Devastating virus - HiJack log

Post by jrowe182 » June 5th, 2009, 12:48 am

I'll try my best to describe how it affects my computer. Basically it makes my internet extremely slow, and as long as I'm connected, it's like my computer hogs the internet so none of my other family members are able to connect w/ their computers. Also, when I run certain anti-virus programs, this windows pop-up appears attempting to start a "system cleanup," which I immediately cancel. And sometimes my desktop background will just disappear, and my homepage changes automatically to microsoft.com. These last two symptoms seem to only happen after running a certain program called 'Spybot Search & Destroy.' It's as if the virus knows I'm looking for it, and retaliates by changing my desktop and homepage. Oh, and my computer is in portuguese so if anyone needs clarification about anything in the log below I'd be more than happy to translate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:53, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Avant Browser\iexplore.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F1 - win.ini: run=C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steven] C:\Documents and Settings\Steven\Steven.exe /i
O4 - HKUS\.DEFAULT\..\Run: [] C:\Documents and Settings\Steven\.exe /i (User 'Default user')
O8 - Extra context menu item: abrir todos os links desta página... - C:\Arquivos de programas\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: adicionar à lista negra de anúncios - C:\Arquivos de programas\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: bloquear todas as imagens do mesmo servidor - C:\Arquivos de programas\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: marcar - C:\Arquivos de programas\Avant Browser\Highlight.htm
O8 - Extra context menu item: pesquisar - C:\Arquivos de programas\Avant Browser\Search.htm
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://unbisnet.un.org
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLa ... uncher.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7275886921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3345499171
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {D87BE747-157C-49BD-A392-A68B75A54947} (IaxClientOcx Control) - http://www.voipsharing.com.br/0800/casa ... bphone.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/p ... ginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F320F36B-4DB7-4A63-96FC-44576EEA8741}: NameServer = 200.174.144.14,200.174.144.15
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: mlJApnOg - mlJApnOg.dll (file missing)
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallTest - Unknown owner - C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe (file missing)
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9534 bytes
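The HijackThis log above is the kind of thing volunteers triage by eye: O4 Run entries, the O13 URL prefix, the O17 per-interface DNS servers, O20 Winlogon Notify DLLs and so on. The script below is an added example, not part of the forum post and not a HijackThis feature; it parses the HijackThis v2 line format and applies this example's own heuristics (empty Run value names, extension-only file names, autostarts under a user profile, a non-empty WWW. prefix, random-looking Notify names, "(file missing)" leftovers). The sample lines are a constructed subset copied from the posted log, with the avast! entry as the clean control. Every hit means "review", never "delete on sight".

```python
"""Triage a HijackThis v2 log: flag the entry types most often abused for
persistence or browser/DNS hijacking. Added example with its own heuristics."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
# The avast! Run entry is the clean control; the rest should be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Steven] C:\Documents and Settings\Steven\Steven.exe /i
O4 - HKUS\.DEFAULT\..\Run: [] C:\Documents and Settings\Steven\.exe /i (User 'Default user')
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - Trusted Zone: http://unbisnet.un.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{F320F36B-4DB7-4A63-96FC-44576EEA8741}: NameServer = 200.174.144.14,200.174.144.15
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: mlJApnOg - mlJApnOg.dll (file missing)
O23 - Service: InstallTest - Unknown owner - C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe (file missing)
"""

@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
# "mlJApnOg"-style names: eight letters, mixed case, no word. Heuristic only.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\")

def check_o4(body):
    """Run keys: empty value names, extension-only file names, profile paths."""
    m = O4_RE.match(body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if not name.strip():
        reasons.append("Run value with an empty name")
    if re.search(r"\\\.[A-Za-z0-9]{2,4}(?:\s|$)", cmd):
        reasons.append("file name is only an extension")
    if any(d in cmd.lower() for d in PROFILE_DIRS):
        reasons.append("autostart runs from a user-writable profile directory")
    return ("high", "; ".join(reasons)) if reasons else None

def check_o13(body):
    """IE prepends the WWW. prefix to anything typed as www.<host>."""
    m = re.match(r"^WWW\. Prefix: (?P<prefix>\S+)", body)
    return ("high", f"URL prefix hijack via {m.group('prefix')}") if m else None

def check_o15(body):
    """Trusted Zone sites get IE's relaxed security settings; confirm each."""
    return ("low", "site in the IE Trusted Zone: " + body.split(": ", 1)[-1])

def check_o17(body):
    """Per-interface DNS servers; confirm they belong to the ISP or router."""
    m = re.search(r"NameServer = (?P<ips>.+)$", body)
    if not m:
        return None
    return ("medium", "DNS resolvers set to " + m.group("ips").replace(",", ", "))

def check_o20(body):
    """Winlogon Notify DLLs are loaded into winlogon.exe at every logon."""
    m = O20_RE.match(body)
    if not m:
        return None
    reasons, sev = [], "medium"
    if RANDOM_NAME_RE.match(m.group("name")):
        reasons.append("random-looking Notify package name")
        sev = "high"
    if "(file missing)" in m.group("dll"):
        reasons.append("DLL is gone but the Notify key remains")
    return (sev, "; ".join(reasons)) if reasons else None

def check_o23(body):
    """Services whose binary no longer exists are leftovers worth cleaning."""
    return ("low", "service points to a missing binary") if "(file missing)" in body else None

CHECKS = {"O4": check_o4, "O13": check_o13, "O15": check_o15,
          "O17": check_o17, "O20": check_o20, "O23": check_o23}

def triage(log_text):
    """Return one Finding per flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        hit = check(m.group("body")) if check else None
        if hit:
            findings.append(Finding(m.group("sec"), hit[0], hit[1], raw.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run as-is and it prints seven findings from the sample; feed it a full saved log with `triage(open("hijackthis.log").read())`. The checks deliberately do not touch O2/O16 entries, which need a reputation lookup rather than a pattern.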

Re: Devastating virus - HiJack log

Post by MWR 3 day Mod » June 8th, 2009, 12:11 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Devastating virus - HiJack log

Post by askey127 » June 8th, 2009, 5:38 pm

Hi jrowe182,
-----------------------------------------------------------
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
or here:
http://subs.geekstogo.com/ComboFix.exe
and Save to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Usually if you right click the Anti-Virus icon in the system tray, you can choose to disable or exit the program.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the contents of that report, located here: "C:\ComboFix.txt", along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze. Give it at least 20-30 minutes to finish if needed.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


Re: Devastating virus - HiJack log

Post by jrowe182 » June 8th, 2009, 11:50 pm

Here's the combofix report
Again, it is in portuguese, if you need any translations.

ComboFix 09-06-08.03 - Steven 08/06/2009 20:26:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.511.228 [GMT -7:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090608-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SYS32DLL.bat
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\babISYay.ini
C:\WINDOWS\system32\babISYay.ini2
C:\WINDOWS\system32\brspjyhe.ini
C:\WINDOWS\system32\cayqfxxd.ini
C:\WINDOWS\system32\drivers\657b6afb.sys
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\grlsgelb.ini
C:\WINDOWS\system32\hgbarxpk.ini
C:\WINDOWS\system32\hllyfmct.ini
C:\WINDOWS\system32\idecuxgc.ini
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\kaeshmlk.ini
C:\WINDOWS\system32\kjegvmhi.ini
C:\WINDOWS\system32\kjPrBcfe.ini
C:\WINDOWS\system32\kjPrBcfe.ini2
C:\WINDOWS\system32\lmocgyyd.ini
C:\WINDOWS\system32\mmwwawfl.ini
C:\WINDOWS\system32\mthafujq.ini
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\osphcqes.ini
C:\WINDOWS\system32\osphcqes.ini2
C:\WINDOWS\system32\osphcqes.tmp
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\snscdrol.ini
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\swuekotb.ini
C:\WINDOWS\system32\SYyxyccf.ini
C:\WINDOWS\system32\SYyxyccf.ini2
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tvCKknnn.ini
C:\WINDOWS\system32\tvCKknnn.ini2
C:\WINDOWS\system32\twniyyoj.ini
C:\WINDOWS\system32\ufxklsut.ini
C:\WINDOWS\system32\uuEKRtwa.ini
C:\WINDOWS\system32\uuEKRtwa.ini2
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\wHjkUvut.ini
C:\WINDOWS\system32\wHjkUvut.ini2
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\xysebeuq.ini
C:\WINDOWS\Temporary Internet Files\bestwiner.stt
C:\WINDOWS\Temporary Internet Files\fbk.sts
C:\WINDOWS\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI64SI
-------\Legacy_TDSSSERV.SYS
-------\Service_657b6afb
-------\Service_TDSSserv.sys


(((((((((((((((( Files created from 2009-05-09 to 2009-06-09 ))))))))))))))))))))))))))))
.

2009-05-28 06:13:30 . 2009-05-28 06:13:30 0 d-----w- C:\Arquivos de programas\MSECache
2009-05-23 21:59:45 . 2009-02-05 20:06:20 51376 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2009-05-23 21:59:45 . 2009-02-05 20:06:10 23152 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2009-05-23 21:59:44 . 2009-02-05 20:05:11 26944 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2009-05-23 21:59:42 . 2009-02-05 20:07:23 114768 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2009-05-23 21:59:42 . 2009-02-05 20:07:12 20560 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2009-05-23 21:59:42 . 2009-02-05 20:04:45 97480 ----a-w- C:\WINDOWS\system32\AvastSS.scr
2009-05-23 21:59:41 . 2009-02-05 20:08:19 93296 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2009-05-23 21:59:41 . 2009-02-05 20:08:10 94032 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2009-05-23 21:59:23 . 2009-02-05 20:11:35 1256296 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2009-05-16 20:30:06 . 2009-05-16 20:30:11 0 d-----w- C:\Arquivos de programas\ConvertHelper
2009-05-16 20:19:26 . 2009-05-16 20:19:26 0 d-----w- C:\Documents and Settings\Steven\dwhelper
2009-05-16 18:19:01 . 2003-03-18 20:20:00 1060864 ----a-w- C:\WINDOWS\system32\MFC71.dll
2009-05-11 02:17:01 . 2009-05-11 02:17:01 2967799 ----a-w- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 02:59:15 . 2006-09-22 20:25:06 0 d-----w- C:\Documents and Settings\Steven\Dados de aplicativos\BitTorrent
2009-06-07 08:35:07 . 2007-02-08 20:00:38 0 d-----w- C:\Documents and Settings\Steven\Dados de aplicativos\Skype
2009-06-03 22:55:48 . 2008-04-10 07:37:02 0 d-----w- C:\Documents and Settings\Steven\Dados de aplicativos\U3
2009-05-28 04:30:59 . 2008-11-02 20:17:58 0 d-----w- C:\Documents and Settings\Steven\Dados de aplicativos\DNA
2009-05-27 22:48:46 . 2008-11-02 20:17:58 0 d-----w- C:\Arquivos de programas\DNA
2009-05-16 18:15:48 . 2008-10-26 03:06:44 0 d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\avg8
2009-05-14 16:02:30 . 2009-05-06 07:52:03 100 --s-a-w- C:\WINDOWS\system32\2284993143.dat
2009-05-12 05:33:33 . 2005-10-11 20:02:45 0 d-----w- C:\Arquivos de programas\AIM
2009-05-12 05:28:54 . 2008-05-11 23:22:14 0 d-----w- C:\Arquivos de programas\Exterminate It!
2009-05-12 05:25:55 . 2007-02-20 00:52:59 0 d-----w- C:\Arquivos de programas\MP3 WAV Converter
2009-05-12 05:25:07 . 2005-02-01 16:43:07 0 d-----w- C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2009-05-12 05:23:28 . 2007-02-28 22:22:23 0 d-----w- C:\Arquivos de programas\SopCast
2009-05-12 05:23:09 . 2006-09-21 23:02:14 0 d-----w- C:\Arquivos de programas\Soulseek
2009-05-12 05:22:40 . 2008-10-05 04:02:13 0 d-----w- C:\Arquivos de programas\The Vault2 PE
2009-05-12 05:22:20 . 2006-10-09 22:24:49 0 d-----w- C:\Arquivos de programas\videofixer
2009-05-12 05:22:12 . 2005-10-11 20:02:51 0 d-----w- C:\Documents and Settings\All Users\Dados de aplicativos\Viewpoint
2009-05-12 05:22:11 . 2005-10-11 20:02:51 0 d-----w- C:\Arquivos de programas\Viewpoint
2009-05-11 02:17:12 . 2008-10-27 01:24:51 0 d-----w- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2009-05-09 21:39:00 . 2003-04-08 12:00:00 82674 ----a-w- C:\WINDOWS\system32\perfc016.dat
2009-05-09 21:39:00 . 2003-04-08 12:00:00 462918 ----a-w- C:\WINDOWS\system32\perfh016.dat
2009-04-06 22:32:54 . 2008-10-27 01:24:53 38496 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32:46 . 2008-10-27 01:24:55 15504 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:45:31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 20:08:45 81000]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 17:16:00 5058560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "C:\ARQUIV~1\GbPlugin\gbiehabn.dll" [2007-11-19 21:02:36 341928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginAbn]
2007-11-19 21:02:36 341928 ----a-w- C:\ARQUIV~1\GbPlugin\gbiehabn.dll

[HKLM\~\startupfolder\c:^documents and settings^all users^menu iniciar^programas^inicializar^adobe reader speed launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^steven^menu iniciar^programas^inicializar^magicdisc.lnk]
path=C:\Documents and Settings\Steven\Menu Iniciar\Programas\Inicializar\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Metric Conversion Calculator Installer"=2 (0x2)
"iPod Service"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avast! mail scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Starcraft\\starcraft.exe"=
"C:\\Documents and Settings\\Steven\\Meus documentos\\Limewire\\LimeWire.exe"=
"C:\\Arquivos de programas\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Sierra\\Half-Life\\Steam\\Steam.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\Avant Browser\\iexplore.exe"=
"C:\\WINDOWS\\Installer\\{ABEB838C-A1A7-4C5D-B7E1-8B4314600813}\\MsblIco.Exe"=
"C:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=
"C:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\EA GAMES\\MOHAA\\Medal of Honor Spearhead.exe"=
"C:\\Arquivos de programas\\LucasArts\\Star Wars Battlefront\\GameData\\battlefront.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"C:\\Arquivos de programas\\DNA\\btdna.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24682:TCP"= 24682:TCP:LimeWire Pro 4.12.3
"7124:TCP"= 7124:TCP:a

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [23/5/2009 14:59:42 114768]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\drivers\aswFsBlk.sys [23/5/2009 14:59:42 20560]
S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\drivers\ezwinit.sys [16/6/2005 16:32:07 14280]
S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\drivers\ezwriter.sys [16/6/2005 16:32:07 16680]
S2 InstallTest;InstallTest;"C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test --> C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe [?]
S3 jatmlano;jatmlano;\??\C:\DOCUME~1\Steven\CONFIG~1\Temp\jatmlano.sys --> C:\DOCUME~1\Steven\CONFIG~1\Temp\jatmlano.sys [?]
S3 mbamswissarmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [26/10/2008 18:24:53 38496]
S4 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update --> C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE [?]
UnknownUnknown GbpSv;GbpSv; [x]
.
Contents of the 'Scheduled Tasks' folder

2008-05-10 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Arquivos de programas\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-22 00:35:06 . 2005-09-22 00:35:06]

2008-05-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34:12 . 2008-07-30 19:34:12]

2009-05-19 C:\WINDOWS\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2003-04-08 12:00:00 . 2004-08-04 07:45:41]

2008-05-11 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Arquivos de programas\Symantec\LiveUpdate\NDETECT.EXE [2005-02-01 16:42:56 . 2004-08-24 13:47:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steven - C:\Documents and Settings\Steven\Steven.exe
Notify-mlJApnOg - mlJApnOg.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-procexp90.sys
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: abrir todos os links desta página... - C:\Arquivos de programas\Avant Browser\OpenAllLinks.htm
IE: adicionar à lista negra de anúncios - C:\Arquivos de programas\Avant Browser\AddToADBlackList.htm
IE: bloquear todas as imagens do mesmo servidor - C:\Arquivos de programas\Avant Browser\AddAllToADBlackList.htm
IE: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: marcar - C:\Arquivos de programas\Avant Browser\Highlight.htm
IE: pesquisar - C:\Arquivos de programas\Avant Browser\Search.htm
Trusted Zone: com.br\www.mercadolivre
Trusted Zone: un.org\unbisnet
TCP: {F320F36B-4DB7-4A63-96FC-44576EEA8741} = 200.174.144.14,200.174.144.15
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: {D87BE747-157C-49BD-A392-A68B75A54947} - hxxp://www.voipsharing.com.br/0800/casa ... bphone.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/p ... ginABN.cab
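The Drivers/Services section of the ComboFix log above is where the remaining kernel-level leftovers show up: a driver service named jatmlano pointing at a .sys file under the user's Temp directory, and two entries ending in "[?]" or "[x]". The script below is an added example, not part of the post and not ComboFix code. The line format it parses is read off the posted log (state R/S, Windows start type digit, name;display;image, and a bracketed date/size or a "[?]"/"[x]" marker, which this example assumes means ComboFix could not resolve the binary); the scoring is this example's own heuristic. The sample lines are copied from the posted log.

```python
"""Triage the Drivers/Services lines of a ComboFix log. Added example; the
format is as observed in the posted log and the scoring is a heuristic."""
import re
from dataclasses import dataclass

# Constructed sample: service/driver lines copied from the ComboFix log above.
# Observed format: <R|S><start> <name>;<display>;<image> [date time size], or
# "... --> <path> [?]" / "[x]" where ComboFix could not resolve the file.
SAMPLE = r"""
R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [23/5/2009 14:59:42 114768]
S2 InstallTest;InstallTest;"C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test --> C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe [?]
S3 jatmlano;jatmlano;\??\C:\DOCUME~1\Steven\CONFIG~1\Temp\jatmlano.sys --> C:\DOCUME~1\Steven\CONFIG~1\Temp\jatmlano.sys [?]
S3 mbamswissarmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [26/10/2008 18:24:53 38496]
UnknownUnknown GbpSv;GbpSv; [x]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>R|S|Unknown)(?P<start>\d|Unknown) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILER_RE = re.compile(r"^(?P<body>.*?)\s*\[(?P<trailer>[^\]]*)\]$")
RANDOM_RE = re.compile(r"^[a-z]{8}$")  # "jatmlano"-style names; heuristic only
USER_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")
# Windows service Start values, as the digit after R/S.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

@dataclass
class Service:
    state: str      # "R" running, "S" stopped, "Unknown"
    start: str      # START_TYPES key or "Unknown"
    name: str
    display: str
    path: str       # resolved image path ("" when absent)
    resolved: bool  # False for the "[?]" / "[x]" markers

@dataclass
class Finding:
    name: str
    severity: str
    start_type: str
    reasons: list

def parse_services(text):
    """Parse every service line; lines in any other format are ignored."""
    out = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        t = TRAILER_RE.match(m.group("rest").strip())
        body, trailer = (t.group("body"), t.group("trailer")) if t else (m.group("rest"), "")
        path = body.split(" --> ")[-1].strip().strip('"')
        out.append(Service(m.group("state"), m.group("start"), m.group("name"),
                           m.group("display"), path, trailer not in ("", "?", "x")))
    return out

def triage(services):
    """Score each service; the first matching rule sets the severity."""
    findings = []
    for s in services:
        p = s.path.lower().removeprefix("\\??\\")
        reasons, sev = [], None
        if p.endswith(".sys") and any(d in p for d in USER_DIRS):
            reasons.append("kernel driver registered from a user Temp/profile path")
            sev = "high"
        if s.name == s.display and RANDOM_RE.match(s.name):
            reasons.append("random-looking eight-letter name, identical display name")
            sev = sev or "medium"
        if not s.resolved:
            reasons.append("binary could not be resolved (leftover registration)")
            sev = sev or "low"
        if reasons:
            findings.append(Finding(s.name, sev, START_TYPES.get(s.start, "unknown"), reasons))
    return findings

if __name__ == "__main__":
    for f in triage(parse_services(SAMPLE)):
        print(f"[{f.severity:6}] {f.name} (start: {f.start_type}): " + "; ".join(f.reasons))
```

On the sample this flags jatmlano as high (driver under Temp, random name, file already gone) and InstallTest and GbpSv as low leftovers, while the avast! and Malwarebytes drivers pass. A "manual" start type on a .sys under Temp is still worth removing: the registration lets anything with the right privileges load it again by name.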

Re: Devastating virus - HiJack log

Post by jrowe182 » June 8th, 2009, 11:51 pm

And the new HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:17, on 8/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Avant Browser\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F1 - win.ini: run=C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steven] C:\Documents and Settings\Steven\Steven.exe /i
O8 - Extra context menu item: abrir todos os links desta página... - C:\Arquivos de programas\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: adicionar à lista negra de anúncios - C:\Arquivos de programas\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: bloquear todas as imagens do mesmo servidor - C:\Arquivos de programas\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: marcar - C:\Arquivos de programas\Avant Browser\Highlight.htm
O8 - Extra context menu item: pesquisar - C:\Arquivos de programas\Avant Browser\Search.htm
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Arquivos de programas\Internet Explorer\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: http://unbisnet.un.org
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7275886921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3345499171
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {D87BE747-157C-49BD-A392-A68B75A54947} (IaxClientOcx Control) - http://www.voipsharing.com.br/0800/casa ... bphone.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/p ... ginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F320F36B-4DB7-4A63-96FC-44576EEA8741}: NameServer = 200.174.144.14,200.174.144.15
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginAbn - C:\ARQUIV~1\GbPlugin\gbiehabn.dll
O20 - Winlogon Notify: mlJApnOg - mlJApnOg.dll (file missing)
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Serviço de transferência inteligente de plano de fundo (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallTest - Unknown owner - C:\Arquivos de programas\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe (file missing)
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Arquivos de programas\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Atualizações Automáticas (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9690 bytes
jrowe182
Active Member
Posts: 3
Joined: June 5th, 2009, 12:37 am

Re: Devastating virus - HiJack log

Unread postby askey127 » June 9th, 2009, 7:12 am

jrowe182,
Unfortunately, you have a very dangerous infection called W32.Tidserv, with "backdoor" capabilities.
This can give remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of the infection's backdoor functionality (i.e., remote control capability), the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry).

If you do not have the resources to reinstall your Windows Operating System and would like me to attempt to clean your machine, I will be happy to do so.
These infections are serious enough that removing them without damaging the Windows system is no sure thing. This is your choice to make.
The following articles may be of assistance in your decision:
Should you have any questions, please feel free to ask.

If you decide you want to clean it, proceed as follows.
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?f=11&t=33112
In order for us to help you, please uninstall the following Peer to Peer program(s) that exist on your system, so we are not wasting our time:

Use of these is the reason your machine is infected.

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    Soulseek
    Limewire
    DNA
    Bittorrent
NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
--------------------------------------------------
Run Flash Disinfector
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task > Run... Type in explorer.exe and press Enter. Your desktop should now appear.
Wait until it has finished scanning and then exit the program.

You can run Flash Disinfector with other flash drives and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the folder(s) shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename.

C:\DOCUME~1\Steven\CONFIG~1\Temp\jatmlano.sys

If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete or find.
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to each folder shown below, highlight each one in turn shown in red, if found, and press Delete.

C:\Arquivos de programas\Symantec\ <== this folder only
C:\Arquivos de programas\Soulseek\ <== this folder only
C:\Arquivos de programas\DNA\ <== this folder only
C:\Documents and Settings\All Users\Dados de aplicativos\avg8\ <== this folder only
C:\Documents and Settings\All Users\Dados de aplicativos\BitTorrent\ <== this folder only

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, note the name of the file, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.

-----------------------------------------------------------
Copy/Paste/Run a Registry Edit
Copy/paste the following quote box into a new notepad document:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"24682:TCP"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Arquivos de programas\\DNA\\btdna.exe"=-
"C:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=-
"C:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=-


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save it as File Type All Files (not as a Text document, or it won't work).
Save it to your Desktop as fixme.reg
Double click fixme.reg on your Desktop, and merge it into the registry when asked.
-----------------------------------------------------------
Reboot Windows.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder. In addition, the list opens in Notepad so you can also save as another name in another location if you wish. Please paste the contents into your next reply.
Click the "X" in the upper right corner of the HiJackThis window to close it.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
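The HijackThis log above and askey127's reply do not spell out which entries point to the W32.Tidserv diagnosis. As an added example, not code from the forum or its helpers, here is a small Python triage script over constructed lines in HijackThis format that flags the entry kinds a helper checks first: O17 NameServer overrides, O20 Winlogon Notify DLLs that are missing or given only by bare name, O23 services whose image file is gone, and O16 ActiveX controls loaded from a non-web URL. The set of expected DNS resolvers is an assumption the operator supplies.

```python
import re

# Constructed sample in HijackThis v2 log format. The entries mirror the kinds of
# lines in the log posted above (paths shortened); they are not the full log.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F320F36B-4DB7-4A63-96FC-44576EEA8741}: NameServer = 200.174.144.14,200.174.144.15
O20 - Winlogon Notify: GbPluginAbn - C:\\ARQUIV~1\\GbPlugin\\gbiehabn.dll
O20 - Winlogon Notify: mlJApnOg - mlJApnOg.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: InstallTest - Unknown owner - C:\\Arquivos de programas\\InstallTest.exe (file missing)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\\TempEI4\\EI40_\\msxml4.cab
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def triage(log_text: str, expected_dns: set) -> list:
    """Return (severity, section, reason) tuples for entries worth a helper's look.
    These are review heuristics, not verdicts: a hit means "check this", not "malware".
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith("(file missing)")
        if section == "O17" and "NameServer =" in body:
            # A DNS override redirects every name lookup; compare against the
            # resolvers the machine is expected to use (operator-supplied assumption).
            servers = {s.strip() for s in body.split("NameServer =")[-1].split(",")}
            if not servers <= expected_dns:
                findings.append(("high", section, f"unexpected NameServer {sorted(servers)}"))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon, before user-mode
            # scanners run. A bare filename or a file that is already gone is the
            # pattern left by droppers that register here and then hide their DLL.
            target = body.split(" - ", 1)[-1].replace("(file missing)", "").strip()
            if missing or "\\" not in target:
                findings.append(("high", section, f"Winlogon Notify DLL missing or bare name: {target}"))
        elif section == "O23" and missing:
            # Orphaned service entries are usually leftovers, but still need a look.
            findings.append(("low", section, f"service image missing: {body}"))
        elif section == "O16" and not re.search(r" - https?://", body):
            # Downloaded ActiveX controls normally come from http(s); file:// is unusual.
            findings.append(("medium", section, f"DPF control from non-web source: {body}"))
    return findings
```

Run `triage(SAMPLE_LOG, {"200.174.144.14", "200.174.144.15"})` to see the O20, O23 and O16 hits; pass an empty set and the O17 entry is reported as well.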

Re: Devastating virus - HiJack log

Unread postby NonSuch » June 14th, 2009, 3:43 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California