Need to clean something deep

Welcome to your place for tech questions! ( Log In or Join today ) Get answers from experts today. (it's 100% free) Virus removal forum

What the Tech > Spyware / Malware / Virus Removal > Virus, Spyware & Malware Removal

Need to clean something deep, Keeps coming back

Options

8210GUY View Member Profile	Jun 22 2011, 02:39 PM Post #1
SuperMember Group: Visiting Tech Posts: 1,679 Joined: 15-May 09 From: UK Member No.: 85,793 Operating System: Win 98se, Windows 2000, xp Home sp3, xp Pro sp3, Vista Ultimate 32bit\64bit, Win7 Ultimate 32bit\64bit.	A mate has asked me to sort his system, he had some people stay over for a bit and allowed they're kids to use his system, and he is one who loves to help if he can, but the end result is he was absolutely riddled with nasties, it's taken me all day cleaning etc to get it into some kind of shape, but it still keeps exhibiting hijack behaviour, especially when trying to get help. I had to download Hijack This on my system then transfer it over, as his results kept getting jacked, as per usual I have forgotten all the names involved, just tried looking at the mbam logs, only to find the logs were not enabled at the time of repairing, I have now enabled them, but it now reports the system to be clean, Avast often came up with blocked Trojan messages etc, it lists a lot of what it did, but I can't see how to copy the log to show it here, but I have ran multiple scans with Malwarebytes Anti-Malware, Avast! Free Antivirus and SUPERAntiSpyware, ALL found and removed numerous infections, but there is still something not right. Another point to note, using 4 junk file cleaners, Disk Cleaner, CCleaner, CleanUp and ATF-Cleaner, CleanUp seems to find masses of temp files every time, I have never seen that happen before, so I figure it's his hijacker creating them, and Secunia will not load, I have installed it, it runs, it update new findings etc, but when I try to launch it to see the results it shuts down as soon as it opens, it does not crash, it keeps working, it just wont open to view the results, so any help would be great. Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 21:08:28, on 22/06/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe C:\Program Files\Alwil Software\Avast5\avastUI.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\NETGEAR\WPN111\wpn111.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Common Files\Iconix\IconixService.exe C:\Program Files\Java\jre6\bin\jqs.exe c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe C:\WINDOWS\system32\svchost.exe c:\program files\teamviewer\version6\TeamViewer_Service.exe C:\Program Files\UPHClean\uphclean.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\SearchIndexer.exe c:\program files\teamviewer\version6\TeamViewer.exe c:\program files\teamviewer\version6\tv_w32.exe C:\WINDOWS\system32\ctfmon.exe c:\program files\teamviewer\version6\TeamViewer_Desktop.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Secunia\PSI\PSIA.exe C:\Program Files\Secunia\PSI\PSI_TRAY.exe C:\Program Files\Secunia\PSI\sua.exe C:\Documents and Settings\George\Desktop\HiJackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_46.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\IEPro\IEProRecorder.dll O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ? O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O8 - Extra context menu item: Save Page As PDF ... - file://C:\Program Files\Nitro PDF\PDF Download\nitroweb.htm O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_46.dll O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_46.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: PDF Download - Options - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_46.dll O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_46.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139406804265 O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D1FA74-04D3-4D48-AA61-B7E700DB9CC7}: NameServer = 208.67.222.222,208.67.220.220 O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Iconix Update Service (IconixService) - Unknown owner - C:\Program Files\Common Files\Iconix\IconixService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - c:\program files\teamviewer\version6\TeamViewer_Service.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 11409 bytes

