Log file, please help.


Post by NoBugs » May 13th, 2007, 7:32 pm

Here is my log after 3 days of my best efforts to clean this system. Please help...

Logfile of HijackThis v1.99.1
Scan saved at 5:27:49 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\windows\system32\spoolvs5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DOBE~1\javaw.exe
C:\Documents and Settings\Hatch\Application Data\?dobe\?explore.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {16B5F913-6183-3721-A33A-67E34F92FF93} - C:\WINDOWS\system32\pltwer.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55399A3E-DC04-4FF4-B12E-62C44BA1A962} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A05DA7E0-383C-4E99-A72A-742050A152A2} - C:\WINDOWS\system32\iifdayw.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\dpvjjeim.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SvcManager] spoolvs5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Euos] "C:\WINDOWS\system32\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Deplx] "C:\Documents and Settings\Hatch\Application Data\?dobe\?explore.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3260875194
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3261780623
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

Thanks folks!

Post by silver » May 15th, 2007, 1:48 am

Hi NoBugs,

My name is silver and I'm currently looking over your log. Please hold on while I research a fix for you.

Post by silver » May 15th, 2007, 8:10 pm

Hi NoBugs,

Firstly, you should be aware that your computer has been infected by a backdoor trojan. This program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, let me know in your next response. I'll now continue with instructions for cleaning.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A log file will be created at C:\vundofix.txt, please post the contents of this in your next response.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the Vundofix log, the uninstall list and a new HijackThis log.
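silver's diagnosis above comes from reading patterns in the posted log: nameless BHOs that point at DLLs which no longer exist (the renamed-on-every-run behaviour VundoFix targets), a Run value that is a bare filename such as spoolvs5.exe (one letter-swap away from the print spooler spoolsv.exe), auto-start executables under Application Data whose names HijackThis prints with "?" in them, and a Winlogon Notify package whose DLL is missing. The script below is an added example written for this page, not a tool from the forum or from HijackThis. It applies those reading habits mechanically to lines copied from the log above, mixed with legitimate entries from the same log so that the rules can be seen not firing. The rules themselves, the list of system binaries used for the look-alike check, and the edit-distance threshold of two are this example's own assumptions; a line that passes every rule has not been shown to be clean, which is exactly silver's caveat about 100% certainty.

```python
"""Heuristic triage of HijackThis log lines.

Added example for this page, not code from the forum or from HijackThis.
SAMPLE_LOG is copied from the log posted above; the rules, the look-alike
list and the edit-distance threshold are this example's own assumptions.
"""
import re

# Windows binaries whose names malware imitates (assumed, not exhaustive).
SYSTEM_BINARIES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                   "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe")

# Lines taken from the posted log, mixing legitimate and suspect entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {16B5F913-6183-3721-A33A-67E34F92FF93} - C:\WINDOWS\system32\pltwer.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] spoolvs5.exe
O4 - HKCU\..\Run: [Euos] "C:\WINDOWS\system32\DOBE~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Deplx] "C:\Documents and Settings\Hatch\Application Data\?dobe\?explore.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch names that are one or two keystrokes off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def target_of(section: str, rest: str) -> str:
    """Extract the file an entry loads. O4 entries carry it after the [name]
    tag, quoted when it contains spaces and possibly followed by arguments;
    the other sections put it last, separated by ' - '."""
    rest = rest.replace("(file missing)", "").strip()
    if section == "O4":
        rest = rest.split("] ", 1)[-1]
        if rest.startswith('"'):
            return rest[1:].split('"', 1)[0]
        return re.split(r" (?=[/-])", rest)[0]   # drop " /STARTUP"-style args
    return rest.split(" - ")[-1].strip()


def flags_for(section: str, rest: str, target: str) -> list:
    """Return human-readable reasons an entry deserves a closer look."""
    reasons = []
    missing = "(file missing)" in rest
    has_dir = "\\" in target
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    if section == "O2" and "(no name)" in rest and missing:
        reasons.append("nameless BHO whose DLL is gone: leftover registration of a "
                       "component that renames itself on each run")
    if section == "O4" and not has_dir:
        reasons.append("Run value is a bare filename, so Windows finds it by PATH "
                       "search instead of an explicit location")
    if "\\application data\\" in low or "\\documents and settings\\" in low:
        reasons.append("auto-start executable lives inside a user profile")
    if re.search(r"system32\\[^\\]*~\d+\\", low):
        reasons.append("target sits in an 8.3-shortened subdirectory of system32, "
                       "which is not how Windows' own components are referenced")
    if section == "O20" and (missing or not has_dir):
        reasons.append("Winlogon Notify DLL with no resolvable path; notify "
                       "packages load into winlogon.exe at every logon")
    if "?" in target:
        reasons.append("path contains '?', which HijackThis prints for characters "
                       "it cannot display (a way to fake names like Adobe)")
    stem = re.sub(r"\d", "", name)          # spoolvs5.exe -> spoolvs.exe
    for sysname in SYSTEM_BINARIES:
        if stem != sysname and levenshtein(stem, sysname) <= 2:
            reasons.append(f"name is within two edits of system binary {sysname}")
            break
    return reasons


def triage(log_text: str) -> list:
    """Return [(line, [reasons])] for every line that triggers a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        reasons = flags_for(section, rest, target_of(section, rest))
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is, it flags five of the ten sample lines: the missing pltwer.dll BHO, spoolvs5.exe (bare filename plus the spoolsv.exe look-alike), the javaw.exe under the short-named system32 subdirectory, the ?explore.exe entry (profile directory, unprintable characters, and within two edits of explorer.exe), and the missing wingdm32.dll notify package. Spybot's SDHelper.dll is also a "(no name)" BHO but is present on disk, so it passes, which is why the rule needs both conditions; the Cryptainer and WgaLogon entries pass for the same reason. None of this replaces checking each flagged file, and a rule set this small will miss components that use full paths and ordinary names.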

Post by NoBugs » May 15th, 2007, 8:28 pm

Silver,

I'm going to reformat. The infected machine's purpose has changed recently and it has a LOT of unnecessary software installed. The machine is not used for sensitive tasks (online banking, etc.), but it is connected to a home network with 5 other MS Windows machines.

2 quick questions if I may:

How likely is it that other machines on the network are infected? None of the other machines show any signs of infection. Virus and spyware scans are clean, Security Task Manager shows no unusual things running, system performance is normal, etc.

Second, can I safely backup pictures, documents, etc. from the infected drive before re-formatting? I would not, of course, back-up any system files or settings, but I would like to save current copies of some user created files before I wipe the drive. Is that safe?

Many thanks for your help, and I would welcome any suggestions for preventing a recurrence of this infection.

Post by NoBugs » May 15th, 2007, 8:37 pm

One more question Silver:

The infected computer has a second hard drive that has no OS or program files on it, only data. Should the data on this drive be safe? I'm asking because I don't know what the machine is infected with and I don't know how sneaky it is about spreading.

Thanks again for your help!

Post by NoBugs » May 16th, 2007, 5:54 pm

Hi Silver,

Well...since I made the last post above, I have cleaned the infected 'puter. After I made those posts, I turned the machine off and decided to just go do something else and wait. I couldn't do it! :lol:

I headed out for a ride on my bike and while I was out, I kept thinking about having an infected 'puter and I just got madder and madder. It was a quick ride back to the house, and I knuckled down and cleaned the beast. I had to talk to it occasionally, downloaded gigs of tools and scanners, read and searched 'til my head hurt, and I may have damaged the power button (LOL), but I'm sure it's clean. No idea how many times I booted it, but it was a frenzy for most of the night. 8)

As a result of my research, efforts, and frustrations with cleaning my machine, I have decided to learn how to fight malware and join you fine folks in helping others beat this plague. :D

Please close this topic, and I will see you around the University here. Thanks for your time and assistance!

Post by silver » May 17th, 2007, 9:08 am

Hi NoBugs,

I'm glad your machine is running better; however, I recommend you let me double-check your work, as the malware on your machine was very serious and not easy to remove (as I'm sure you already know). Either way, please post back to let me know you've read this.

The following is my response to you, which was composed before your last post; it may be of use to you. See you around MRU!

As far as your pictures, documents and other user-created data on both the infected system drive and the second hard drive, all are likely to be OK and safe from infection, but of course we can't be sure. Therefore, you should initially treat everything as suspect until you have checked it. Before opening or using any of the files, please scan everything with antivirus software either from another computer or from the new OS installation. Scanning from the infected computer is not enough to be sure. If anything is detected amongst the data then please post the details here, and I'll help you make sure the infection is taken care of; if it's all clean then you should be fine. I'd recommend you use an online scan from Kaspersky for this purpose.

From what I've seen in your log, your machine is infected with very nasty adware and trojans, and while I have no information that indicates the infections are self-replicating and spread via the network, we can't be sure. You are quite right to check each machine, and I'd recommend performing an online scan on each machine just to double-check. Again, I'd recommend Kaspersky for this purpose. If anything is detected, or you have any other symptoms, then let me know; otherwise they are probably fine.

Here is some information about reformatting which you may find useful:
http://www.dslreports.com/faq/10063

I recommend you take the time to read the article through, particularly the advice about protecting your unpatched computer until it is secured. I suggest you have offline copies of your protection software ready to install, and do not use the computer for anything until it is fully patched and protected.

Here are some tips to help you keep your machines clean:

Antivirus protection is essential; please ensure you have one operating at all times. Do not, however, install more than one, as they can conflict and cause system problems. Two popular and free packages are:

AVG Antivirus: http://free.grisoft.com/doc/1
Antivir: http://www.free-av.com/

Antispyware protection is also essential; there are a variety of programs available, however using one with real-time protection is important.
Windows Defender is free and offers real-time protection.

Firewall protection: XP's in-built firewall helps you by blocking inbound connections to your computer, but adding a software firewall will allow you to monitor and control outbound connections as well. I recommend these programs:
Sunbelt Personal Firewall
Zone Alarm

IESPYADS helps protect you from malicious websites by placing a list of known bad websites in Internet Explorer's Restricted Zone. This Zone limits the capabilities of these websites, including preventing them from installing software. This will complement your security software and I recommend you install it:
http://www.spywarewarrior.com/uiuc/resource.htm

Find out how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687
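The Restricted Zone mechanism silver describes for IESPYADS is a set of registry keys under Internet Explorer's ZoneMap: one key per domain (or per host, as a subkey of its domain), holding a value whose name is the URL scheme and whose data is the zone number, 4 being Restricted sites. The script below is an added example for this page, not IE-SPYAD's own file; it builds a .reg file in that layout from a host list. The host names in SAMPLE_HOSTS are constructed placeholders, not a real block list, and the "last two labels are the domain" rule is this example's simplification (it mishandles public suffixes such as co.uk).

```python
"""Generate a .reg file that places hosts in Internet Explorer's Restricted
sites zone, the mechanism behind IE-SPYAD's block list.

Added example for this page, not IE-SPYAD's own file. SAMPLE_HOSTS is a
constructed list of placeholder names; the domain-splitting rule is an
assumption that ignores public suffixes such as co.uk.
"""

# IE security zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
ZONE_RESTRICTED = 4

DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample: duplicates, mixed case and a full URL are included so
# the normalisation can be seen to collapse them.
SAMPLE_HOSTS = ["ads.bad-example.test", "bad-example.test", "ADS.bad-example.test",
                "http://tracker.example.invalid/", "www.bad-example.test"]


def split_host(host: str):
    """Return (domain, subdomain or None) the way ZoneMap keys are laid out:
    Domains\<domain> covers the whole domain, Domains\<domain>\<sub> one host.
    Assumption: the domain is the last two labels of the name."""
    host = host.strip().lower()
    if "://" in host:                       # accept a URL, keep only the host
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].strip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a host name: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2]) or None
    return domain, sub


def zone_keys(hosts, zone: int = ZONE_RESTRICTED) -> dict:
    """Map each registry key to the zone it should receive. Case and URL
    differences collapse onto one key; a bare-domain key already covers its
    subdomains, so a separate subdomain key is redundant but harmless."""
    keys = {}
    for h in hosts:
        domain, sub = split_host(h)
        key = DOMAINS_KEY + "\\" + domain + ("\\" + sub if sub else "")
        keys[key] = zone
    return keys


def build_reg(hosts, zone: int = ZONE_RESTRICTED) -> str:
    """Emit .reg text. A value named '*' applies to every scheme; naming it
    'http' or 'https' instead would restrict only that scheme."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, z in sorted(zone_keys(hosts, zone).items()):
        lines += [f"[{key}]", f'"*"=dword:{z:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(SAMPLE_HOSTS))
```

The five sample entries produce four keys, because the upper-case duplicate folds into the first. Writing the file under HKEY_CURRENT_USER affects only the importing user's profile; the same layout under HKEY_LOCAL_MACHINE applies machine-wide only when IE is configured to use the machine zone settings. Only software that consults IE's zone model honours these keys, so a Restricted Zone list offers no protection to a browser that does not, which is one reason silver lists it as a complement to, not a substitute for, the antivirus and firewall advice above.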

Post by NoBugs » May 17th, 2007, 6:17 pm

Hi Silver,

Thanks for the tips on the bugs spreading to my data files and to the other drive. That is exactly what I was looking for, and my research supports your conclusion that they are likely safe. I am in the process today of backing up the stuff to DVDs now that I believe the machine is clean. Just in case, I am going to scan the backup DVDs with several of my new favorite tools on another 'puter before I consider them safe. Thanks for that advice.

As I’m new to the malware removal thing, I doubt that my process for removing the bugs was optimal, but I think it succeeded. I’m going to post a new log for you to look over since you very kindly offered to look it over.

Yes, the infection was VERY nasty and resistant to removal. As you probably already know, I had multiple backdoor Trojan infections and a ton of adware. What made the infection so difficult to clean is that the infections were being continuously reinstalled by a stealth root-kit. Once I discovered what was happening, and purged the root-kit and cleaned up the MBR, the remainder of the cleanup was pretty straightforward.

I will share with you that I discovered the source of the infection. My oldest son (11), who has his own computer and usually isn't allowed on the machine that was infected, ran an infected file. The file was from a site he surfs to look for tips and codes to help with playing video games. He told me that the computer "just exploded"

Post by silver » May 18th, 2007, 8:16 pm

Hi NoBugs,

You must have worked pretty hard on your machine; even using the best tools and procedures, the malware in that log is not easy to clean, and the rootkit would have made it even more challenging.

Backing up your files to DVD and scanning from another computer sounds great.

Obviously bad downloads like the one that caused this are to be avoided, and signature-based antivirus programs cannot always detect the newest malware; so for some further protection you might consider using a program like Site Advisor or SiteHound which help by alerting the user when opening websites that contain unsafe content.

Your HijackThis log looks fine; of course I can't tell from what I've seen whether your machine is really clean or not, but with those scan results it may well be. If so, then well done! I'm sure this experience will give you a big head start in your training, so best of luck and I'll see you around!

Post by NoBugs » May 18th, 2007, 9:54 pm

Thanks for taking a look at the log Silver, and I'm glad to hear it looks OK to you.

This machine is the "fast" computer in our house and is used mainly for Flight Simulator and Photo/Video processing. It has significant storage capacity due to the photo/video file size, and consequently the scans take FOREVER. ;)

Since it isn't used for anything sensitive and I believe it is now clean, I'm going to wait until this fall to reformat. This machine is scheduled for an upgrade later this year for more speed and a dual video card setup, so the OS will have to be re-installed then anyway (Vista? :shock: ). I'm still a little spooked by the whole affair, but I have solid backups now and can go ahead and reformat if it blows up on me between now and then.

I'm convinced that we're done with this thread now, and I really appreciate your feedback. I'll see you around school.

Post by NonSuch » May 29th, 2007, 12:59 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

