windows/system32 trojan


Post by XtreemCO2 » August 23rd, 2005, 1:46 pm

Logfile of HijackThis v1.99.1
Scan saved at 1:41:41 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\kvuzba.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Benzinger\Desktop\fr2-beta2[03-24]\fr2_beta\mirc.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Benzinger\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [dvirsn] c:\windows\system32\kvuzba.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2217246250
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Post by percyonline2004 » August 23rd, 2005, 3:15 pm

Hi XtreemCO2, and welcome to the MWR Forums. Please be patient while we check your log over in detail. I will get back to you as soon as this is done. Thank you.

Post by percyonline2004 » August 24th, 2005, 10:59 am

Hi XtreemCO2. Welcome to the MWR Forums. Your computer is in need of a little attention, but it is nothing that we cannot sort for you. The following instructions will be set out as plainly as possible and in different sections. Please make sure that each step is complete before moving on to the next one. If you are having any difficulty understanding or following any part of the instructions, then please feel free to enquire so that we can clarify things in more detail.

Please move HJT to its own folder. Right click on the desktop (in an empty area, not over an icon), select "New", then select "Folder". Call this folder HJT and move the program into it before you scan with HJT again.

I would suggest that you either print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read these instructions carefully and feel free to ask if you're unsure about something.

First we need to download a couple of files:
Ewido - Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Nailfix - Unzip the file, but DO NOT RUN it yet.

Please ensure that hidden files are set to show:
  • Open Windows Explorer - Tools - Folder Options - and select the View tab.
  • Scroll down to the "Hidden Files and Folders" section.
  • Now select the option to "Show hidden files and folders".
  • Take the tick out of "Hide file extensions for known file types".
  • Take the tick out of "Hide protected operating system files". Click on OK and Apply.
  • Next, click the "Apply to All Folders" button. Close Windows Explorer.
Now we need to close down a Windows service. To do this, follow the instructions below:
  • Go to the Start menu - select Run - type in the following: Services.msc
  • You should now have a window open which shows you what services are running on your computer.
  • Look for one called System Startup Service and double click on it.
  • Towards the bottom of the window you will see an area called Service status - click on the Stop button.
  • Just above the service status area you will see a menu called Startup type - select Disabled.
  • Click on the Apply button.
  • Click on the OK button.
Now go to Control Panel and select "Add/Remove Programs".
Look for SurfSideKick 3 and select the Remove button to the right.

Please restart your computer in Safe Mode. To do so, reboot your computer and repeatedly tap F8 whilst your computer is booting up (just before the MS Windows flag screen appears) until a menu appears. Once you see the menu, select the option to start the computer in Safe Mode. (It might take more than one go to access the menu if you have not done this before; just simply reboot the machine again and repeat the steps.)

Once you are in Safe Mode,
click on nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly. This is normal.

Once Nailfix has been run,
run the Ewido program on a full scan and save the log file to a secure place on your computer.

Run HijackThis
- Select the option to do a system scan only - we do not need a log for this:
  • 1. Click on the "Config..." button
  • 2. Click on the "Misc Tools" button
  • 3. Select the button to "Open Process Manager"
Next, while holding down the CTRL key, locate (if present) and click on the following file/s to highlight them:
  • kvuzba.exe
Once they are all highlighted, click on the "Kill Process" button.
Now double check that the item/s have disappeared from the list; if not, repeat the steps until they have done so.

Next, click on the "Back" button to return to the main HJT log.
Now place a tick in the left hand boxes alongside the following entries

Once you have placed a tick in all the relevant boxes, click on the Fix button. Now re-run HJT to double check that none of the entries have been missed out accidentally.

Next, locate the following files.
Once you find them (some may not exist, but it's safer to double check), click on them to highlight the file, hold down the Shift key, then press Delete at the same time:
  • C:\WINDOWS\Nail.exe
  • C:\WINDOWS\dsr.dll
  • c:\windows\SvcProc.exe
  • c:\windows\system32\kvuzba.exe

Next, locate the following folders (if they still exist). Click on them to highlight the folder, hold down the Shift key, then press Delete at the same time:
    C:\Program Files\SurfSideKick 3


Hopefully you should now have a clean system. Now restart in normal mode and please post a fresh HJT log back to me. Thank you.

Post by XtreemCO2 » August 24th, 2005, 11:59 am

This file just recreates itself as a different file name when I end the process. Trend Micro online virus scan identifies it as a trojan.horse/downloader-abs/Win32.BettInet.AQ

O4 - HKLM\..\Run: [dvirsn] c:\windows\system32\kvuzba.exe r

http://www.trendmicro.com/vinfo/virusen ... J_AGENT.PZ

Logfile of HijackThis v1.99.1
Scan saved at 12:02:22 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\windows\system32\jfvbnze.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benzinger\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 2217246250
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
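Added example, not from the thread or the site's tooling: a Python script that applies the checks percyonline2004 made by eye to the first log above (Winlogon Shell hijack, hosts override, search-page redirect, autorun from the Windows directory, service with no vendor, orphaned entries), then diffs that log against the second one to catch the renamed system32 executable XtreemCO2 reports. The two log excerpts are constructed from the logs posted in this thread; the trusted-search-host list and the list of programs expected to auto-run from the Windows directory are assumptions for illustration, not HijackThis or forum data.

```python
# Added example: triage a HijackThis v1.99 log and diff it against a later one.
# Not HijackThis code or the forum's tooling. Log excerpts are constructed from
# the two logs posted in this thread; both allowlists are illustrative assumptions.
import re
from urllib.parse import urlparse

LOG_DAY1 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\kvuzba.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [dvirsn] c:\windows\system32\kvuzba.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

LOG_DAY2 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\windows\system32\jfvbnze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Assumption: hosts an untouched IE search setting may legitimately point at.
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "go.microsoft.com"}
# Assumption: the only programs expected to auto-run from %SystemRoot% on an XP box.
EXPECTED_SYSTEMROOT_RUN = {"ctfmon.exe"}

def parse(log):
    """Split a HJT log into (running processes, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY_RE.match(line):
            in_procs = False
            entries.append((m.group("section"), m.group("body")))
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False
    return processes, entries

def triage(entries):
    """Return (section, reason, body) for every entry that needs a human look."""
    findings = []
    for section, body in entries:
        low = body.lower()
        if section == "F2" and "shell=" in low:
            # The Winlogon Shell value should be exactly Explorer.exe; anything
            # appended to it is launched at every logon.
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                findings.append((section, "Winlogon Shell hijack", body))
        elif section == "O1":
            findings.append((section, "hosts file override", body))
        elif section in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url if "://" in url else "http://" + url).hostname or ""
            if url != "about:blank" and host not in TRUSTED_SEARCH_HOSTS:
                findings.append((section, f"search setting hijacked to {host}", body))
        elif section == "O4" and (m := re.search(r"\]\s*(.+)$", body)):
            exe = m.group(1).split()[0].lower()
            if exe.startswith("c:\\windows") and exe.rsplit("\\", 1)[-1] not in EXPECTED_SYSTEMROOT_RUN:
                findings.append((section, "autorun from the Windows directory", body))
        elif section == "O23" and "unknown owner" in low:
            findings.append((section, "service binary has no vendor; verify it", body))
        if "(file missing)" in low:
            findings.append((section, "orphaned entry, target gone from disk", body))
    return findings

def unexplained_new_processes(before, after):
    """Processes under system32 that appeared between two logs and are not the
    binary of a vendor-attributed O23 service: the signature of a renamed dropper."""
    old = {p.lower() for p in before[0]}
    vendor_backed = {body.rsplit(" - ", 1)[-1].lower()
                     for section, body in after[1]
                     if section == "O23" and "unknown owner" not in body.lower()}
    return sorted(p.lower() for p in after[0]
                  if "\\system32\\" in p.lower() and p.lower() not in old
                  and p.lower() not in vendor_backed)

if __name__ == "__main__":
    day1, day2 = parse(LOG_DAY1), parse(LOG_DAY2)
    for section, reason, body in triage(day1[1]):
        print(f"[{section}] {reason}: {body}")
    print("new unexplained system32 processes:", unexplained_new_processes(day1, day2))
```

Run as a script it prints the six flagged day-one entries and the one system32 newcomer from day two. A service shown as "Unknown owner" is a prompt to verify the binary, not proof of infection, which is why the diff excludes processes that a vendor-named O23 service accounts for (the ATI binary) and keeps only the one nothing explains.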

Post by percyonline2004 » August 25th, 2005, 11:10 am

Hi XtreemCO2,

I would advise you to print this out, as your computer will be restarted by the installation of programs throughout the process.

First let's give your security a boost...

Download and install Zone Alarm Free. This is a firewall program designed to stop unwanted traffic in and out of your computer.

Download and install AVG antivirus. Follow the on-screen installation instructions, check for any recent updates, then do a full system scan.

Download and install Ad-Aware SE Personal edition and check for any updates. Run the Ad-Aware program on a full system scan and delete any entries that it finds.

Go to Add/Remove Programs in Control Panel and uninstall SurfSideKick 3.
You may also want to read up on information on the WeatherBug program that you have installed. WeatherBug has been identified by some as malware - see Symantec's security response for more information.

Open HJT and select the option to do a system scan only - we do not need a log for this:

Now place a tick in the left hand boxes alongside the following entries
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) - If desired

Once you have placed a tick in all the relevant boxes, click on the Fix button.

Now re-run HJT to double check that these entries have disappeared

Even though you should now have an antivirus program running, I would like you to do an online scan here at Panda Active Scan. At the end, there is an option to save the log. Please do this and save the log to a secure location, as I will need it in the next step.

Once this is complete, I would like you to post a new log from HJT along with the Ewido and Panda scan results.

Post by NonSuch » September 13th, 2005, 3:07 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change, and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.