Help with Malware Removal

Post by DShook » April 25th, 2009, 1:44 pm

Per the instructions, below is a copy of the HiJackThis log file. Someone was using my computer and must have ok'd the installation of a program with malware or a virus. Avast! has detected the problem, but I have been unable to remove it with multiple scans. Any help which can be provided would be most appreciated.
Thanks in advance.
Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:39 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Wendy C. Shook\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("__000.aim.buddy.SndPlayFirstIncoming_ICQ", false);
user_pref("__000.aim.buddy.SndPlayIncoming_ICQ", false);
user_pref("__000.aim.buddy.SndPlayOutgoing_ICQ", false);
user_pref("__000.aim.buddy.SndPlaySignOn_ICQ", false);
user_pref("__000.aim.general.im.enterCR", false);
user_pref("__000.aim.general.im.tabKey", false);
user_pref("__000.aim.general.im.timeStamp", false);
user_pref("__000.icq.im.playall", false);
user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\Wendy
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wbvnvxiarx.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wbvnvxiarx.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/ ... porter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1140727453
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\yenojuje.dll c:\windows\system32\jozujoti.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7556 bytes
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm
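As an added example (not code from the thread, from HijackThis or from the forum's helpers), here is a small triage pass over the load-point entries in the log above. It flags the patterns a helper looks at first: autoruns launched from a TEMP directory, AppInit_DLLs injection, a BHO registered without a name, orphaned "(no file)" entries, and one CLSID registered under several sections (the O2 BHO and the O22 SharedTaskScheduler share one). The embedded log excerpt is constructed from the entries in Dave's post; the rule names and wording are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in the thread; only the
# entries the triage rules act on are reproduced here.
HJT_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\zfgh83jg3.dll - {d5bf49a0-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wbvnvxiarx.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wbvnvxiarx.exe (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\yenojuje.dll c:\windows\system32\jozujoti.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RNFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path up to the first executable/library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)


def parse_entries(log_text):
    """Split a HijackThis log into (section, body, raw_line) tuples."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def triage(log_text):
    """Return findings as {'section', 'line', 'reasons', 'paths'} dicts.

    These are heuristics a helper applies first, not a verdict: every
    flagged file still needs a hash check or a multi-engine scan.
    """
    entries = parse_entries(log_text)

    # Pass 1: which load-point sections does each CLSID appear in?
    clsid_sections = defaultdict(set)
    for sec, body, _ in entries:
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.lower()].add(sec)

    findings = []
    for sec, body, raw in entries:
        reasons = []
        paths = PATH_RE.findall(body)

        # Software that auto-starts from a TEMP directory is almost never legitimate.
        if any("\\temp\\" in p.lower() for p in paths):
            reasons.append("autorun target lives in a TEMP directory")

        # AppInit_DLLs are loaded into every process that links user32.dll.
        if sec == "O20" and paths:
            reasons.append("AppInit_DLLs injection into all GUI processes")

        # A BHO whose display name is just its own path has no registered name.
        if sec == "O2" and paths and body.startswith("BHO: " + paths[0]):
            reasons.append("BHO registered without a name")

        # A Run value with an empty value name ([]).
        if sec == "O4" and "[] " in body:
            reasons.append("Run value with empty name")

        # Registry load point whose file is gone: an orphan worth cleaning up.
        if "(no file)" in body:
            reasons.append("load point references a missing file")

        # One CLSID under several load points (e.g. O2 and O22) is a
        # persistence pattern, not something ordinary software does.
        for clsid in CLSID_RE.findall(body):
            others = clsid_sections[clsid.lower()] - {sec}
            if others:
                reasons.append("CLSID also registered under " + ", ".join(sorted(others)))

        if reasons:
            findings.append({"section": sec, "line": raw, "reasons": reasons, "paths": paths})
    return findings


def files_to_check(findings):
    """Unique on-disk paths from the findings, for hashing or a multi-engine scan."""
    seen = []
    for f in findings:
        for p in f["paths"]:
            if p.lower() not in [s.lower() for s in seen]:
                seen.append(p)
    return seen


if __name__ == "__main__":
    results = triage(HJT_LOG)
    for f in results:
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print("files to hash/scan:", files_to_check(results))
```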

Re: Help with Malware Removal

Post by MWR 3 day Mod » April 30th, 2009, 2:40 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Help with Malware Removal

Post by Shaba » April 30th, 2009, 10:11 am

Hi DShook

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 1st, 2009, 3:29 pm

Thanks so much for your help with this matter.
I ran GMER in Safe Mode, but nothing was found.
I had to run it four times in regular XP before it ran the whole time without freezing the system.
I pasted the entire text file but received this message: Your message contains 3448136 characters. The maximum number of allowed characters is 100000.
So, there are a few things pasted below, but the entire notepad file is attached.
Please let me know what I should do next.
Dave

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-05-01 14:23:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose
SSDT \SystemRoot\System32\drivers\953f326d.sys ZwCreateEvent
SSDT \SystemRoot\System32\drivers\953f326d.sys ZwCreateKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject
SSDT \SystemRoot\System32\drivers\953f326d.sys ZwOpenKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey

Code 0F638C17 KeFindConfigurationNextEntry

---- User code sections - GMER 1.0.12 ----
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 1st, 2009, 3:41 pm

Please upload that file to rapidshare.com and post back link here :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 1st, 2009, 4:51 pm

Thanks for your help.
I have posted the zipped version of the text file on Rapidshare.
Here is the link:
http://rapidshare.com/files/228044651/5 ... l.zip.html
Dave
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 2nd, 2009, 2:03 am

That seems to be an empty file.

Please split gmer log then to multiple replies.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 4th, 2009, 9:52 am

My apologies. Let's try this one:
http://rapidshare.com/files/229063218/5 ... e.zip.html
Thanks!
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 4th, 2009, 11:01 am

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 4th, 2009, 11:47 am

Here is the Combofix.txt file:

ComboFix 09-05-03.6 - Wendy C. Shook 05/04/2009 11:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.342 [GMT -4:00]
Running from: c:\documents and settings\Wendy C. Shook\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090501-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\INSTALL.LOG
c:\windows\QODCAT.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\dipagowe.dll
c:\windows\system32\drivers\953f326d.sys
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_953f326d


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-04 15:10 . 2009-05-04 15:10 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-19 21:38 . 2009-04-19 21:38 -------- d-----w c:\documents and settings\Wendy C. Shook\DoctorWeb
2009-04-14 22:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 22:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-14 22:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 22:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 22:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 22:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 22:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 22:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 22:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 22:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 21:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 21:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 15:24 . 2009-04-11 15:23 410984 ----a-w c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 14:31 . 2004-12-18 18:07 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-20 01:19 . 2002-08-29 11:00 433664 ----a-w c:\windows\system32\wiaacmgr.exe
2009-04-20 01:18 . 2002-08-29 11:00 77312 ----a-w c:\windows\system32\sdbinst.exe
2009-04-20 01:17 . 2002-08-29 11:00 76800 ----a-w c:\windows\system32\nslookup.exe
2009-04-20 01:17 . 2002-08-29 11:00 36864 ----a-w c:\windows\system32\netstat.exe
2009-04-20 01:17 . 2003-06-30 20:33 86016 ----a-w c:\windows\system32\netsh.exe
2009-04-20 01:17 . 2002-08-29 11:00 331776 ----a-w c:\windows\system32\netsetup.exe
2009-04-20 01:17 . 2002-08-29 11:00 124928 ----a-w c:\windows\system32\net1.exe
2009-04-20 01:17 . 2002-08-29 11:00 42496 ----a-w c:\windows\system32\net.exe
2009-04-20 01:17 . 2002-08-29 11:00 4096 ----a-w c:\windows\system32\nddeapir.exe
2009-04-20 01:17 . 2002-08-29 11:00 20480 ----a-w c:\windows\system32\NBTSTAT.EXE
2009-04-20 01:17 . 2002-11-20 16:50 53760 ----a-w c:\windows\system32\narrator.exe
2009-04-20 01:17 . 2008-06-22 00:40 176640 ----a-w c:\windows\system32\napstat.exe
2009-04-20 01:17 . 2002-08-29 11:00 677888 ----a-w c:\windows\system32\mstsc.exe
2009-04-20 01:17 . 2004-07-15 10:31 12288 ----a-w c:\windows\system32\mstinit.exe
2009-04-20 01:17 . 2002-08-29 11:00 6656 ----a-w c:\windows\system32\MSSWCHX.EXE
2009-04-20 01:15 . 2002-08-29 11:00 9728 ----a-w c:\windows\system32\LABEL.EXE
2009-04-20 01:15 . 2003-04-12 10:36 172032 ----a-w c:\windows\system32\jview.exe
2009-04-20 01:15 . 2003-04-12 10:35 14848 ----a-w c:\windows\system32\jdbgmgr.exe
2009-04-20 01:15 . 2000-04-26 19:34 39424 ----a-w c:\windows\system32\JETCOMP.exe
2009-04-20 01:15 . 2002-08-29 11:00 23552 ----a-w c:\windows\system32\ipxroute.exe
2009-04-20 01:15 . 2003-06-30 20:30 53248 ----a-w c:\windows\system32\ipv6.exe
2009-04-20 01:15 . 2002-08-29 11:00 44032 ----a-w c:\windows\system32\IPSEC6.EXE
2009-04-20 01:15 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\ipconfig.exe
2009-04-20 01:15 . 2005-10-19 12:59 114688 ----a-w c:\windows\system32\igfxzoom.exe
2009-04-20 01:15 . 1980-01-01 06:00 155648 ----a-w c:\windows\system32\igfxtray.exe
2009-04-20 01:15 . 2002-08-29 11:00 114688 ----a-w c:\windows\system32\iexpress.exe
2009-04-20 01:13 . 2003-09-01 19:46 17920 ----a-w c:\windows\system32\dpnsvr.exe
2009-04-20 01:12 . 2002-08-29 11:00 5120 ----a-w c:\windows\system32\BOOTVRFY.EXE
2009-04-20 01:12 . 2004-08-04 07:56 71680 ----a-w c:\windows\system32\blastcln.exe
2009-04-20 01:12 . 2002-08-29 11:00 4608 ----a-w c:\windows\system32\BOOTOK.EXE
2009-04-20 01:12 . 2002-09-10 23:34 98304 ----a-w c:\windows\system32\BacsTray.exe
2009-04-20 01:12 . 2004-08-04 07:56 14336 ----a-w c:\windows\system32\auditusr.exe
2009-04-20 01:12 . 2002-08-29 11:00 12288 ----a-w c:\windows\system32\attrib.exe
2009-04-20 01:12 . 2002-08-29 11:00 11264 ----a-w c:\windows\system32\atmadm.exe
2009-04-20 01:12 . 2002-08-29 11:00 25088 ----a-w c:\windows\system32\at.exe
2009-04-20 01:12 . 2002-08-29 11:00 19456 ----a-w c:\windows\system32\ARP.EXE
2009-04-20 01:12 . 2002-08-29 11:00 98304 ----a-w c:\windows\system32\ahui.exe
2009-04-20 01:12 . 2002-08-29 11:00 4096 ----a-w c:\windows\system32\actmovie.exe
2009-04-20 00:55 . 2002-08-29 11:00 744448 ----a-w c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2009-04-20 00:35 . 2002-12-14 06:50 1077248 ----a-w c:\windows\Help\SBSI\Training\orun32.exe
2009-04-19 21:41 . 2002-08-29 11:00 289792 ----a-w c:\windows\system32\vssvc.exe
2009-04-19 21:40 . 2002-08-29 11:00 224768 ----a-w c:\windows\system32\dmadmin.exe
2009-04-19 21:40 . 2002-08-29 11:00 15360 ----a-w c:\windows\system32\ctfmon.exe
2009-04-19 21:40 . 2002-08-29 11:00 33280 ----a-w c:\windows\system32\clipsrv.exe
2009-04-19 21:40 . 2002-08-29 11:00 25600 ----a-w c:\windows\system32\cisvc.exe
2009-04-19 21:40 . 2002-08-29 11:00 64512 ----a-w c:\windows\system32\alg.exe
2009-04-19 21:40 . 2003-05-12 01:12 1053696 ----a-w c:\windows\explorer.exe
2009-04-18 21:02 . 2002-12-14 06:54 -------- d-----w c:\program files\Classic PhoneTools
2009-04-18 21:02 . 2004-08-10 00:22 -------- d-----w c:\program files\Audiovox USB Drivers
2009-04-18 16:30 . 2003-09-02 13:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 23:57 . 2005-02-19 03:02 -------- d-----w c:\program files\Startup Inspector for Windows
2009-04-16 23:57 . 2002-12-14 07:00 -------- d-----w c:\program files\QuickTime
2009-04-11 15:28 . 2007-07-21 16:59 -------- d-----w c:\program files\CCleaner
2009-04-11 15:23 . 2002-12-21 20:25 -------- d-----w c:\program files\Java
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-08-29 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-04-16 20:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-08-29 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-03 19:59 . 2002-08-29 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-16 23:03 . 2009-01-16 23:03 69632 --sha-w c:\windows\SYSTEM32\yenojuje.dll.vir
.

------- Sigcheck -------

[-] 2009-04-19 21:40 1053696 953F77FF58D8479C222AEDAE58625360 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2002-08-29 11:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-04-19 21:40 15360 40D1E302F6F6FAC1FD41C8A658D6074D c:\windows\SYSTEM32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2009-04-19 21:41 77824 E1A02B72BFD3B6727A6EAF0083C6C688 c:\windows\SYSTEM32\spoolsv.exe

[7] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2009-04-19 21:41 26112 F2FD355880A880105ADC231A3786DBA3 c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2009-04-19 1613824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 21:40]

2002-12-21 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 21:41]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Windows Resurections - c:\windows\TEMP\wbvnvxiarx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = 127.0.0.1;hxxp://localhost;
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Wendy C. Shook\Application Data\Mozilla\Firefox\Profiles\mv0e142o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/outlook/health/c ... centsearch
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 11:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3020)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-04 11:44
ComboFix-quarantined-files.txt 2009-05-04 15:44

Pre-Run: 16,900,272,128 bytes free
Post-Run: 16,886,792,192 bytes free

192 --- E O F --- 2009-04-15 00:52
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 4th, 2009, 11:59 am

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

c:\windows\explorer.exe
c:\windows\SYSTEM32\ctfmon.exe
c:\windows\SYSTEM32\spoolsv.exe
c:\windows\SYSTEM32\userinit.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 4th, 2009, 12:31 pm

Here are the Jotti results:

explorer.exe
A-Squared Found Trojan.Win32.Patched!IK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found Trojan.Win32.Patched
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ctfmon.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

spoolsv.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Virut.NBP
Norman Virus Control Found W32/Virut.CK
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

userinit.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 4th, 2009, 12:48 pm

Not good news then.

Please scan these as well and post back results:

c:\windows\ServicePackFiles\i386\explorer.exe
c:\windows\ServicePackFiles\i386\ctfmon.exe
c:\windows\ServicePackFiles\i386\spoolsv.exe
c:\windows\ServicePackFiles\i386\userinit.exe
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Help with Malware Removal

Post by DShook » May 4th, 2009, 1:06 pm

Here are the Jotti results:

c:\windows\ServicePackFiles\i386\explorer.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

c:\windows\ServicePackFiles\i386\ctfmon.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

c:\windows\ServicePackFiles\i386\spoolsv.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

c:\windows\ServicePackFiles\i386\userinit.exe
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
DShook
Regular Member
Posts: 18
Joined: April 23rd, 2009, 2:31 pm

Re: Help with Malware Removal

Post by Shaba » May 4th, 2009, 1:24 pm

Those look promising :)

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    c:\windows\ServicePackFiles\i386\ctfmon.exe | c:\windows\system32\ctfmon.exe
    c:\windows\ServicePackFiles\i386\spoolsv.exe | c:\windows\system32\spoolsv.exe
    c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
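As an added example, not part of the thread and not ComboFix's own code, here is the reasoning behind that FCopy:: script, derived from the Sigcheck block in the ComboFix log above. Each live system binary that fails catalog verification ([-]) and has a verified ([7]) copy in ServicePackFiles\i386 is paired with that copy, size differences are noted, and the plan is rendered in CFScript form. The Sigcheck excerpt (sizes and MD5s) is reproduced from the posted log; the rule names are mine.

```python
import ntpath
import re
from collections import defaultdict, namedtuple

# Excerpt of the Sigcheck block from the ComboFix log in the thread:
# [7] = catalog signature verified, [-] = not verified.
SIGCHECK = r"""
[-] 2009-04-19 21:40 1053696 953F77FF58D8479C222AEDAE58625360 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2009-04-19 21:40 15360 40D1E302F6F6FAC1FD41C8A658D6074D c:\windows\SYSTEM32\ctfmon.exe

[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2009-04-19 21:41 77824 E1A02B72BFD3B6727A6EAF0083C6C688 c:\windows\SYSTEM32\spoolsv.exe

[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2009-04-19 21:41 26112 F2FD355880A880105ADC231A3786DBA3 c:\windows\SYSTEM32\userinit.exe
"""

ROW_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<stamp>\S+ \S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
Row = namedtuple("Row", "verified stamp size md5 path")
Restore = namedtuple("Restore", "name src dst notes")

# Directories holding the copies Windows actually runs, and the directory
# holding the verified Service Pack originals used as the restore source.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}
REF_DIR = r"c:\windows\servicepackfiles\i386"


def parse_sigcheck(text):
    """Parse Sigcheck rows into Row tuples; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["flag"] == "7", m["stamp"], int(m["size"]), m["md5"].upper(), m["path"]))
    return rows


def plan_restores(text):
    """For every live binary that fails verification, pick the verified
    ServicePackFiles copy as its replacement and note what differs."""
    by_name = defaultdict(list)
    for r in parse_sigcheck(text):
        by_name[ntpath.basename(r.path).lower()].append(r)

    plan = []
    for name, group in by_name.items():
        refs = [r for r in group if r.verified and ntpath.dirname(r.path).lower() == REF_DIR]
        for live in group:
            if live.verified or ntpath.dirname(live.path).lower() not in LIVE_DIRS:
                continue
            if not refs:
                plan.append(Restore(name, None, live.path.lower(), ["no verified reference copy on disk"]))
                continue
            ref = refs[0]
            notes = ["MD5 differs from verified copy"]
            if live.size != ref.size:
                # A size change (spoolsv.exe: 77824 vs 57856) is the classic
                # footprint of a file infector appending code; an unchanged
                # size (ctfmon.exe, userinit.exe) does not clear a file that
                # fails verification, which is why all four were restored.
                notes.append(f"size {live.size} vs reference {ref.size}")
            plan.append(Restore(name, ref.path, live.path.lower(), notes))
    return plan


def fcopy_script(plan):
    """Render the restore plan in the CFScript FCopy:: form used in the thread."""
    lines = ["FCopy::"]
    lines += [f"{p.src} | {p.dst}" for p in plan if p.src]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    restores = plan_restores(SIGCHECK)
    for p in restores:
        print(p.name, "->", p.dst, "|", "; ".join(p.notes))
    print(fcopy_script(restores))
```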