Free Malware Removal Forum

[Lutzee]

Hi,

I think I may have some kind of virus or trojan. This is the reason I think this:

I have 2 hard disks. One has vista ultimate 64 (C:) and the other one is simply for storage (D:). I think I used to have system restore enabled on D: (the storage one).

I recently scanned this drive using Nod32. It found a virus in a file in a system volume information folder (i think this is used for system restore?) but was unable to delete it (i think this is because system restore files are compressed?).

I tried to delete the system restore files without success even in safe mode. I tried again with BartPe and I was able to delete the files inside system volume information, but incredibly not the folder "system volume information" itself.

When I went back into Vista I noticed the only thing left inside system volume information was a file called "tracking.log" I opened it but was unable to read any of it. All this time system restore was not enabled on this drive.

I read on another forum that if I disabled system restore on a drive all the content of system volume information should be deleted. It has not been. Is this a Virus? I have uploaded my Hijack this log.

Thanks for taking the time to look at this

[John B.]

Hi! and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

Please be patient and I'd be grateful if you would note the following:

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.
• Finally, please make a uninstall list using HijackThis
  To access the Uninstall Manager you would do the following:
  
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Please don't post the log as an attachment. Also repost your HijackThis log because we don't open attachments if not needed. It's much clearer if others can see logs without downloading them and attachments could be infected. Something I want to ask you: Is System Restore enabled? Did you/the other person manually clean the 'System Volume Information' folder?

Greets, John.

[Lutzee]

Hi John,

Sorry I haven't replied sooner I work away from home during the week.

System restore is not enabled on that drive. It is enabled on the other drive.

I manually cleaned the folder.

[Lutzee]

Uninstall log file:

.NET Terrarium 1.2
1st Ip Port Scanner version 2.0
3DMark05
AC3 Decoder
AC3Filter (remove only)
AccessDiver v4.301
Aces High II
Active Whois 3.0
Ad-Aware 2007
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Agnitum Tauscan 1.7
America's Army
Angband 3.0.6
Applian FLV Player
ArtCursors
Battlefield 1942
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield 2142
Cain & Abel v4.5
Cain & Abel v4.9.4
CCleaner (remove only)
CD to MP3 Maker
Cheat Engine 5.3
CINEMA 4D Release 10
Cipher Temple Demo
Crazy Car Championship Demo
CuteFTP 8 Home
Data Doctor Chat Archive Recovery Yahoo Messenger(Evaluation) 2.0.1.5
Data Doctor Recovery NTFS 3.0.1.5
Data Doctor Recovery NTFS(Evaluation) 3.0.1.5
Deep Space Nine The Fallen Demo
Dev-C++ 5 beta 9 release (4.9.9.2)
DiamondCS Port Explorer v2.150
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EA Link
EffeTech HTTP Sniffer v4.0
er100LT
Ethereal 0.10.14
EVEMon
EVE-ONLINE (remove only)
Fable - The Lost Chapters
Flash Favorite 1.5
FlightGear v0.9.10
FMS
Fraps
FreeBASIC 0.16b
Futuremark Measurement Services Client
Gaia Web Hits V1.0.4.0
GetDataBack for NTFS
Google Earth
GPL MPEG-1/2 DirectShow Decoder Filter
HDD Regenerator
Hero Workshop
HijackThis 2.0.2
Indiana Jones and the Fountain of Youth Demo
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
JETFIGHTER 2015
Kaspersky Online Scanner
LimeWire 4.12.5
Lock On: Modern Air Combat
Lock On: Modern Air Combat Demo
Metacafe
Metasploit Framework 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Crimson Skies
Microsoft Crimson Skies Trial
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Halo
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio .NET Professional 2003 - English
Microsoft Visual Studio 2005 Professional Edition - ENU
Mig Alley 1.1
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Mummy Maze Deluxe 1.1
NmapW 2.0
NOD32 antivirus system
NTFS4DOS
Oblivion
Oblivion - Construction Set
OpenRPG (Remove Only)
PEiD.0.94.With.ALL.Plugins
Power Render 6 Trial
Privoxy 3.0.6
PTDD Partition Table Doctor 3.5 Demo
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Registry Mechanic 6.0
Roleplaying City Map Generator
Senselang
Shred It
Skype™ 3.5
Sophos Anti-Rootkit 1.3RC
Spybot - Search & Destroy 1.4
Star Trek Away Team
Star Trek Elite Force II
Star Trek Starfleet Command III
Star Wars Starfighter
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
SuperRam
System Requirements Lab
TeamSpeak 2 RC2
Tor 0.1.2.14
Trojan Remover 6.5.9
TrueVision3D 6.2
TV3Demo
UberTools GDK
Vidalia 0.0.11
VideoLAN VLC media player 0.8.6a
VRally3 Demo
What Is Transferring 1.0
Windows Live Messenger
Wings Over Vietnam
WinPcap 4.0
WinRAR archiver
WinZip
Wireshark 0.99.5
wxPython 2.8.1.1 (unicode) for Python 2.5
Xfire (remove only)
Yahoo! Messenger
Zero Assumption Recovery Version 8.0
zMapper 1.30.0.0