mowman View Member Profile	Jun 22 2011, 05:39 PM Post #2
SuperMember Group: Malware Team Posts: 2,644 Joined: 11-April 09 From: Stoke,England Member No.: 85,186 Operating System: vista home premium sp2	Let's give it a go. Download OTL to your desktop. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. Under Custom Scan paste this in netsvcs drivers32 %SYSTEMDRIVE%\. %systemroot%\Fonts\.com %systemroot%\Fonts\.dll %systemroot%\Fonts\.ini %systemroot%\Fonts\.ini2 %systemroot%\Fonts\.exe %systemroot%\system32\spool\prtprocs\w32x86\.* %systemroot%\REPAIR\.bak1 %systemroot%\REPAIR\.ini %systemroot%\system32\.jpg %systemroot%\.jpg %systemroot%\.png %systemroot%\.scr %systemroot%\._sy %APPDATA%\Adobe\Update\.* %ALLUSERSPROFILE%\Favorites\. %APPDATA%\Microsoft\. %PROGRAMFILES%\. %APPDATA%\Update\. %systemroot%\. /mp /s CREATERESTOREPOINT %systemroot%\System32\config\.sav %PROGRAMFILES%\bak. /s %systemroot%\system32\bak. /s %ALLUSERSPROFILE%\Start Menu\.lnk /x %systemroot%\system32\config\systemprofile\.dat /x %systemroot%\.config %systemroot%\system32\.db %APPDATA%\Microsoft\Internet Explorer\Quick Launch\.lnk /x %USERPROFILE%\Desktop\.exe %PROGRAMFILES%\Common Files\. %systemroot%\.src %systemroot%\install\.* %systemroot%\system32\DLL\. %systemroot%\system32\HelpFiles\. %systemroot%\system32\rundll\. %systemroot%\winn32\. %systemroot%\Java\. %systemroot%\system32\test\. %systemroot%\system32\Rundll32\. %systemroot%\AppPatch\Custom\. %APPDATA%\Roaming\Microsoft\Windows\Recent\.lnk /x %PROGRAMFILES%\PC-Doctor\Downloads\.* %PROGRAMFILES%\Internet Explorer\.tmp %PROGRAMFILES%\Internet Explorer\.dat %USERPROFILE%\My Documents\.exe %USERPROFILE%\.exe %systemroot%\ADDINS\. %systemroot%\assembly\.bak2 %systemroot%\Config\.* %systemroot%\REPAIR\.bak2 %systemroot%\SECURITY\Database\.sdb /x %systemroot%\SYSTEM\.bak2 %systemroot%\Web\.bak2 %systemroot%\Driver Cache\. %PROGRAMFILES%\Mozilla Firefox\0.exe %ProgramFiles%\Microsoft Common\.* %ProgramFiles%\TinyProxy. %USERPROFILE%\Favorites\.url /x %systemroot%\system32\.bk %systemroot%\.te %systemroot%\system32\system32\.* %ALLUSERSPROFILE%\.dat /x %systemroot%\system32\drivers\.rmv dir /b "%systemroot%\system32\.exe" \| find /i " " /c dir /b "%systemroot%\.exe" \| find /i " " /c %PROGRAMFILES%\Microsoft\. %systemroot%\System32\Wbem\proquota.exe %PROGRAMFILES%\Mozilla Firefox\.dat %USERPROFILE%\Cookies\.txt /x %SystemRoot%\system32\fonts\. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\|LastSuccessTime /rs Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in. Please download Rootkit Unhooker and save it to your desktop. Link 1 Now double-click on RKUnhookerLE.exe to run it. Click the Report tab, then click Scan. Check (Tick) Drivers and Stealth Uncheck the rest. then click OK When prompted to Select Disks for Scan, make sure *C:\* is checked and click OK Wait till the scanner has finished and then click File > Save Report. Save the report somewhere where you can find it. Click Close. Copy the entire contents of the report and paste it in your next reply. Note** you may get the following warning, just click OK and continue. "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

8210GUY View Member Profile	Jul 6 2011, 03:46 PM Post #3
SuperMember Group: Visiting Tech Posts: 1,679 Joined: 15-May 09 From: UK Member No.: 85,793 Operating System: Win 98se, Windows 2000, xp Home sp3, xp Pro sp3, Vista Ultimate 32bit\64bit, Win7 Ultimate 32bit\64bit.	Hi, Thanks for this, sorry for a slow reply, I am snowed under with stuff I have to get done, and to that end it will be next week before I can give this a go, I'm away to help a mate all weekend (from tomorrow), then will need to get the problem system to do as you ask, but in the words of Arnie, "I*'ll be back" lol, again sorry for the delays.

mowman View Member Profile	Jul 6 2011, 03:54 PM Post #4
SuperMember Group: Malware Team Posts: 2,644 Joined: 11-April 09 From: Stoke,England Member No.: 85,186 Operating System: vista home premium sp2	No problem,I will keep this topic open as long as necessary.

« Next Oldest · Virus, Spyware & Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
Virus, Spyware & Malware Removal Log Appears Clean Yet I Still Get Things!	5	Writ	2,224	7th January 2004 - 06:22 PM Last post by: cnm
Virus, Spyware & Malware Removal Ongoing Problem After Using Cw To Clean Freednshos	3	jgharvey2222	1,237	17th April 2004 - 08:03 AM Last post by: Daemon
Virus, Spyware & Malware Removal HELP infected by Vcodec: cannot clean PC	11	gollum	2,548	8th January 2006 - 03:45 PM Last post by: LDTate
Virus, Spyware & Malware Removal Assuring A Clean Slate	3	newtech	1,226	20th August 2004 - 02:19 PM Last post by: dgosling
Virus, Spyware & Malware Removal Clean-up Needed? 12	18	Darkelf	2,073	11th October 2004 - 02:26 PM Last post by: little eagle