I have 3 trojans and a registry problem


Post by Eurocab » February 13th, 2009, 3:18 pm

I had a multitude of problems on Monday. I used Spybot to try to remove the issues, but things got worse. I ended up having to use the recover program to get the computer back up and running. After the recovery I still had several trojans, malware, spyware, etc. I ran Spybot and rebooted the computer multiple times and have now finally got it down to only 3 Trojans (2 - Win32.Delf.uc & 1 Win32.Joleee.K) & 2 security entries, Firewall Override and Security Center disabled. I also have a problem with the printer server spool at startup. I haven't tried to use the printer yet, but I guess it is disabled at the moment. I need some help. Thanks. My Logfile follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:50 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\services.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\HP_Owner\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Owner\klk.exe \s
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKCU\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [fprbalrb.exe] C:\WINDOWS\fprbalrb.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlejsupq.exe] C:\WINDOWS\xlejsupq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [lfsblghu.exe] C:\WINDOWS\lfsblghu.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [fprbalrb.exe] C:\WINDOWS\fprbalrb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8278 bytes
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm
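As an added example (not part of this thread and not HijackThis code), a small Python triage of the O4 autorun lines and the F2 UserInit line in a log like the one above. Its three checks are this example's own assumptions about a stock Windows XP install, stated in the comments; the sample lines are copied from the log posted above plus two clean entries.

```python
"""Triage of HijackThis 2.x autorun lines (O4) and the UserInit chain (F2).

Added example, not part of the forum thread or of HijackThis itself. The
three checks below are this example's own assumptions about a stock
Windows XP install, not HijackThis rules: they cover the patterns visible
in this thread's logs but are heuristics, so a clean result proves nothing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O4 lines: "O4 - <key>: [<name>] <command> (User '<account>')" (user part optional).
O4_RE = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$"
)
# F2 UserInit line: a comma-separated chain of programs run at every logon.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<chain>.+)$")

# Assumption: a legitimate XP autorun does not start from the drive root,
# the %SystemRoot% root, its temp folder, or the root of a user profile.
ODD_DIRS = {"c:", r"c:\windows", r"c:\windows\temp"}
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")

# Assumption: these core process names live only at one path and are never
# legitimately registered as Run-key entries.
CORE_PATHS = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis line that triggered the check
    reason: str  # why it was flagged


def exe_path(cmd: str) -> str:
    """Executable launched by a Run-key command, lower-cased, without arguments."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.exe)\b", cmd, re.I)
    return (m.group(1) if m else cmd).lower()


def odd_location(path: str) -> bool:
    """True when the executable's directory is one an XP autorun should not use."""
    directory = path.rpartition("\\")[0]
    return directory in ODD_DIRS or bool(PROFILE_ROOT_RE.match(directory))


def check_autorun(key: str, cmd: str) -> list[str]:
    path = exe_path(cmd)
    base = path.rpartition("\\")[2]
    reasons = []
    if odd_location(path):
        reasons.append(f"autorun starts from an unusual directory: {path}")
    if base in CORE_PATHS:
        reasons.append(f"{base} is a core process name; it belongs only at "
                       f"{CORE_PATHS[base]} and never in a Run key")
    if "policies\\explorer\\run" in key.lower():
        reasons.append("registered under Policies\\Explorer\\Run, "
                       "a key legitimate software rarely uses (heuristic)")
    return reasons


def check_userinit(chain: str) -> list[str]:
    # The stock chain is a single entry; every additional one runs at each logon.
    entries = [e.strip() for e in chain.split(",") if e.strip()]
    return [f"UserInit chain launches an extra program at logon: {e}"
            for e in entries if exe_path(e) != STOCK_USERINIT]


def triage(log_text: str) -> list[Finding]:
    """Run the checks over every O4/F2 line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            findings += [Finding(line, r) for r in check_autorun(m["key"], m["cmd"])]
        elif m := F2_RE.match(line):
            findings += [Finding(line, r) for r in check_userinit(m["chain"])]
    return findings


# Constructed sample: lines copied from the first log in this thread, plus
# the HPBootOp and ctfmon entries, which the checks should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Owner\klk.exe \s
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [fprbalrb.exe] C:\WINDOWS\fprbalrb.exe (User 'SYSTEM')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Note that the `reader_s.exe` copy in System32 passes every check because its directory is legitimate, which is why the helpers in this thread research each entry rather than relying on path rules alone.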

Re: I have 3 trojans and a registry problem

Post by Bv202 » February 14th, 2009, 5:45 am

Hi Eurocab

Welcome to Malware Removal!
My name is Bjorn, known as Bv202 on this forum, and I'll be happy to assist you with all the malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • Please always try to reply within 5 days. If you know you won't be able to reply for any reason, please tell me so we don't close your thread.
  • As I'm still in training here at Malware Removal, all my posts need to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: I have 3 trojans and a registry problem

Post by Eurocab » February 14th, 2009, 11:30 am

Thanks for your response Bjorn. Since I first reported the problems to the forum, my computer crashed again and I had to recover as the restore points weren't functioning properly. I am responding to you from a different internet connection and computer as the infected computer is a bit unstable. Here is the new scan from HT followed by the uninstall log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:52 AM, on 2/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\HP_Owner\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN5.tmp
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\HP_Owner\sijmdb.exe \s
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [vxvarubn.exe] C:\WINDOWS\vxvarubn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdlmtanr.exe] C:\WINDOWS\hdlmtanr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rvhcdrxn.exe] C:\WINDOWS\rvhcdrxn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [vxvarubn.exe] C:\WINDOWS\vxvarubn.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7137 bytes


I followed your instructions and here are the results of the uninstall:

Agere Systems PCI Soft Modem
ATI Control Panel
ATI Display Driver
Final Drive Nitro from Hewlett-Packard Desktops (remove only)
Help and Support Additions
HijackThis 2.0.2
HP Boot Optimizer
HP Deskjet Printer Preload
HP Image Zone 4.8.6
HP Image Zone Plus 4.8.6
HP Organize
HP Photosmart Cameras 4.5
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
KBD
Lexibox Deluxe from Hewlett-Packard Desktops (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
muvee autoProducer 4.0
PC-Doctor for Windows
Phoenix Assault from Hewlett-Packard Desktops (remove only)
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Remove WeatherBug installer
Shooting Stars Pool from Hewlett-Packard Desktops (remove only)
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Updates from HP
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781


Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Post by Bv202 » February 16th, 2009, 3:00 pm

Hi Eurocab

I'm afraid I have unpleasant news for you. :(
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: I have 3 trojans and a registry problem

Post by Eurocab » February 16th, 2009, 8:53 pm

Bjorn,

Thanks for your response. I am not happy to hear that it appears that this is an untenable situation. Fortunately, this computer was used solely for the internet. My computer that has personal and private information on it has been offline for a couple of years. I decided to get another computer after realizing that my main computer was feeding packets of information to the internet for no apparent reason. I became paranoid and bought another PC to be used exclusively for the internet. The infected computer was used by a friend to access free movie sites and to make phone calls to Germany. The problems didn't surface until a few weeks ago, when the Windows update shield would appear to get you to update to Service Pack 3. Then the computer would crash. My friend went directly to recover instead of restoring, which caused a lot of stress. Later I showed him how to restore the computer to a previous restoration point.

The infected computer has been working behind a hardware firewall forever. I would really like to try to bring it back to life. Please advise.
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Post by Bv202 » February 17th, 2009, 12:54 pm

Hi Eurocab

Ok, in that case, please follow these instructions :)

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: I have 3 trojans and a registry problem

Post by Eurocab » February 17th, 2009, 6:18 pm

Bjorn,

Attached is the Combofix log followed by the new HJT log:

ComboFix 09-02-15.01 - HP_Owner 2009-02-17 16:50:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.667 [GMT -5:00]
Running from: K:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\reader_s.exe
c:\program files\system\smss.exe
c:\program files\system\smss.exe.assembly
c:\windows\IE4 Error Log.txt
c:\windows\system32\3.tmp
c:\windows\system32\5.tmp
c:\windows\system32\8.tmp
c:\windows\system32\9.tmp
c:\windows\system32\C.tmp
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\E.tmp
c:\windows\system32\reader_s.exe
D:\Autorun.inf

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-17 16:20 . 2005-02-24 22:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-02-14 14:31 . 2009-02-14 14:31 163,812 --a------ c:\windows\system32\2D.tmp
2009-02-14 14:31 . 2009-02-14 14:31 132 --a------ c:\windows\system32\2C.tmp
2009-02-14 14:12 . 2009-02-14 14:12 249,856 --a------ c:\windows\system32\pdfmona.dll
2009-02-14 14:12 . 2009-02-14 14:12 51,716 --a------ c:\windows\system32\pdf995mon.dll
2009-02-14 14:09 . 2009-02-14 14:12 163,812 --a------ c:\windows\system32\17.tmp
2009-02-14 14:09 . 2009-02-14 14:09 132 --a------ c:\windows\system32\16.tmp
2009-02-14 14:07 . 2009-02-14 14:08 110,080 --------- c:\windows\system32\58.tmp
2009-02-14 14:07 . 2009-02-14 14:07 0 --a------ c:\windows\system32\57.tmp
2009-02-14 14:04 . 2009-02-14 14:07 163,812 --a------ c:\windows\system32\56.tmp
2009-02-14 14:04 . 2009-02-14 14:04 132 --a------ c:\windows\system32\55.tmp
2009-02-14 13:26 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-02-14 13:26 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-02-14 13:26 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-14 13:22 . 2009-02-14 13:25 162,916 --a------ c:\windows\system32\15.tmp
2009-02-14 13:22 . 2009-02-14 13:22 132 --a------ c:\windows\system32\14.tmp
2009-02-14 13:17 . 2009-02-14 13:20 162,916 --a------ c:\windows\system32\13.tmp
2009-02-14 13:17 . 2009-02-14 13:17 132 --a------ c:\windows\system32\6.tmp
2009-02-14 11:41 . 2009-02-14 11:41 164,292 --a------ c:\windows\system32\22.tmp
2009-02-14 11:41 . 2009-02-14 11:41 132 --a------ c:\windows\system32\21.tmp
2009-02-14 11:27 . 2009-02-14 11:30 164,292 --a------ c:\windows\system32\12.tmp
2009-02-14 11:27 . 2009-02-14 11:27 132 --a------ c:\windows\system32\11.tmp
2009-02-14 11:23 . 2009-02-14 11:25 164,292 --a------ c:\windows\system32\10.tmp
2009-02-14 11:23 . 2009-02-14 11:23 132 --a------ c:\windows\system32\F.tmp
2009-02-14 10:30 . 2009-02-14 09:51 94,208 --a------ c:\windows\DUMP757e.tmp
2009-02-14 10:30 . 2009-02-14 15:47 94,208 --a------ c:\windows\DUMP6e0b.tmp
2009-02-14 10:30 . 2009-02-14 10:07 94,208 --a------ c:\windows\DUMP5beb.tmp
2009-02-14 10:12 . 2009-02-14 10:12 132 --a------ c:\windows\system32\D.tmp
2009-02-14 10:08 . 2009-02-14 10:24 <DIR> dr-hs---- c:\windows\system32\dllcache
2009-02-14 10:03 . 2009-02-14 10:03 <DIR> d-------- c:\program files\Trend Micro
2009-02-14 09:52 . 2009-02-14 09:52 132 --a------ c:\windows\system32\4.tmp
2009-02-14 09:52 . 2009-02-14 09:52 0 --a------ c:\windows\system32\B.tmp
2009-02-14 09:47 . 2009-02-14 09:47 132 --a------ c:\windows\system32\2.tmp
2009-02-14 09:24 . 2009-02-14 09:24 132 --a------ c:\windows\system32\7.tmp
2009-02-14 09:24 . 2009-02-14 09:24 0 --a------ c:\windows\system32\A.tmp
2009-02-14 08:52 . 2009-02-14 08:52 163,396 --a------ c:\windows\system32\91.tmp
2009-02-14 08:52 . 2009-02-14 08:52 31,744 --ah----- c:\documents and settings\HP_Owner\sijmdb.exe
2009-02-14 08:52 . 2009-02-14 08:52 132 --a------ c:\windows\system32\90.tmp
2009-02-14 08:50 . 2009-02-14 14:07 137,952 --a------ c:\windows\system32\drivers\ethrytcl.sys
2009-02-14 08:50 . 2009-02-14 08:52 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-14 08:50 . 2009-02-14 08:50 11,264 --ah----- c:\documents and settings\HP_Owner\sblwjsh.exe
2009-02-14 08:48 . 2004-08-04 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-14 08:48 . 2009-02-14 08:50 163,396 --a------ c:\windows\system32\80.tmp
2009-02-14 08:48 . 2009-02-14 08:48 1,838 -rahs---- c:\windows\system32\drivers\103C_HP_CPC_PX748AA-ABA A1114N_YC_0Pavi_QMXK533_E53NAheBLU3_47_IALBACORE_SMSI_V1.0_B3.31_T050801_WXH2_L409_M959_J160_7AMD_8Athlon 64_92.19_#050910_N10EC8139_Z11C1048C_G10025954.MRK
2009-02-14 08:47 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\HP_Owner\WINDOWS
2009-02-14 08:47 . 2009-02-14 08:49 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Symantec
2009-02-14 08:47 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\SampleView
2009-02-14 08:47 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\InterMute
2009-02-14 08:47 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-02-14 08:47 . 2009-02-17 16:52 <DIR> d-------- c:\documents and settings\HP_Owner
2009-02-14 08:47 . 2009-02-14 08:48 132 --a------ c:\windows\system32\7F.tmp
2009-02-14 08:45 . 2005-06-16 21:45 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2009-02-14 08:45 . 2005-06-16 22:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-02-14 08:45 . 2005-06-16 21:58 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-02-14 08:45 . 2005-06-16 22:03 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\InterMute
2009-02-14 08:45 . 2005-06-16 21:45 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2009-02-14 08:44 . 2009-02-14 08:44 81,853 --a------ c:\windows\system32\C5.tmp
2009-02-14 08:44 . 2009-02-14 08:44 132 --a------ c:\windows\system32\C4.tmp
2009-02-13 23:23 . 2009-02-14 13:33 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\mjusbsp
2009-02-12 12:14 . 2009-02-12 12:14 <DIR> d-------- c:\program files\Opera
2009-02-12 12:14 . 2009-02-12 12:14 55,809 --a------ c:\windows\services.ex_
2009-02-12 10:47 . 2009-02-12 10:47 32,256 --ah----- c:\documents and settings\HP_Owner\klk.exe
2009-02-12 10:15 . 2009-02-12 10:15 11,264 --ah----- c:\documents and settings\HP_Owner\gcfa.exe
2009-02-12 09:17 . 2009-02-12 09:17 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-12 09:17 . 2009-02-12 09:17 1,409 --a------ c:\windows\QTFont.for
2009-02-12 08:59 . 2009-02-12 08:59 <DIR> d-------- c:\program files\Plaxo
2009-02-12 08:46 . 2009-02-12 12:11 94,208 --a------ c:\windows\DUMP7dbb.tmp
2009-02-12 07:45 . 2009-02-12 07:45 32,256 --ah----- c:\documents and settings\HP_Owner\xhkgeki.exe
2009-02-12 07:28 . 2009-02-12 07:28 6 --a------ c:\windows\_id.dat
2009-02-12 07:11 . 2009-02-12 07:11 11,264 --ah----- c:\documents and settings\HP_Owner\clj.exe
2009-02-12 07:09 . 2009-02-12 07:09 32,256 --ah----- c:\documents and settings\HP_Owner\rus.exe
2009-02-12 07:09 . 2009-02-12 11:52 130 --a------ c:\windows\adobe.bat
2009-02-10 18:05 . 2009-02-10 18:05 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\PC Tools
2009-02-10 17:42 . 2009-02-10 17:42 32,256 --ah----- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\vjwrq.exe
2009-02-10 17:32 . 2009-02-10 17:32 32,256 --ah----- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\eouq.exe
2009-02-10 15:18 . 2009-02-10 15:18 398,340 --a------ c:\windows\sysguard.exe
2009-02-10 15:17 . 2009-02-17 16:50 <DIR> d-------- c:\program files\system
2009-02-10 15:17 . 2009-02-10 15:17 102,912 --a------ C:\wskrote.exe
2009-02-10 15:17 . 2009-02-10 15:17 39,936 --a------ C:\xxweksc.exe
2009-02-10 15:17 . 2009-02-10 15:17 28,672 --a------ C:\jxnx.exe
2009-02-10 15:17 . 2009-02-10 15:17 22,016 --a------ C:\jwfmld.exe
2009-02-10 15:17 . 2009-02-10 15:17 2 --a------ C:\-589827600
2009-02-09 23:09 . 2009-02-09 23:09 <DIR> d-------- c:\temp\sTMP3
2009-02-06 20:39 . 2009-02-07 21:24 <DIR> d-------- c:\program files\LimeWire
2009-02-06 20:39 . 2009-02-07 21:34 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\LimeWire
2009-02-05 13:35 . 2009-02-05 13:35 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\OpenOffice.org
2009-02-05 13:33 . 2009-02-05 13:33 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-05 13:33 . 2009-02-05 13:33 <DIR> d-------- c:\program files\JRE
2009-02-03 12:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\AdobeUM
2009-02-03 10:47 . 2009-02-03 10:47 <DIR> d---s---- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\UserData
2009-01-31 08:41 . 2009-01-31 08:46 <DIR> d-------- c:\program files\MSECache
2009-01-28 15:32 . 2009-01-28 15:32 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\PC Tools
2009-01-28 15:26 . 2009-02-10 17:11 929 --a------ c:\windows\wininit.ini
2009-01-28 14:56 . 2009-01-28 14:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-28 14:56 . 2009-01-28 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 12:11 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\Administrator.YOUR-F78BF48CE2\Application Data\InterMute
2009-01-28 12:11 . 2009-01-28 12:16 <DIR> d---s---- c:\documents and settings\Administrator.YOUR-F78BF48CE2
2009-01-26 15:28 . 2009-02-10 17:27 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\skypePM
2009-01-26 15:06 . 2009-02-10 17:27 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Skype
2009-01-26 12:08 . 2009-01-26 12:08 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Yahoo!
2009-01-26 12:06 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\InterMute
2009-01-26 12:06 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Apple Computer
2009-01-26 12:05 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\WINDOWS
2009-01-26 12:05 . 2005-06-16 22:06 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\Symantec
2009-01-26 12:05 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2\Application Data\SampleView
2009-01-26 12:05 . 2009-02-03 11:43 <DIR> d-------- c:\documents and settings\Rick Adams.YOUR-F78BF48CE2
2009-01-26 11:46 . 2009-01-26 11:46 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Microsoft Web Folders
2009-01-26 11:34 . 2009-01-26 11:34 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Yahoo!
2009-01-26 11:31 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\WINDOWS
2009-01-26 11:31 . 2005-06-16 22:06 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Symantec
2009-01-26 11:31 . 2005-06-16 21:58 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\SampleView
2009-01-26 11:31 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\InterMute
2009-01-26 11:31 . 2005-06-16 21:45 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Application Data\Apple Computer
2009-01-26 11:31 . 2009-02-10 17:42 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001
2009-01-26 08:54 . 2009-02-14 10:22 <DIR> dr-h----- C:\MSOCache
2009-01-26 08:41 . 2009-01-26 08:41 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\skypePM
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005144_.tmp
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005126_.tmp
2009-01-26 08:25 . 2006-12-28 14:01 19,569 --a------ c:\windows\005099_.tmp
2009-01-26 08:18 . 2009-01-26 11:19 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\Skype
2009-01-26 08:04 . 2005-06-16 22:03 <DIR> d-------- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000\Application Data\InterMute
2009-01-26 08:04 . 2009-01-26 11:19 <DIR> d---s---- c:\documents and settings\John Dawe.YOUR-F78BF48CE2.000
2009-01-25 10:41 . 2009-01-25 10:41 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\PC Tools
2009-01-25 10:40 . 2009-02-11 12:13 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-01-25 10:40 . 2009-01-25 10:40 <DIR> d-------- c:\program files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 14:16 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-14 14:16 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-14 14:03 --------- d-----w c:\program files\Easy Internet signup
2009-02-14 13:51 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-11 16:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-30 23:45 --------- d-----w c:\program files\CIF USB Camera
2009-01-26 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-26 11:36 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Skype
2009-01-26 09:45 --------- d-----w c:\documents and settings\HP_Owner\Application Data\skypePM
2008-12-26 17:47 --------- d-----w c:\documents and settings\HP_Owner\Application Data\ArcSoft
2008-12-26 08:16 --------- d-----w c:\documents and settings\HP_Owner\Application Data\OpenOffice.org2
2008-12-26 01:11 --------- d-----w c:\program files\Common Files\ArcSoft
2008-12-26 01:11 --------- d-----w c:\program files\ArcSoft
2008-12-18 15:50 --------- d-----w c:\documents and settings\Rick Adams\Application Data\Yahoo!
2008-12-05 03:55 307,560 ----a-w c:\windows\WLXPGSS.SCR
2006-09-07 15:48 0 ----a-w c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2008-08-06 16:46 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-10-01 18:00 22 --sha-w c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

2004-08-04 07:00 31232 6183fc0148105ae1a313fe9df9c6928a c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31232 54168357cb39cc00036bc885b1d8e5bc c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31232 1be984f0062ddffd1aff4ee3ff2fa096 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2008-04-13 19:12 31744 a745a8367019b8463034b5fc4a94e0e0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
2004-08-04 07:00 31232 02ca9d38c2e1787e266ca3e4577d8620 c:\windows\system32\svchost.exe
2004-08-04 07:00 31232 93e2e44f9ba702a134cd2e0c95a5bc9e c:\windows\system32\dllcache\svchost.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
2008-04-13 14:20 182656 558635d3af1c7546d26067d5d9b6959e c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
2009-02-14 08:51 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-02-14 08:51 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2004-08-04 07:00 1049088 342d471bccb7983bd25a13f8842b43b0 c:\windows\explorer.exe
2007-06-13 06:26 1050112 18960d42702f2894584ee571036a58d6 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1049088 5c450e3c7e2c9f733f15d5f70889e5c0 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 07:00 1049088 e6661d51e826e65dedfde85dcef58a08 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 0d2bfd313fc65abdf876a7391598ae73 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 05:23 1050112 4b8188534d07519917b2ca6b142551e0 c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2008-04-13 19:12 1050624 2df9fcf31cd9d41da77d54cd36c7ee74 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2008-04-13 19:12 1051136 8c8f4369952f2efbd96ad6d1a664a7d2 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
2004-08-04 07:00 1049088 0b4b9d9a53817494cb7678ff22a5eea1 c:\windows\system32\dllcache\explorer.exe

2004-08-04 07:00 32256 d83607d2345fe060882545fbbbdf03fb c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32256 c8d8e34a940137f5eec1867ae75d9e9d c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 306d729049035067f580f8d5e82edca9 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
2008-04-13 19:12 32256 6f492095dbfd0cf6f13abf8cf1fbd822 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
2004-08-04 07:00 32256 2f79d6e72c7ab910cadf0db6ffa9cd29 c:\windows\system32\ctfmon.exe
2004-08-04 07:00 32256 bce9cd27ec6af9fd5604142d4afe0c97 c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 19:17 74752 7ad5bb52bab89eaac15864a619c3d088 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 74752 a47e01f14e9e3584dfbab8f80b3928f8 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 07:00 74752 553733ffddac9569c3ba8bf72da0f125 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 74752 57897baef071bdb8832c57213901517b c:\windows\ServicePackFiles\i386\spoolsv.exe
2005-06-10 18:53 74752 c8f7757bb8e8932cd707c51a1a92255b c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2008-04-13 19:12 75264 4bac22b4e73729c624d6f3b756b46697 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2008-04-13 19:12 74752 35bccb51631de691040eb70ebd5b9a76 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
2004-08-04 07:00 74752 0ce931be31cf9a5032b28186d750df51 c:\windows\system32\spoolsv.exe
2004-08-04 07:00 74752 c3d5a917640f6fd863c122af05bce3ed c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 07:00 41984 d8d14a52e8371755d902087b3f82a140 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 05a5a28fd586596df5698c9ff98182e4 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 6a12ab42e4352222a0e128c465357491 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
2008-04-13 19:12 43520 97ef782b9d5f1f6a7d4e175cd146c260 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
2004-08-04 07:00 41472 45b3202c32e32f482f2cb40a9d678d62 c:\windows\system32\userinit.exe
2004-08-04 07:00 41472 fb0b3f0d4c68bd52bd45a28abfd776c8 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]
"cdloader"="c:\documents and settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 266240]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 360448]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-16 200749]

c:\documents and settings\John Dawe.YOUR-F78BF48CE2.001\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 400896]

c:\documents and settings\John Dawe\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 86068]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-16 65536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrrywtmw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\mjusbsp\\magicJack.exe"=

S0 rrrywtmw;rrrywtmw;c:\windows\system32\Drivers\rrrywtmw.sys --> c:\windows\system32\Drivers\rrrywtmw.sys [?]
S1 ethrytcl;ethrytcl;c:\windows\system32\drivers\ethrytcl.sys [2009-02-14 137952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\autorun.exe
\Shell\phone\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8b8c2d8-fac4-11dd-a0a2-0013d34fbf57}]
\Shell\AutoRun\command - K:\autorun.exe
\Shell\phone\command - K:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-reader_s - c:\documents and settings\HP_Owner\reader_s.exe
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
HKU-Default-Run-vxvarubn.exe - c:\windows\vxvarubn.exe
HKU-Default-Run-reader_s - c:\documents and settings\HP_Owner\reader_s.exe
HKU-Default-Run-hdlmtanr.exe - c:\windows\hdlmtanr.exe
HKU-Default-Run-rvhcdrxn.exe - c:\windows\rvhcdrxn.exe
HKU-Default-Run-xlpjwnze.exe - c:\windows\xlpjwnze.exe
HKU-Default-Run-nttlrfop.exe - c:\windows\nttlrfop.exe
HKU-Default-Run-dbhgyskc.exe - c:\windows\dbhgyskc.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 17:04:23
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-17 17:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 22:10:02

Pre-Run: 111,326,265,344 bytes free
Post-Run: 114,131,853,312 bytes free

317

***********************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:45 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\explorer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\HP_Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5372 bytes
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Unread postby Bv202 » February 18th, 2009, 4:09 pm

Hi Eurocab

Before we begin cleaning, I need to warn you about something:
After looking at your logs, it seems the computer is badly infected. It can be cleaned and in most cases it is without problems, but with this many infections, there is always a chance you'll need to re-install your whole computer. Don't worry, most likely this won't happen, but I suggest you back up your important files.

Let's begin with the cleaning now :)

FileFind
Download FileFind by Atribune and unzip it to your Desktop.
  • Double click on FileFind.exe to open the programme.
  • Enter userinit.exe into the File: box.
  • Click on the Search button.
  • After a while a list of file locations will appear in the List of Files: box.
  • Click on the Export button.

This will create a Notepad file named Export.txt located in the C:\ folder, copy and paste it to your next post please.

Repeat these steps for the following files:
svchost.exe
spoolsv.exe
explorer.exe
ndis.sys
ctfmon.exe

(so enter all these files in the File: box and post all the results in your next reply.)
Please note that each time you click the export button, the export.txt will be overwritten. So please copy the results each time you have the log and save it somewhere else.


Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
c:\windows\system32\drivers\ndis.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat these steps for this path:
c:\windows\system32\ctfmon.exe



Do you have the windows cd available? There is a small chance we may need it here.

Lastly, where did you run CF from? I can see this in your log:
Running from: K:\ComboFix.exe

What is K:\? Is it a second hard drive/partition?


In your next reply, please post:
1) The logs from FileFind (you should have 6 of them)
2) The jotti results (from the 2 files)
3) Tell me if you have the Windows cd
4) Please answer the question about where ComboFix is run from.

Thanks :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
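The FileFind and Sigcheck steps above boil down to one check: find every copy of a protected system file, hash it, and see which copies disagree. The script below is an added example, not code from the forum, FileFind or ComboFix. It walks a directory tree, collects the six file names Bv202 asks about, and reports copies whose size or MD5 differ from the copy in a reference directory. The choice of `dllcache` as the reference is an assumption for this example (on a badly infected machine that copy can be modified too, so a mismatch proves disagreement, not which side is clean), and the fixture in `build_sample_tree` is constructed, not the poster's machine.

```python
"""Find and hash every copy of selected Windows system files and flag
copies that differ from the reference copy (added example, not the
forum's or any named tool's code)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# File names the helper asks FileFind to locate; Sigcheck hashes the same set.
WATCHED = {"userinit.exe", "svchost.exe", "spoolsv.exe",
           "explorer.exe", "ndis.sys", "ctfmon.exe"}

# Assumption for this example: the copy under a 'dllcache' directory is the
# reference. Any copy can be tampered with, so treat results as leads.
REFERENCE_MARKER = "dllcache"


def file_md5(path, chunk=65536):
    """MD5 of a file (the digest Sigcheck prints), read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_reference(path):
    """True if a path component equals REFERENCE_MARKER (case-insensitive,
    accepts both \\ and / so Windows-style paths work anywhere)."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return REFERENCE_MARKER in parts


def find_copies(root):
    """Walk root; return {basename: [(path, size, md5), ...]} for WATCHED names."""
    copies = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in WATCHED:
                full = os.path.join(dirpath, name)
                copies[name.lower()].append(
                    (full, os.path.getsize(full), file_md5(full)))
    return dict(copies)


def flag_mismatches(copies):
    """Return {basename: [paths whose size or hash differs from the reference]}.
    Files with no reference copy are skipped: there is nothing to compare."""
    suspects = {}
    for name, entries in copies.items():
        refs = [e for e in entries if is_reference(e[0])]
        if not refs:
            continue
        _, ref_size, ref_md5 = refs[0]
        bad = [p for p, size, md5 in entries
               if not is_reference(p) and (size != ref_size or md5 != ref_md5)]
        if bad:
            suspects[name] = sorted(bad)
    return suspects


def build_sample_tree(root):
    """Constructed fixture: clean dllcache copies, an identical ndis.sys under
    drivers, and a system32 ctfmon.exe with bytes appended (the way a file
    infector grows a PE image)."""
    clean = b"MZ" + b"\x00" * 300
    layout = {
        ("system32", "dllcache", "ctfmon.exe"): clean,
        ("system32", "ctfmon.exe"): clean + b"\x90" * 64,
        ("system32", "dllcache", "ndis.sys"): clean,
        ("system32", "drivers", "ndis.sys"): clean,
    }
    for parts, data in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Run the check over the constructed tree; paths are made relative and
    slash-normalised so the result is stable across platforms."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        suspects = flag_mismatches(find_copies(root))
        return {name: [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
                for name, paths in suspects.items()}


if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, "differs from its dllcache copy in:", ", ".join(paths))
```

A mismatch is a reason to submit the file for a multi-engine scan, as the helper does with Jotti, not a verdict on its own: a hotfix that updated only the live copy also produces a size and hash difference, and on an infected machine the reference copy may have been altered as well.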

Re: I have 3 trojans and a registry problem

Unread postby Eurocab » February 19th, 2009, 5:09 am

Okay here we go. The results of the six files follow:

C:\WINDOWS\$NtServicePackUninstall$\userinit.exe - 41984 Bytes
C:\WINDOWS\ServicePackFiles\i386\userinit.exe - 43008 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe - 43008 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe - 43520 Bytes
C:\WINDOWS\system32\userinit.exe - 41472 Bytes
C:\WINDOWS\system32\dllcache\userinit.exe - 41472 Bytes

***************************************************


C:\WINDOWS\$NtServicePackUninstall$\svchost.exe - 31232 Bytes
C:\WINDOWS\ServicePackFiles\i386\svchost.exe - 31232 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe - 31232 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe - 31744 Bytes
C:\WINDOWS\system32\svchost.exe - 31232 Bytes
C:\WINDOWS\system32\dllcache\svchost.exe - 31232 Bytes

*****************************************************

C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe - 74752 Bytes
C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe - 74752 Bytes
C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe - 74752 Bytes
C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe - 74752 Bytes
C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe - 74752 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe - 75264 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe - 74752 Bytes
C:\WINDOWS\system32\spoolsv.exe - 74752 Bytes
C:\WINDOWS\system32\dllcache\spoolsv.exe - 74752 Bytes

******************************************************

C:\WINDOWS\explorer.exe - 1049088 Bytes
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe - 1050112 Bytes
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe - 1049088 Bytes
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe - 1049088 Bytes
C:\WINDOWS\ServicePackFiles\i386\explorer.exe - 1050624 Bytes
C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe - 1050112 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe - 1050624 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe - 1051136 Bytes
C:\WINDOWS\system32\dllcache\explorer.exe - 1049088 Bytes

*********************************************************

C:\WINDOWS\$NtServicePackUninstall$\ndis.sys - 182912 Bytes
C:\WINDOWS\ServicePackFiles\i386\ndis.sys - 182912 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys - 182912 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys - 182912 Bytes
C:\WINDOWS\system32\dllcache\ndis.sys - 182912 Bytes
C:\WINDOWS\system32\drivers\ndis.sys - 182912 Bytes

***********************************************************

C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe - 32256 Bytes
C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe - 32256 Bytes
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe - 32768 Bytes
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe - 32256 Bytes
C:\WINDOWS\system32\ctfmon.exe - 32256 Bytes
C:\WINDOWS\system32\dllcache\ctfmon.exe - 32256 Bytes

***********************************************************
Now the results from Jotti:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: ndis.sys
Status:
OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 558635d3af1c7546d26067d5d9b6959e
Packers detected:
-
Scanner results
Scan taken on 19 Feb 2009 04:16:06 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


***********************************************************

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File to upload & scan: Virus

Service
Service load:
0% 100%
File: ctfmon.exe
Status:
INFECTED/MALWARE
MD5: 2f79d6e72c7ab910cadf0db6ffa9cd29
Packers detected:
-
Scanner results
Scan taken on 19 Feb 2009 08:03:26 (GMT)
A-Squared
Found nothing
AntiVir
Found W32/Virut.Gen
ArcaVir
Found nothing
Avast
Found Win32:Vitro
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Win32.Virut.56
F-Prot Antivirus
Found W32/Virut.AI!Generic
F-Secure Anti-Virus
Found Virus.Win32.Virut.ce
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Virus.Win32.Virut.ce
NOD32
Found Win32/Virut.NBK
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found W32/Scribble-A
VirusBuster
Found nothing
VBA32
Found Virus.Win32.Virut.X5


*************************************************************


I don't believe I was issued a Windows disc when I purchased the computer. Not sure why they don't give you discs anymore. At any rate, no disc for this computer.

Drive K: is a USB portable drive. I have to use a different computer to download files and communicate. I was able to get the computer up for the virus scan.

I had a very difficult time getting the ndis.sys file scanned. I had to switch browsers in the middle of the scan. IE was acting irrational, so I used Mozilla the second time and it took a couple of hours.
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Unread postby Bv202 » February 20th, 2009, 2:56 pm

Hi Eurocab

I'm afraid I have some very bad news. Your computer seems to be infected with an infection called "Virut" - one of the worst infections you can have on your computer. This infection can infect EVERY .exe, .scr and all related web page extensions (.htm, .html, .asp, .php,...) on your computer. As soon as one file on your whole computer is infected, it can infect every other file. Because of this, it's not possible to clean this computer and the only way to 'clean' it is to reformat. Please do not back up any file on this computer - you may infect your new installation!

I'm sorry, but a reformat is the only way in this case. We can try cleaning, but with this kind of infection, it's nearly impossible and completely pointless to do so. :(


And this is not the only problem here... it seems your flash drive is possibly infected too. I'm sorry, but you need to reformat it. Also, it could be possible every computer where you used the infected flash drive is infected with Virut.


Please perform these steps on another computer (not the badly infected one and not the one where you store your very important files):

Flash_Disinfector
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Now, please reformat the flash drive to make sure everything is gone.

On how many computers did you use the flash drive? It shouldn't be hard to find out if they are infected, but if you used it on a lot of computers...

In your next reply, please tell me on how many other computers you used the flash drives. Do you have access to them? It's very important you don't use them anymore. Don't plug your flash drives into them - it may get re-infected!

Once again, I'm very sorry it ended like this - but there is no other option :(
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: I have 3 trojans and a registry problem

Unread postby Eurocab » February 20th, 2009, 7:48 pm

Bjorn,

Thanks for your help. I hate to reformat, but I guess that is what I have to do. As far as the Travel Drive goes, it has been used on 4 computers as far as I know. With the exception of one, which is totally offline, they are all protected by firewalls and antivirus software. I tried to download the Flash_Disinfector but McAfee detects a Trojan and won't allow it. Should I disable McAfee to allow the "Trojan" in?
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Unread postby Bv202 » February 22nd, 2009, 1:06 pm

Hi Eurocab

Yes, please disable McAfee and try again. Flash Disinfector is NOT a trojan; many AVs detect our tools as "malware". Don't worry, the tool itself is clean.

Let me know once you're done, then we'll start checking the other computers :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: I have 3 trojans and a registry problem

Unread postby Eurocab » February 23rd, 2009, 11:34 am

Bjorn,

Flash_Disinfector ran. I have ordered a restore CD from HP for the sick computer. I guess it will be out of commission for a couple of weeks.

To reformat that computer I go to command prompt and find the c & d drives and type format or is there a better way?
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Re: I have 3 trojans and a registry problem

Unread postby Bv202 » February 24th, 2009, 12:43 pm

Hi Eurocab

Well, trying to reformat your computer while you're in Windows won't work. Here is a useful tutorial on the easiest way to reformat and re-install Windows XP:
Click


Now, we'll check if the other computers are infected. Please perform these steps on all computers you used the flash drive on. I suggest you start with the most important one. Make sure you don't confuse the results (save them per computer so you know which one is from which system):

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
c:\windows\system32\userinit.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat for these files:
c:\windows\system32\cmd.exe
c:\windows\system32\regedit.exe
c:\windows\system32\ctfmon.exe


Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply

Please post the results of the scans in your next reply :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
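The Jotti results pasted in this thread all share one plain-text layout: a "File:" line, a "Status:" line, an "MD5:" line, then each engine's name on one line and its "Found ..." verdict on the next. Below is an added example, not code from this forum, from Jotti or from the helper, that parses that layout into per-file summaries, counts how many engines flagged each file, picks the family name the vendors most agree on, and lists filenames whose MD5 differs between machines, which is what comparing the sick computer against Computer "A" amounts to. The sample reports are excerpts of the ctfmon.exe results posted in this thread; GENERIC_TOKENS and the host labels are my own assumptions.

```python
# Added example (not code from the forum, from Jotti or from the helper): parse the
# plain-text Jotti layout pasted in this thread into per-file summaries.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed list of name fragments that carry no family information.
GENERIC_TOKENS = {"win32", "w32", "virus", "trojan", "gen", "generic", "heur", "a", "x"}

@dataclass
class JottiResult:
    filename: str
    md5: Optional[str] = None
    detections: Dict[str, str] = field(default_factory=dict)  # scanner -> malware name
    clean: List[str] = field(default_factory=list)            # scanners that found nothing

    def ratio(self) -> Tuple[int, int]:  # (engines that flagged it, engines that reported)
        return len(self.detections), len(self.detections) + len(self.clean)

    def family(self) -> Optional[str]:
        # Vendors name one family differently (Virut, Vitro and Scribble are all given for
        # one file in this thread), so count name tokens and take the most common non-generic one.
        tokens: Counter = Counter()
        for name in self.detections.values():
            for tok in re.split(r"[^a-z0-9]+", name.lower()):
                if tok and not tok.isdigit() and tok not in GENERIC_TOKENS:
                    tokens[tok] += 1
        return tokens.most_common(1)[0][0] if tokens else None

def parse_jotti_reports(text: str) -> List[JottiResult]:
    # One result per 'File:' block; after 'Scan taken on' the lines come in
    # scanner-name / 'Found ...' pairs. Only a 'Found' line commits a verdict, so
    # page chrome such as 'Powered by' or 'Service load:' never counts as a scanner.
    results: List[JottiResult] = []
    cur: Optional[JottiResult] = None
    pending: Optional[str] = None          # scanner name waiting for its 'Found' line
    in_scanners = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File:"):
            cur = JottiResult(filename=line[5:].strip())
            results.append(cur)
            pending, in_scanners = None, False
        elif cur is None:
            continue
        elif line.startswith("MD5:"):
            cur.md5 = line[4:].strip().lower()
        elif line.startswith("Scan taken on"):
            in_scanners = True
        elif in_scanners and pending and line.startswith("Found "):
            verdict = line[6:].strip()
            if verdict.lower() == "nothing":
                cur.clean.append(pending)
            else:
                cur.detections[pending] = verdict
            pending = None
        elif in_scanners and line and not line.startswith("Found "):
            pending = line
    return results

def md5_mismatches(by_host: Dict[str, List[JottiResult]]) -> Dict[str, Dict[str, str]]:
    # Same filename, different MD5 across hosts: a prompt to look closer, not a
    # verdict, because different Windows builds (SP2 vs SP3 in this thread) differ too.
    by_file: Dict[str, Dict[str, str]] = {}
    for host, results in by_host.items():
        for r in results:
            if r.md5:
                by_file.setdefault(r.filename.lower(), {})[host] = r.md5
    return {f: h for f, h in by_file.items() if len(set(h.values())) > 1}

# Sample input: excerpts of the ctfmon.exe results posted in this thread.
SICK_PC = """File: ctfmon.exe
Status:
INFECTED/MALWARE
MD5: 2f79d6e72c7ab910cadf0db6ffa9cd29
Scan taken on 19 Feb 2009 08:03:26 (GMT)
A-Squared
Found nothing
AntiVir
Found W32/Virut.Gen
Avast
Found Win32:Vitro
Kaspersky Anti-Virus
Found Virus.Win32.Virut.ce
Sophos Antivirus
Found W32/Scribble-A
Powered by
"""
COMPUTER_A = """File: ctfmon.exe
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
Scan taken on 25 Feb 2009 13:06:07 (GMT)
A-Squared
Found nothing
Kaspersky Anti-Virus
Found nothing
"""

if __name__ == "__main__":
    hosts = {"sick": parse_jotti_reports(SICK_PC), "A": parse_jotti_reports(COMPUTER_A)}
    print({h: [(r.filename, r.ratio(), r.family()) for r in rs] for h, rs in hosts.items()},
          md5_mismatches(hosts))
```

A differing MD5 for the same system file is only a prompt to look closer: the sick machine runs XP SP2 and Computer "A" runs SP3, so their legitimate copies of ctfmon.exe differ anyway. The engine count and the agreed family name are what settle it; on the sample above four of five engines flag the file and the agreed token is "virut", which matches the helper's diagnosis.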

Re: I have 3 trojans and a registry problem

Unread postby Eurocab » February 25th, 2009, 11:59 am

Here are the logs for Computer "A". Computer "B" will follow in the next post.

Service load:
0% 100%
File: userinit.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a93aee1928a9d7ce3e16d24ec7380f89
Packers detected:
-
Scanner results
Scan taken on 25 Feb 2009 12:50:30 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Service
Service load:
0% 100%
File: cmd.exe
Status:
OK
MD5: 6d778e0f95447e6546553eeea709d03c
Packers detected:
-
Scanner results
Scan taken on 25 Feb 2009 12:54:12 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


There is no regedit.exe file in this directory: c:\windows\system32\regedit.exe. There is a regedit in this path c:\windows\regedit.exe and in 8 other paths.

Service
Service load:
0% 100%
File: regedit.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 058710b720282ca82b909912d3ef28db
Packers detected:
-
Scanner results
Scan taken on 25 Feb 2009 13:01:04 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File: ctfmon.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
Packers detected:
-
Scanner results
Scan taken on 25 Feb 2009 13:06:07 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 25, 2009 13:50:33
Records in database: 1843218
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 96590
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:08:15


File name / Threat name / Threats count
D:\I386\Apps\APP15894\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\Apps\APP15894\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.
Eurocab
Active Member
 
Posts: 14
Joined: February 13th, 2009, 2:26 pm

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware