Posted

Hi Tarun, can you check out my log for me please? Many thanks.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:26:33, on 27/04/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Inventel\Gateway\wlancfg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Firetrust\Benign\B9.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\HDD Health\hddhealth.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Z-opti Browser Enhancer - {C348BB9A-995C-404A-8185-76325B4BED9F} - C:\WINDOWS\$XNTUninstall643$\mbdwt.dll

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Context-Ads Browser Enhancer - {F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} - C:\WINDOWS\$XNTUninstall643$\xgoir.dll

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run

O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe

O24 - Desktop Component 0: (no name) -

--

End of file - 7958 bytes

  • Administrator
Posted

Your log looks clean, though I see a few things that are out of date such as Avast, Adobe Reader, and Internet Explorer.

I would definitely recommend uninstalling any/all toolbars, as I see Ask, Limewire and Wanadoo toolbars.

This line can also be removed safely: O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

Are you experiencing any symptoms of infection or is this simply a routine checkup? :)

Posted

Hi Tarun, I'm pretty sure I've got something because when I click on links in Google I sometimes get taken to a different website, usually another search engine. Also, I keep getting a message about my system being under attack and occasionally my firewall gets turned off.

Any ideas?

Dave

  • Administrator
Posted

I do believe I've spotted the infection. I apologize for overlooking it.

O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run

I'd run Malwarebytes Anti-Malware and see if it picks the file up.

Also, not sure if you still need this or want to keep it, but it hasn't been updated since 2006:

O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
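As an added example (not the thread's own material, and not code from Trend Micro or HijackThis), the following Python turns the judgement calls made above into repeatable checks over HijackThis lines: an O2 BHO with "(no file)" is an orphaned entry, and an O4 Run entry that uses rundll32 to load a DLL out of a "$...$" directory under C:\WINDOWS is the kind of line that should not exist on a clean machine. The sample lines are copied from the log posted earlier in the thread; TRUSTED_DIRS, the severity labels and the rundll32 rule are assumptions of this example.

```python
"""Triage heuristics for HijackThis (HJT) log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines taken from the HijackThis log posted above in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Z-opti Browser Enhancer - {C348BB9A-995C-404A-8185-76325B4BED9F} - C:\WINDOWS\$XNTUninstall643$\mbdwt.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
"""


@dataclass
class Finding:
    section: str   # HJT section id, e.g. "O4"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


# Assumption: directories that legitimately host autostart binaries on this box.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
# A "$name$" path component such as $XNTUninstall643$. It mimics the naming of
# Windows hotfix uninstall folders, which never hold code that runs at logon.
DOLLAR_DIR = re.compile(r"\\\$[^\\]+\$\\", re.IGNORECASE)
# Any .dll or .exe path inside the entry.
PATH_RE = re.compile(r"[a-z]:\\[^\"',]+?\.(?:dll|exe)", re.IGNORECASE)
SECTION_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def _paths(text: str) -> List[str]:
    return [m.group(0) for m in PATH_RE.finditer(text)]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "low", "orphaned BHO: CLSID registered but DLL missing", line)
    for p in _paths(body):
        if DOLLAR_DIR.search(p):
            return Finding(section, "high", f"code loaded from a $...$ directory: {p}", line)
    if section == "O4" and "rundll32" in body.lower():
        for p in _paths(body):
            if not p.lower().startswith(TRUSTED_DIRS):
                return Finding(section, "medium", f"rundll32 loads DLL outside trusted dirs: {p}", line)
    if section == "O1" and ":" in body:
        # Hosts overrides deserve a look. A 127.x target is a local proxy (the
        # ".b9" suffix here matches the Firetrust Benign mail filter that also
        # appears in the log); any other address is a genuine redirect.
        addr, target = body.split(":", 1)[1].split()[:2]
        sev = "low" if addr.startswith("127.") else "high"
        return Finding(section, sev, f"hosts override {target} -> {addr}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    hits = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```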

Posted

Hi Tarun,

Thanks for the reply. I'll get onto that today.

Incidentally, I had awful problems with the PC this morning. Something called "XP Total Security 2011 - Unregistered Version" was insisting I had all these infections and kept throwing up warnings in the taskbar like "Stealth intrusion!, Tracking software found!, Threat detected!" among others. It also appeared to turn off Windows Firewall and Avast. I ignored this and ran Avast in safe mode. It found 1 infection. Here are the details.

File Name

C:\Documents and Settings\All Users\Application Data\84DBKnD6.exe

Severity

High

Status

Threat:Win32:Trojan-gen

When I tried to navigate to the file there was nothing there. I'm hoping Avast has removed it.

After that I ran Malwarebytes and it found 15 problems with it removed.

Despite this, however, I've still got something redirecting my search queries, as when I tried to come to Luarsoft it took me to an eBay page! After I've removed the entry you've pointed out, should I run everything again and send you another HijackThis log? Also, although it doesn't say so on the Wiki, should I be running all my checks in safe mode?

Finally, you mention getting rid of the Limewire and Yahoo toolbars. How do I do this and where do I go in the registry to delete the appropriate entries?

Thanks very much for your advice and patience.

Dave

  • Administrator
Posted

Malwarebytes Anti-Malware should be able to remove XP Total Security 2011 just fine. If you don't mind, please post your Malwarebytes log.

You may wish to run all the scanners again in Full Scan instead of Quick/Fast. And safe mode is not necessary. One key reason for this is that Malwarebytes Anti-Malware is more powerful in normal mode than safe mode.

As for getting rid of the toolbars, I'd recommend checking Add/Remove Programs first and see if you can simply run an uninstall. From there we can remove them from HijackThis during the cleanup phase.

Posted

Hi Tarun,

I've followed your instructions and below is my HijackThis log and also the Malwarebytes log.

Just a couple of other things.

Spybot keeps finding "Click.GiftLoad" despite repeated deletions and I'm wondering whether it's loading on startup? Also, after I scanned with Malwarebytes I clicked for my PC to restart and it hung so I had to restart it manually. After scanning with Avast it advised that I let it check the system on boot-scan which I did and it found this:

File C:\Documents and Settings\Network Service\Application Data\Sun\Java\Deployment\cache\6.0\44\2e038c6c-6979ccd1>google\bingo.class is infected by Java:agent-GI[Exp¬]

I deleted that and further items that all had the reference "agent-G" followed by the letters I, J, M and N (I think).

Finally, the light on the tower that shows hard drive activity flashes at regular intervals roughly 1 second apart, even when there appears to be no HDD activity taking place. I've not noticed this before and wondered whether it's something nasty on the system.

Anyway, here are those logs and thanks again for your help.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:07:59, on 03/05/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Inventel\Gateway\wlancfg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Firetrust\Benign\B9.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\HDD Health\hddhealth.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\RunOnce: [spybotDeletingA2670] command.com /c del "C:\WINDOWS\SchedLgU.Txt"

O4 - HKLM\..\RunOnce: [spybotDeletingC768] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"

O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe

O24 - Desktop Component 0: (no name) -

--

End of file - 7489 bytes

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6500

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

03/05/2011 19:10:17

mbam-log-2011-05-03 (19-10-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 220936

Time elapsed: 1 hour(s), 19 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{75493eb3-c852-41b6-b8a8-f3c98fbd0121}\rp1218\a0279006.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\system volume information\_restore{75493eb3-c852-41b6-b8a8-f3c98fbd0121}\rp1220\a0285030.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\windows\system32\memzpack.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\8pabk5u7\nbc[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\8pabk5u7\nbg[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

  • Administrator
Posted

I see that some of the items found are in your System Restore. You can easily remove them by making a new System Restore point and naming it (something like "Cleaning up") and then using Disk Cleanup to remove all but the latest one. You may also want to run CCleaner once more and do quick scans.

Are there still symptoms present?

Posted

Hi Tarun,

Sorry it’s taken so long to get back to you (work etc.). We’re still experiencing a browser hijack along with problems on start up/shut down so I did another lot of scans today and took some notes along the way.

First off I started the PC but it only got as far as our screensaver then stalled. At this point there were no icons on the screen. I pressed the restart button and start up got as far as the screensaver with icons before seeming to stall again. After 5:05 minutes the start up continued and seemed to load normally.

Then a balloon appeared with this message:

Your computer might be at risk. Automatic Updates is turned off. Click this balloon to fix this problem.

I clicked the balloon and the Security Centre screen appeared showing Automatic Updates as off. But when I clicked "Turn on Automatic Updates" a box appeared with this message:

"We're sorry. The Security Centre could not change your Automatic Updates settings. To try changing these settings yourself, go to System in Control Panel. On the Automatic Updates tab select Automatic (recommended), and then click ok."

So I followed these instructions but when I got to System Properties it said that Automatic Updates are switched on.

After this I began the scans as per your Wiki instructions.

After running Spywareblaster I did a full scan with Avast and it found a virus. These are the details.

MBR:\\.\PHYSICALDRIVE0

Threat:Rootkit:hidden boot-sector

I deleted this.

On reboot I experienced the same 5 minute delay on start up.

A full scan with Malwarebytes revealed nothing, but a full scan with SuperAntiSpyware revealed some problems. Here are the details:

System.BrokenFileAssociation (2)

HKCR\.exe

HKCR\exefile\shell\open\command

Trojan.Agent/Gen-Nullo(short) (1)

C:\SYSTEM_VOLUME_INFORMATION\_RESTORE {75493EB3-C852-41B6-B8A8-F3C98FBD0121}\RP1222\A0313358.EXE

I deleted these and when prompted I rebooted. This time everything loaded in 1:44 minutes.

Next I clicked to start Spybot but while it was loading this message came up:

To help protect your computer, Windows has closed this program.

Name Generic Host Process for Win32 Services.

I closed the message and Spybot continued to load and immediately detected Click.GiftLoad again! Other problems surfaced as well.

(I have the whole Spybot log but it's very long and when I tried to post it I was told to shorten the post so I've just posted the bit that seems to highlight the problems.)

--- Search result list ---

Click.GiftLoad: [sBI $89783858] User settings (Registry value, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [sBI $E57DC831] User settings (Registry value, nothing done)

HKEY_USERS\.DEFAULT\Software\Classes\.exe\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [sBI $E57DC831] User settings (Registry value, nothing done)

HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [sBI $8D38ECE3] User settings (Registry value, nothing done)

HKEY_USERS\.DEFAULT\Software\Classes\exefile\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [sBI $8D38ECE3] User settings (Registry value, nothing done)

HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [sBI $9CCE589D] User settings (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Classes\.exe\shell\open\command\

Fraud.InternetSecurity2011: [sBI $9CCE589D] User settings (Registry change, nothing done)

HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell\open\command\

Fraud.InternetSecurity2011: [sBI $F153D38E] User settings (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Classes\exefile\shell\open\command\

Fraud.InternetSecurity2011: [sBI $F153D38E] User settings (Registry change, nothing done)

HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command\

Fraud.InternetSecurity2011: [sBI $8D9E5DA2] User settings (Registry value, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [sBI $5AEDDF0A] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [sBI $758FB1E3] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [sBI $CDC1B6A2] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [sBI $76913945] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [sBI $F16F6CE5] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [sBI $DE0D020C] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [sBI $6D4031BB] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [sBI $FD1F9FD2] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [sBI $9EDDC71B] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Fraud.InternetSecurity2011: [sBI $EE344D69] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Common Dialogs: History (2 files) (Registry key, nothing done)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)

C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)

C:\WINDOWS\System32\wbem\logs\wbemess.log

When I clicked to fix the problems an X appeared next to the Fraud.InternetSecurity2011 problem and this message was displayed:

Some problems could not be fixed; the reason could be that the associated files are still in use (in memory).

This could be fixed after a restart.

May Spybot-S&&D run on your next system startup?

(n.b. The two &&’s are not a typo, that’s how it appeared in the message.)

I clicked yes for the PC to restart but the "Ending program... Please wait" box appeared followed by the "This program is not responding..." one.

I tried again with the same result so I pressed the restart button.

On restart Spybot automatically scanned the system again. No threats were found but there were no icons on the screen for a couple of minutes and when they appeared the bar at the bottom of the screen was grey instead of blue.

So I restarted the computer and it loaded to the point where our screensaver was up but there were no icons on the screen. I left it for ten minutes then restarted the PC manually and it loaded in 1:33 minutes.

I then created a restore point before scanning with HijackThis. Here is the log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:10:06, on 10/05/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Firetrust\Benign\B9.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\HDD Health\hddhealth.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Inventel\Gateway\wlancfg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')

O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe

O24 - Desktop Component 0: (no name) -

--

End of file - 7314 bytes

I should also point out that I sometimes have to double click 4 or 5 times before my browser loads.

Two more things:

How do I get rid of all my restore points except the most recent one?

And how do I remove items from the Startup list in System Configuration Utility?

Thanks again for your help Tarun.

  • Administrator
Posted

Running Kaspersky's TDSSKiller may be helpful as well as G-Data's FakeAV remover.

Go to Start - All Programs - Accessories - System Tools - System Restore. Click Create a restore point, and then click Next. Name it whatever you like and create. :)

To remove Startup items, you can use CCleaner, Autoruns, HiJackThis, and of course the MSConfig utility. MSConfig is very easy, you simply uncheck items you do not want to run at startup.

Posted

Hi Tarun,

It looks like that last load of scans I did has done the trick so thanks very much for your help.

One last thing, I'd already unchecked Limewire in msconfig. What I was asking was whether it is possible to completely remove the entry as I thought I'd removed all traces of the program so was surprised to still see it sitting there.

Thanks again,

Dave

  • Administrator
Posted

If you recheck it through MSconfig you can remove it using HijackThis or (the one I prefer to use) Autoruns.
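The two answers above (MSConfig for unchecking, HijackThis or Autoruns for actually deleting the leftover entry) can be reproduced from the command line. The script below is an added example, not Tarun's or the thread's own instructions: it lists the Run-key entries that HijackThis reports as O4 lines, flags those whose target program no longer exists on disk, and previews their removal with -WhatIf so nothing is deleted until the list has been reviewed. It assumes Windows PowerShell with the registry provider, and it assumes (as I understand Windows XP's msconfig) that items unchecked in MSConfig are moved to `HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg`, which is why an unchecked entry keeps appearing after the program itself has been uninstalled.

```powershell
# Added example (not from the thread): enumerate autostart entries (the O4 lines
# in a HijackThis log) and flag those whose executable is gone.
# Assumption: on Windows XP, MSConfig records unchecked startup items under the
# startupreg store below, so they survive uninstalling the program.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MsConfigStore = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /minimize     or     VTTimer.exe
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $first = ($Command -split '\s+')[0]
    if ($first -match '\\') { return $first }
    # Bare file name: Windows searches System32 and the Windows directory
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $first
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $first
}

function Get-StartupEntries {
    $results = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata
            $exe = Get-CommandPath ([string]$p.Value)
            $results += [pscustomobject]@{
                Source  = 'Run key'
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Exists  = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
    }
    # Items unchecked in MSConfig live in its own store, not in the Run keys
    if (Test-Path $MsConfigStore) {
        foreach ($sub in Get-ChildItem $MsConfigStore) {
            $item = Get-ItemProperty -Path $sub.PSPath
            $exe = Get-CommandPath ([string]$item.command)
            $results += [pscustomobject]@{
                Source  = 'MSConfig (disabled)'
                Key     = $sub.PSPath
                Name    = $sub.PSChildName
                Command = $item.command
                Exists  = [bool]($exe -and (Test-Path -LiteralPath $exe))
            }
        }
    }
    return $results
}

# Overview: entries whose program is missing sort to the top
Get-StartupEntries | Sort-Object Exists | Format-Table Source, Name, Exists, Command -AutoSize

# Preview removal of stale entries only. -WhatIf prints what would be deleted and
# deletes nothing; drop it once the list has been checked against the log.
Get-StartupEntries | Where-Object { -not $_.Exists } | ForEach-Object {
    if ($_.Source -eq 'Run key') {
        Remove-ItemProperty -Path $_.Key -Name $_.Name -WhatIf
    } else {
        Remove-Item -Path $_.Key -WhatIf
    }
}
```

An entry with a missing executable is exactly the case in the question above: the program was uninstalled but its startup record remained. Removing the Run value (or the startupreg subkey) is what HijackThis and Autoruns do behind the scenes; the script deliberately limits the preview to entries whose binary is absent so a live entry such as avast's is never touched by accident.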

  • Administrator
Posted

The issue this thread has been opened for has been resolved.

If you need continued support, please start a new thread and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: PC Cleanup

It is recommended that you review our PC Security wiki page to help secure your computer and protect it.
