Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked- New

Post by Batman » July 15th, 2010, 8:41 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:00:01 AM, on 7/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TweakNow PowerPack 2010\CDAuto.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\STOPzilla!\SZOptions.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100626221605.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CD Autorun] C:\Program Files\TweakNow PowerPack 2010\CDAuto.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7026 bytes

***********************************************

AC3File 0.6b
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
AoA Audio Extractor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Auslogics Disk Defrag
Auslogics Registry Cleaner
Baku
Belarc Advisor 8.1
Bonjour
DVD Decrypter (Remove Only)
DVD Flick 1.3.0.7
DVD Shrink 3.2
DVDFab 7.0.7.0 (08/06/2010)
Free FLV Converter V 6.8.0
Google Earth Plug-in
Google Update Helper
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Intel(R) Network Connections Drivers
Internet Explorer (Enable DEP)
iTunes
Java(TM) 6 Update 20
KeyScrambler
Malwarebytes' Anti-Malware
McAfee Total Protection
McAfee Virtual Technician
MediaInfo 0.7.33
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Automated Troubleshooting Services Shim
Microsoft Baseline Security Analyzer 2.1
Microsoft Fix it Center
Microsoft MPEG-4 VKI Video Codec V1/V2/V3
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.6)
Orbit Downloader
QuickTime
Realtek AC'97 Audio
Revo Uninstaller 1.89
STOPzilla
System Requirements Lab for Intel
TweakNow PowerPack 2010
Ultimate Extras sounds from Microsoft® Tinker™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.1.0
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Sound Schemes
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
ZD Soft Screen Recorder
ZD Soft Screen Video Decoder

**********************************************

I recently downloaded a file called Cain and Abel, a so-called hacker's tool, looking to use it to try and gain access to my wife's email account, for fear that she'd been cheating. I realized quickly that the UI was beyond my knowledge, so I uninstalled it with Revo Uninstaller, using the Advanced option. I then ran a quick scan with Malwarebytes' Anti-Malware (MBAM), and it found the following to be a Rootkit.Agent.

*It must be said that early in my findings, I turned off System Restore, as there was malware located in those files as well as what is listed below.*

liqqtxl.sys(Rootkit.Agent) - located in system32\drivers

c:\windows\temp\9f35db3.tmp - Kernel Veryfier tried to access the internet after rootkit liqqtxl.sys was quarantined and deleted by MBAM.

Windows Problem Reports and Solutions appeared saying 'Kernel Veryfier' has stopped working, and asked to check online for a solution. *Note the spelling of Veryfier. I do not know if this is a legitimate program. I did not allow it to check for a solution, for fear that the malware was using the Windows program to call to the outside world, flagging my PC as an 'open door'.

Other trojans identifying themselves as .tmp files were located, such as c3453bf1.tmp and VXGame.Temp_044.
STOPzilla labels these 'PerformancePlatform': 2 Trojans = \win~\temp\4e1b82c5.tmp and 93aaf7f.tmp

After every reboot, deleted .tmp files reappear in C:\Windows\Temp , usually 7 of them.

It seems that whenever I try to delete liqqtxl.sys with MBAM and reboot, it reappears as if I had done nothing. I even tried deleting it in Safe Mode. I also performed full scans with MBAM and STOPzilla until each of them found nothing in Safe Mode. Still, I reboot and STOPzilla finds 9 infected registry keys and one .sys file in system32\drivers, not liqqtxl.sys, although it remains.

Also, whenever I try to have HJT delete liqqtxl.sys on startup, an error message appears that states: liqqtxl.sys
A device attached to the system is not functioning.

So I ran a quick scan with MBAM, finding liqqtxl.sys again, and instead of rebooting right away as it suggested, I ran STOPzilla, resulting in the detection of 12 infected registry keys, labeled GASF. Eleven were found at HKLM\SYSTEM\CurrentContr... it doesn't show the rest, but I can provide screenshots if you like.

I then searched for GASF and PerformancePlatform in the registry, without luck. I did find liqqtxl.sys located in:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\liqqtxl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\liqqtxl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\liqqtxl

Note that it was not found in ...ControlSet001\

After finding the above locations of the .sys file in the registry, I exited and removed the 12 items that STOPzilla found, and rebooted as it and MBAM required. Upon startup, once again STOPzilla found 3 PerformancePlatform .tmp files.

I do have a deal more information ready to supply when requested, such as info concerning my temp folder, info I spotted during subsequent scans, cropped screenshots, etc.

I sincerely hope this was not too much information, as I do not want to overstep my bounds. Thank you for any help you can provide.
Batman
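
One line in the log above deserves a second look before anything else: `R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:5577` configures Internet Explorer to send its HTTP traffic through a listener on the local machine, and the thread never establishes which process owns that port. The block below is an added example, not code from the thread or from HijackThis: a PowerShell parser for the R0/R1, O2, O4 and O23 entry formats seen in the log, followed by a handful of review rules of this example's own making (loopback proxy, BHO with no file on disk, autostarts launched from temp or profile directories, services with no vendor). A hit means "explain this entry", not "this is malware". The function names and the rule set are assumptions of this example; the sample lines are copied from the posted log, not constructed. It requires PowerShell 3.0 or later.

```powershell
# Added example (not code from the thread or from HijackThis): parse HijackThis log
# lines into objects and apply review rules. The rules are this example's own heuristics.

function ConvertFrom-HijackThisLog {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Every entry is "<section> - <rest>", e.g. "O23 - Service: ..."
        if ($line -notmatch '^(?<sec>[A-Z]\d{1,2}) - (?<rest>.+)$') { continue }
        $sec  = $Matches['sec']
        $rest = $Matches['rest']
        $item = [ordered]@{ Section = $sec; Name = $null; Path = $null; Company = $null; Raw = $line }
        switch -Regex ($sec) {
            '^R[01]$' {
                # R0/R1: registry value.  <key>,<value> = <data>   (data may be empty)
                if ($rest -match '^(?<key>[^,]+),(?<val>[^=]+?)\s*=\s*(?<data>.*)$') {
                    $item.Name = $Matches['key'] + ',' + $Matches['val']
                    $item.Path = $Matches['data']
                }
            }
            '^O2$' {
                # O2: browser helper object.  BHO: <name> - {CLSID} - <dll or "(no file)">
                if ($rest -match '^BHO: (?<name>.+?) - \{[0-9A-Fa-f-]+\} - (?<path>.*)$') {
                    $item.Name = $Matches['name']; $item.Path = $Matches['path']
                }
            }
            '^O4$' {
                # O4: autostart entry.  <hive>\..\Run: [<name>] <command line>
                if ($rest -match '^(?<key>.+?): \[(?<name>.*?)\] (?<cmd>.*)$') {
                    $item.Name = $Matches['name']; $item.Path = $Matches['cmd']
                }
            }
            '^O23$' {
                # O23: Win32 service.  Service: <display> (<name>) - <company> - <binary>
                if ($rest -match '^Service: (?<name>.+?) - (?<company>.+?) - (?<path>.*)$') {
                    $item.Name = $Matches['name']; $item.Company = $Matches['company']; $item.Path = $Matches['path']
                }
            }
        }
        [pscustomobject]$item
    }
}

function Get-HijackThisReviewItems {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($e in (ConvertFrom-HijackThisLog -Lines $Lines)) {
        $why = @()
        # IE proxy pointed at the local machine: whatever listens on that port sees all browser traffic.
        if (($e.Section -match '^R[01]$') -and ($e.Name -like '*,ProxyServer') -and
            ($e.Path -match '(^|=)(127\.0\.0\.1|localhost)(:|$)')) {
            $why += 'IE proxies through a loopback listener; identify the process bound to that port'
        }
        # CLSID still registered but the DLL is gone: leftover of a removed add-on, or a hidden file.
        if (($e.Section -eq 'O2') -and ($e.Path -eq '(no file)')) {
            $why += 'BHO registered with no backing DLL'
        }
        # Autostarts and services launched from temp or profile directories.
        if (($e.Section -in 'O4', 'O23') -and
            ($e.Path -match '\\(Temp|AppData|Application Data|Users\\[^\\]+)\\')) {
            $why += 'autostart binary lives in a temp or profile directory'
        }
        # HijackThis prints "Unknown owner" when the service binary carries no vendor information.
        if (($e.Section -eq 'O23') -and ($e.Company -eq 'Unknown owner')) {
            $why += 'service has no vendor information'
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Section = $e.Section; Name = $e.Name; Path = $e.Path; Why = ($why -join '; ') }
        }
    }
}

# Sample input: lines copied verbatim from the HijackThis log posted in this thread.
$SampleHjtLines = @'
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [CD Autorun] C:\Program Files\TweakNow PowerPack 2010\CDAuto.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
'@ -split "`r?`n"

Get-HijackThisReviewItems -Lines $SampleHjtLines | Format-Table -AutoSize
```

To run it over a whole log, replace the sample with `Get-Content hijackthis.log`. The parser deliberately skips sections it has no pattern for (R3, O1, O8, O9, O18, O22) rather than guessing; add a case to the switch for each section you want to triage, and keep the rules as prompts for investigation, since the same loopback proxy entry is produced by legitimate local filtering software as well as by malware.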

Re: Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked-

Post by xixo_12 » July 20th, 2010, 7:24 am

Hello and welcome to Anti-Malware Forums.
Introduction and rules:
  • I'm xixo_12 and I'm really glad to help you.
  • You're advised to refrain from running any self-fixes until I give the "All Clean" speech.
  • The instructions in this topic are created specifically for the current problem; do not apply them to another system.
  • You're advised to ask about any uncertainty.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.

Please make sure you have done your reading on this topic: How to get help at this forum
Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now, we will start the collaboration.
Do keep in mind, removing malware is a hazardous undertaking. I'm ready to share what I have learned through years of removing malware, but I'm also fallible.
You're advised to back up all important data before we start.
Note: Due to a limitation, Windows Vista requires the user to right-click > Run as Administrator to use the tools.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First,
Advice.
===============================
Registry related program.
===============================

Next,
Remove programs.
Please click Start > Control Panel > Programs and Features.
Remove the listed program(s) by clicking Uninstall/Change.
STOPzilla

If some program(s) listed above are not present, please do not panic and proceed to the next step.

Next,
Reboot into the usual account.

Next,
Discussion
Do you have Windows Vista DVD?

Next,
GMER.
Please download it from HERE and save it to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer, so save any work you have open.
  • Right-click on Gmer.exe > Run as Administrator to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also, do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text Document. Once the file is created, open it, right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

What you need to post
Checklist.
  • Respond to our discussion
  • Content of GMER.txt
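
Batman's first post reports the liqqtxl service key under ControlSet002, 003 and 004 but not ControlSet001, a driver file that returns after deletion, and "A device attached to the system is not functioning" when HijackThis tries to remove it. HijackThis's O23 section lists Win32 services, not kernel-mode drivers, which is why the service never shows in the log even though the user found its key by hand. The block below is an added example, not code from the thread, GMER or HijackThis: a PowerShell function that walks every ControlSetNNN of a SYSTEM hive, keeps the kernel and file-system driver services, resolves each ImagePath, and reports set membership, file presence and Authenticode status, so the uneven registration Batman saw, an unsigned binary, or a registered file the file system cannot show all stand out in one table. The function and parameter names, the HKLM\OfflineSys mount name and the PowerShell 3.0+ requirement are assumptions of this example.

```powershell
# Added example, not from the thread or any tool it mentions.
# Enumerates kernel-mode driver services in every ControlSetNNN of a SYSTEM hive and
# reports, per driver, which sets register it, whether the binary exists on disk, and
# whether it carries a valid Authenticode signature. Requires PowerShell 3.0+ and an
# elevated prompt (right-click > Run as Administrator, as the thread notes for Vista).

function Resolve-DriverImagePath {
    # Turns a raw ImagePath value into an absolute Win32 path. Handled forms:
    #   system32\drivers\foo.sys   \SystemRoot\system32\drivers\foo.sys   \??\C:\path\foo.sys
    param([string]$ImagePath, [string]$SystemRoot)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim().Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

function Get-DriverServiceMap {
    param(
        # Hive root: the live hive, or an offline hive mounted from a clean system with
        #   reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM   (mount name assumed)
        [string]$Root = 'HKLM:\SYSTEM',
        # Windows directory that relative ImagePath values resolve against.
        [string]$SystemRoot = $env:SystemRoot
    )
    # Only the numbered sets; CurrentControlSet is a link to one of them and is skipped.
    $sets = @(Get-ChildItem -Path $Root -ErrorAction Stop |
              Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
              ForEach-Object { $_.PSChildName } | Sort-Object)
    $select  = Get-ItemProperty -Path (Join-Path $Root 'Select') -ErrorAction SilentlyContinue
    $current = if ($select) { 'ControlSet{0:D3}' -f [int]$select.Current } else { '?' }

    $drivers = @{}   # service name -> @{ Sets; ImagePath; Start }
    foreach ($set in $sets) {
        $svcRoot = Join-Path $Root "$set\Services"
        foreach ($key in @(Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue)) {
            $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; Win32 services are 0x10/0x20.
            if (($null -eq $v) -or ($v.Type -notin 1, 2)) { continue }
            $name = $key.PSChildName
            if (-not $drivers.ContainsKey($name)) {
                $drivers[$name] = @{ Sets = @(); ImagePath = $v.ImagePath; Start = $v.Start }
            }
            $drivers[$name].Sets += $set
        }
    }

    foreach ($name in ($drivers.Keys | Sort-Object)) {
        $d      = $drivers[$name]
        $path   = Resolve-DriverImagePath -ImagePath $d.ImagePath -SystemRoot $SystemRoot
        $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
        $status = 'FileMissing'; $signer = $null
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $missing = @($sets | Where-Object { $d.Sets -notcontains $_ })
        [pscustomobject]@{
            Name        = $name
            Start       = $d.Start                     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            InSets      = ($d.Sets -join ',')
            MissingFrom = ($missing -join ',')
            InCurrent   = ($d.Sets -contains $current)  # registered in the set that actually booted?
            FileExists  = $exists
            Signature   = $status
            Signer      = $signer
            ImagePath   = $path
            Review      = (-not $exists) -or ($status -ne 'Valid') -or ($missing.Count -gt 0)
        }
    }
}

# Live hive: drivers a reviewer should look at first (missing file, not validly signed, uneven sets).
Get-DriverServiceMap | Where-Object Review |
    Sort-Object FileExists, Signature, Name |
    Format-Table Name, Start, InSets, MissingFrom, InCurrent, FileExists, Signature, ImagePath -AutoSize
```

Read the columns together rather than one at a time. FileExists false for a driver the registry says starts at boot means either the file is gone or something is hiding it from the file-system API this script uses. MissingFrom on its own is not a verdict: ControlSet001 and the set recorded as Last Known Good diverge whenever a driver was installed after the last good boot was saved, and InCurrent tells you whether the entry is even in the set that booted. On older Windows and PowerShell versions Get-AuthenticodeSignature may not consult catalog files, so inbox Microsoft drivers can report NotSigned there. Most important, every call here goes through the registry and file-system APIs a kernel rootkit hooks, so on a live infected host a clean result proves nothing; mount the SYSTEM hive from a known-clean Windows system with the disk attached (reg load, then `-Root HKLM:\OfflineSys -SystemRoot D:\Windows`) or compare against GMER's raw-disk view, which is what xixo_12's request for a GMER log is for.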

Re: Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked-

Post by Batman » July 20th, 2010, 8:57 am

Yes, I have the Vista DVD, but unfortunately I was unable to boot my computer, no matter what I tried, so I then figured I had to reinstall the OS. I forgot about the recovery console on the DVD. :(

But it's all fixed now, apparently. I'm not currently using a reg cleaner, and STOPzilla was only downloaded because of the rootkits and such - it was the only program I found that would work. Apparently my PC was controlled by the rootkits/hackers toward the end.

Anyway, everything's new, I now have UAC turned on and use a limited account for web browsing. I have all security fixes, up to date on that, system restore is turned on, virus scan/firewall is on. Everything seems new and fresh, including new passwords for everything.

It took me 2-3 days to get things back to the way I want them, safely of course.

I am grateful for the links related to registry cleaner use and such, I will read all of them.

I appreciate you replying to help me, but you came a few days too late. But again, thank you.

Re: Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked-

Post by xixo_12 » July 20th, 2010, 9:42 am

Since you did reformat and reinstall your computer, I have a few pieces of advice for you.
I will ask for this topic to be closed soon ;) and you're most welcome.

Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator

Additional Information :

SpywareBlaster.
  • SpywareBlaster helps make your Internet Explorer stronger, as it will help block known malicious ActiveX controls.
  • A tutorial on installing & using this product can be found HERE

Antivirus.
  • Antivirus helps give the maximum protection for the system.
  • You are advised to have only ONE antivirus running on the system.
  • Please keep it updated regularly.

Malwarebytes' Anti-Malware.

WinPatrol.
  • Unwanted things always occur without your knowledge. Let this software take a snapshot of them.
  • More information and installation instructions can be found HERE

Windows/Program Update.
Please make sure to have Windows Automatic Update turned ON, or you can do it manually.
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
  • Go to Start > All Programs > Windows Update
To update Office
  • Open up any Office program.
  • Go to Help > Check for Updates

You can always refer to both websites to check whether any updates are needed for your system.

Information.

Safe surfing! :)

Re: Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked-

Post by Batman » July 20th, 2010, 10:27 am

Thanks again for all the information. I will use it wisely. :D

This issue has been resolved.

Re: Rootkit-liqqtxl.sys-Trojan:WinNT/Bubnix.gen!A - Hooked-

Post by Dakeyras » July 20th, 2010, 10:47 am

Since we have done all we can, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.