[Lutzee]

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:25, on 07/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files (x86)\ESET\nod32kui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Lutzee\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files (x86)\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Product Registration.lnk = C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files (x86)\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files (x86)\Active Whois\ieshow.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files (x86)\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files (x86)\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Saitek DirectOutput (SaiDOutput) - Saitek - C:\Program Files\Saitek\DirectOutput\DirectOutputService.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7348 bytes

[Lutzee]

Thanks so much for helping me p.s. I also used kapersky online scanner and I installed cain and abel (I know someone else didn't put it there I used it to recover a password on an old machine on my network)

[John B.]

Hi,

Your system is probably clean. One thing you could try (if the hard drive with the empty System Restore folder is the one where it is disabled):

• Enable System Restore
• Reboot
• Disable System Restore
• Reboot

That probably creates a new restore point on the reboot and then you can disable it again. Not sure if an empty System Restore folder is a problem, anyway.

There are some things we can do to make your system safer...

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of malware infestation
Additional information on the safety of Peer to Peer programs themselves is here :
Clean/Infected P2P Programs
Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.

Step 1: Move HijackThis
You currently are running HijackThis from your desktop

Please make a folder there and place HijackThis in that folder.

DO NOT follow the steps below until you have moved HijackThis.

Step 2: Remove HijackThis entry

• Run HijackThis
• Click on the Scan button
• Put a check beside the item listed below (if present):
  
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Step 3: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of ava Runtime Environment (JRE) 6 Update 5.
• Scroll down to where it says ava Runtime Environment (JRE) 6 Update 5.
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.
• Note: If you don't want the Google toolbar, make sure you uncheck the option included in the installer!

Step 4: Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

• Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
• Then select the items you wish to clean up.
  
  • In the Windows Tab:
    
    • Clean all entries in the Internet Explorer section except Cookies
    • Clean all the entries in the Windows Explorer section
    • Clean all entries in the System section
    • Clean all entries in the Advanced section
    • Clean any others that you choose
  • In the Applications Tab:
    
    • Clean all except cookies in the Firefox/Mozilla section if you use it
    • Clean all in the Opera section if you use it
    • Clean Sun Java in the Internet Section
    • Clean any others that you choose
• Click the Run Cleaner button.
• A pop up box will appear advising this process will permanently delete files from your system.
• Click OK and it will scan and clean your system.
• Click exit when done.
• If it asks you to reboot at the end, click NO

CCleaner should be run with the above settings for each User Account!

Step 5: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives Scan Mail Bases
  
• Click OK
• Now under select a target to scan:
  
  Select My Computer
  
• The program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.

Step 6: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):

• Tell me whether enabling and disabling System Restore solved your concerns
• Tell me if you want to keep on using P2P
• Tell me if you have the Vista Firewall enabled
• Fresh HijackThis log
• Kaspersky log

Greets, John.

[Elrond]

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Elrond