Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Another computer, another malware (hijack log included)

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 2:45 am

Looks already better :)

Next we will need to check some files:

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
C:\WINDOWS\services.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 7:56 am

Hi Shaba,

The first one was clean, the second one (services.exe) found as follows:
Scan taken on 14 Aug 2008 11:52:43 (GMT)
A-Squared Found nothing
AntiVir Found BDS/Joleee.E
ArcaVir Found Trojan.Joleee.E
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.573
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Joleee.e
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Joleee.e
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Agent-HKW
VirusBuster Found nothing
VBA32 Found nothing

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm
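The multi-engine verdict list above is the kind of output a helper reads by eye: how many engines flagged the file, and whether the ones that did agree on a family. The script below is an added example that is not part of this thread and is not code from Jotti or VirusTotal; it assumes the one-line "Engine Found verdict" layout seen in the post and uses a hand-made list of generic words (trojan, backdoor, agent, ...) that carry no family attribution.

```python
import re
from collections import Counter

# Constructed sample: the multi-engine verdict list snauss pasted from Jotti
# for services.exe, reproduced here only as test input.
JOTTI_RESULTS = """\
A-Squared Found nothing
AntiVir Found BDS/Joleee.E
ArcaVir Found Trojan.Joleee.E
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Packed.573
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.Joleee.e
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Joleee.e
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Troj/Agent-HKW
VirusBuster Found nothing
VBA32 Found nothing
"""

# One verdict per line: "<engine name> Found <verdict>"; "nothing" means clean.
LINE_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")

# Words that name a class of malware rather than a family; they carry no
# attribution signal, so they are skipped when counting family votes
# (hand-made list, an assumption of this example).
GENERIC_WORDS = {"trojan", "backdoor", "agent", "packed", "other", "troj",
                 "downloader", "spy", "generic", "malware", "heur"}
TOKEN_RE = re.compile(r"[A-Za-z]{4,}")


def parse_results(text):
    """Map engine name -> verdict string, or None when the engine found nothing."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        verdict = m.group("verdict").strip()
        results[m.group("engine")] = None if verdict.lower() == "nothing" else verdict
    return results


def family_votes(results):
    """Count how many engines mention each family-like token in their verdict.

    Each engine votes at most once per token, so 'Backdoor.Win32.Joleee.e'
    contributes a single vote for 'joleee'.
    """
    votes = Counter()
    for verdict in results.values():
        if not verdict:
            continue
        seen = set()
        for tok in TOKEN_RE.findall(verdict):
            tok = tok.lower()
            if tok in GENERIC_WORDS or tok in seen:
                continue
            seen.add(tok)
            votes[tok] += 1
    return votes


def summarize(text):
    """Detection count, engine count and the best-supported family name."""
    results = parse_results(text)
    detected = sum(1 for v in results.values() if v)
    votes = family_votes(results)
    top_family, top_votes = votes.most_common(1)[0] if votes else (None, 0)
    return {
        "detected": detected,
        "engines": len(results),
        "top_family": top_family,
        "family_votes": top_votes,
    }


if __name__ == "__main__":
    s = summarize(JOTTI_RESULTS)
    print(f"{s['detected']}/{s['engines']} engines flagged the file; "
          f"{s['family_votes']} of them agree on family '{s['top_family']}'")
```

On the sample this reports 7 of 20 engines flagging the file with four of them naming the same family, which is why a helper treats a file like this as malicious even though most engines missed it: agreement among independent engines on a specific family matters more than the raw detection count.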

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 8:05 am

Thank you for the results.

Please upload this to jotti as well:

C:\WINDOWS\system32\drivers\Chl83.sys

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\services.exe

Folder::
C:\Program Files\ednppsf
C:\Documents and Settings\All Users\Application Data\dgdutafs

Driver::
ntsysvers
runbatch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"runbatch"=-
"ntsysvers"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot of dragging CFScript onto ComboFix.exe; image not included]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and jotti results.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 8:34 am

Hi Shaba,

The file C:\WINDOWS\system32\drivers\Chl83.sys came back clean.

The logs are as follows:

ComboFix 08-08-12.01 - Mike & Sharon 2008-08-14 9:15:35.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.746 [GMT -3:00]
Running from: C:\Documents and Settings\Mike & Sharon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike & Sharon\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\services.exe
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dgdutafs
C:\Documents and Settings\All Users\Application Data\dgdutafs\fmtajwpc.exe
C:\Program Files\ednppsf
C:\Program Files\ednppsf\GenActMsg.dll
C:\WINDOWS\services.exe
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTSYSVERS
-------\Legacy_RUNBATCH
-------\Service_ntsysvers
-------\Service_runbatch


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-13 15:37 . 2008-08-13 15:37 577,024 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-08-13 15:33 . 2008-08-13 15:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-13 11:47 . 2008-08-13 16:29 <DIR> d-------- C:\SDFix
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Program Files\Avira
2008-08-13 09:48 . 2008-08-13 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-10 16:29 . 2008-08-10 16:29 <DIR> d-------- C:\Program Files\Flux
2008-08-02 21:06 . 2008-08-02 21:18 716 --a------ C:\scope

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:19 25,472 ----a-w C:\WINDOWS\system32\drivers\Chl83.sys
2008-08-07 00:09 --------- d-----w C:\Program Files\Plextor
2008-06-25 18:18 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-17 15:40 --------- d-----w C:\Program Files\iZotope
2008-04-20 00:25 101,192 ----a-w C:\Documents and Settings\Mike & Sharon\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-13_16.52.52.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 23:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StrDb"="C:\WINDOWS\system32\rgnybank.exe" [2008-08-12 12:46 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-02 12:40 155648]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"EW Message Server"="msg32.exe" [2003-02-26 20:03 45056 C:\WINDOWS\SYSTEM32\Msg32.exe]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\SYSTEM32\DeltTray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.NTN1"= NUVision.ax
"vidc.dvsd"= dvc.dll
"msacm.dvacm"= dvacm.acm
"VIDC.YMPG"= ympgcdc.dll
"msacm.ympgacm"= ympgacm.acm
"Midi1"= gmidi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike & Sharon^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Mike & Sharon\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2005-10-12 18:13 7086080 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-02 12:40 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svchost"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 BTMgr;Bluelet Device Manager Service;C:\WINDOWS\system32\Drivers\BTMgr.sys [2002-06-12 14:43]
R2 JamLabInstallerService;JamLab Installer;C:\Program Files\M-Audio\JamLab\JamLabInst.exe [2006-01-09 17:39]
R3 EWAVE;EWAVE;C:\WINDOWS\system32\drivers\ew.sys [2003-02-26 20:04]
R3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2003-02-26 20:13]
R3 GBGSIF;FX-MAX virtual GSIF driver;C:\WINDOWS\system32\Drivers\GBGSIF.sys [2005-03-07 00:21]
R3 hypaudio;hypaudio;C:\WINDOWS\system32\DRIVERS\hypaudio.sys [2006-05-30 16:20]
R3 hypkern;hypkern;C:\WINDOWS\system32\drivers\hypkern.sys [2006-05-30 16:20]
R3 MAWGSIF;MOTU PCI GSIF Driver;C:\WINDOWS\system32\drivers\MAWGSIF.sys [2004-07-21 16:05]
R3 MotuAW;MotuAW;C:\WINDOWS\system32\drivers\MotuAW.sys [2004-07-21 16:03]
R3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2003-02-26 20:06]
R3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 03:46]
S3 82827bba-7380-4b11-bfe5-ff053dc5ed6c;82827bba-7380-4b11-bfe5-ff053dc5ed6c;D:\CDS300\cds300.dll []
S3 Btusb;Bluetooth USB;C:\WINDOWS\system32\Drivers\Btusb.sys [2001-12-10 15:16]
S3 FILEMON;FILEMON;C:\Documents and Settings\Mike & Sharon\Desktop\sammon\FILEMON.SYS []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
S3 gsif324;GSIF Driver for MOTU 324;C:\WINDOWS\system32\drivers\gsif324.sys []
S3 MagixASIODrv;MAGIX_ASIO_BoostDriver;C:\MAGIX\Samplitude_V8_professional\mxasio.sys [2002-04-16 12:10]
S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausbjl.sys [2006-02-01 10:25]
S3 MAWWAVE;MOTU PCI Wave Driver;C:\WINDOWS\system32\drivers\MAWWAVE.sys []
S3 NUVision;NUVision Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-09-20 07:58]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys []
S3 w324drvr;w324drvr;C:\WINDOWS\system32\drivers\w324drvr.sys []

*Newly Created Service* - EWAVE
.
- - - - ORPHANS REMOVED - - - -

SSODL-GenActMsg-{2EF26493-ECFD-4DD1-ABDF-03A50288E9C3} - C:\Program Files\ednppsf\GenActMsg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 09:22:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-14 9:30:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 12:30:16
ComboFix2.txt 2008-08-13 19:53:20

Pre-Run: 7,502,643,200 bytes free
Post-Run: 7,433,355,264 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:34 AM, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msg32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rgnybank.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StrDb] C:\WINDOWS\system32\rgnybank.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4647 bytes

Thanks again...you're the best!!

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 8:43 am

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKCU\..\Run: [StrDb] C:\WINDOWS\system32\rgnybank.exe

Close all windows including browser and press fix checked.

Reboot.

Delete this:

C:\WINDOWS\system32\rgnybank.exe

Empty Recycle Bin.

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Double click on jre-6u7-windows-i586-p.exe to install Java.
  8. After the Java installation has finished, please go to Kaspersky website and perform an online antivirus scan.
  9. Read through the requirements and privacy statement and click on Accept button.
  10. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  11. When the downloads have finished, click on Settings.
  12. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  13. Click on My Computer under Scan.
  14. Once the scan is complete, it will display the results. Click on View Scan Report.
  15. You will see a list of infected items there. Click on Save Report As....
  16. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  17. Please post this log in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
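The one O4 line Shaba picks out of the HijackThis log is a per-user (HKCU) Run value launching an executable from the system32 directory. The script below is an added example, not part of this thread and not code from HijackThis; it parses the O4 lines in the format shown in the log above and applies that single heuristic to produce a review list. The sample lines are copied from the first log in the thread purely as test input, and the heuristic is an assumption of this example, not a rule HijackThis itself applies.

```python
import re

# Constructed sample: the O4 (autostart) lines from the first HijackThis log
# posted in this thread, reproduced here only as test input.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [StrDb] C:\WINDOWS\system32\rgnybank.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
"""

# HijackThis O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def target_of(cmd):
    """Best-effort extraction of the launched file from a Run command line.

    Handles quoted paths, rundll32 host lines (the DLL is the real target) and
    bare tokens; an unquoted path containing spaces would be truncated, so
    such entries should be reviewed by hand.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def parse_o4(text):
    """Return one dict per O4 line with hive, value name, command and target."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({
                "hive": m.group("hive"),
                "name": m.group("name"),
                "command": m.group("cmd"),
                "target": target_of(m.group("cmd")),
            })
    return entries


def suspicious_entries(text):
    """Flag per-user (HKCU) Run values whose target lives in the system directory.

    Software that installs into system32 normally registers its autostart
    machine-wide (HKLM); a per-user autostart pointing into system32 is the
    pattern that stood out in this log. The result is a review list, not a verdict.
    """
    flagged = []
    for entry in parse_o4(text):
        target = entry["target"].lower()
        if entry["hive"].upper() == "HKCU" and "\\system32\\" in target:
            entry["reason"] = "per-user Run key pointing into system32"
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_O4):
        print(f"[{e['name']}] {e['target']} -> {e['reason']}")
```

Run against the sample, the only entry returned is the StrDb value pointing at rgnybank.exe, which is exactly the line the helper asked to fix; the HKLM entries for the NVIDIA, QuickTime, M-Audio and Avira components pass untouched.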

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 11:25 am

Hi Shaba,

Scan report and Hijack log as follows:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 13:59:47
Records in database: 1093196
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
G:\
H:\

Scan statistics:
Files scanned: 146543
Threat name: 9
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:51:28


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\dgdutafs\fmtajwpc.exe.vir Infected: Trojan-Downloader.Win32.Agent.zyd 1
C:\QooBox\Quarantine\C\WINDOWS\services.exe.vir Infected: Backdoor.Win32.Joleee.e 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\C.tmp.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cmprop.dll.vir Infected: Rootkit.Win32.Podnuha.aln 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cmsetac.dll.vir Infected: Rootkit.Win32.Podnuha.aln 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lphc1b8j0erf1.exe.vir Infected: Trojan-Downloader.Win32.Small.aaui 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pphc1b8j0erf1.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\QooBox\Quarantine\catchme2008-08-13_164248.56.zip Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\QooBox\Quarantine\catchme2008-08-13_164248.56.zip Infected: Trojan-Spy.Win32.Zbot.dpq 1
C:\WINDOWS\SYSTEM32\sxmg4.dll Infected: Trojan-Downloader.Win32.FraudLoad.vaun 1
H:\Maxtor backup\DCTYZ921\C\Documents and Settings\Mike & Sharon\xxy_bbvx.exe Infected: Trojan-PSW.Win32.Papras.ak 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:01 PM, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\M-Audio\JamLab\JamLabInst.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\msg32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EW Message Server] msg32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JamLab Installer (JamLabInstallerService) - M-Audio - C:\Program Files\M-Audio\JamLab\JamLabInst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4984 bytes
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 11:37 am

Delete these:

C:\WINDOWS\SYSTEM32\sxmg4.dll
H:\Maxtor backup\DCTYZ921\C\Documents and Settings\Mike & Sharon\xxy_bbvx.exe

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin.

Still problems?
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
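Most of the Kaspersky hits in the report above sit under C:\QooBox\Quarantine, which is where ComboFix keeps the files it already removed, so the helper only lists the two live files for deletion and has the quarantine folder emptied once. The script below is an added example that reproduces that triage; it is not part of the thread and not code from Kaspersky or ComboFix. It assumes the "<path> Infected: <threat> <count>" line layout seen in the report, and the sample lines are copied from the report purely as test input.

```python
import re

# Constructed sample: the detection lines from the Kaspersky Online Scanner
# report posted in this thread, reproduced here only as test input.
KASPERSKY_HITS = r"""
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\dgdutafs\fmtajwpc.exe.vir Infected: Trojan-Downloader.Win32.Agent.zyd 1
C:\QooBox\Quarantine\C\WINDOWS\services.exe.vir Infected: Backdoor.Win32.Joleee.e 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\C.tmp.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cmprop.dll.vir Infected: Rootkit.Win32.Podnuha.aln 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cmsetac.dll.vir Infected: Rootkit.Win32.Podnuha.aln 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lphc1b8j0erf1.exe.vir Infected: Trojan-Downloader.Win32.Small.aaui 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pphc1b8j0erf1.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\QooBox\Quarantine\catchme2008-08-13_164248.56.zip Infected: Trojan-Downloader.Win32.Mutant.aim 1
C:\QooBox\Quarantine\catchme2008-08-13_164248.56.zip Infected: Trojan-Spy.Win32.Zbot.dpq 1
C:\WINDOWS\SYSTEM32\sxmg4.dll Infected: Trojan-Downloader.Win32.FraudLoad.vaun 1
H:\Maxtor backup\DCTYZ921\C\Documents and Settings\Mike & Sharon\xxy_bbvx.exe Infected: Trojan-PSW.Win32.Papras.ak 1
"""

# Report line layout: "<path> Infected: <threat name> <count>"
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# ComboFix keeps the copies it removed under this folder (the QooBox paths in
# the report); matching is case-insensitive because NTFS paths are.
QUARANTINE_DIR = "C:\\QooBox\\Quarantine\\"


def parse_hits(text):
    """Return one dict per detection line: path, threat name, count."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "threat": m.group("threat"),
                         "count": int(m.group("count"))})
    return hits


def triage(text):
    """Split hits into copies already in ComboFix's quarantine and files still live.

    Quarantined copies are inert and are dealt with by emptying the folder once;
    live hits each need their own removal. Paths are deduplicated because one
    archive can appear once per threat found inside it.
    """
    quarantined, live = [], []
    seen = set()
    for hit in parse_hits(text):
        key = hit["path"].lower()
        if key in seen:
            continue
        seen.add(key)
        if key.startswith(QUARANTINE_DIR.lower()):
            quarantined.append(hit)
        else:
            live.append(hit)
    return {"quarantined": quarantined, "live": live}


def cleanup_actions(text):
    """Ordered removal list: each live file, then the quarantine folder once."""
    t = triage(text)
    actions = [f"delete {h['path']}" for h in t["live"]]
    if t["quarantined"]:
        actions.append(f"empty folder {QUARANTINE_DIR}")
    return actions


def hits_on_other_volumes(text):
    """Live hits outside C:, e.g. an infected file carried into a backup set."""
    return [h for h in triage(text)["live"]
            if not h["path"].upper().startswith("C:\\")]


if __name__ == "__main__":
    for action in cleanup_actions(KASPERSKY_HITS):
        print(action)
```

The second live hit is worth the separate check in hits_on_other_volumes: it sits on the H: drive inside a Maxtor backup set, so the backup job had already copied the infected file out of the user profile. Restoring from that backup later would bring the infection back, which is why a helper deletes it rather than leaving the external drive alone.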

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 11:46 am

Hi Shaba,

Everything seems to be fine except that during the infection the desktop has been changed to a bright red color with a message box in the center saying ....Do you think you are in safety? Are you sure? Then there are a couple of links to press. How can I get rid of this?

Thanks
snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 12:03 pm

Have you tried to go to Control Panel - Display and change wallpaper?
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 12:08 pm

That did the trick!...I wasn't sure if I should touch anything...lol.

Everything seems to work great, thanks to you, Shaba.
You folks do wonderful work. I'll be sending along a payment for sure!

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 14th, 2008, 12:41 pm

Great :)

Feel free to delete warning wallpaper.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (uncheck "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage" during installation)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Another computer, another malware (hijack log included)

Post by snauss » August 14th, 2008, 12:48 pm

Thanks again, Shaba!
I'll follow your instructions to the "T".

Regards!

snauss
snauss
Regular Member
 
Posts: 31
Joined: July 30th, 2008, 12:44 pm

Re: Another computer, another malware (hijack log included)

Post by Shaba » August 15th, 2008, 2:41 am

snauss this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
