[Closed] Help with Malware infection
#1
Posted 02 April 2008 - 01:06 PM
#2
Posted 05 April 2008 - 02:20 PM
Welcome to the Whatthetech Malware Removal Forum,
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply along with a HijackThis log.
Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
- Open HJT, click Scan and Save a Log File, and it will open in Notepad
- Go to Format and make sure Word Wrap is unchecked
- Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.
Post the Malwarebytes log and a HijackThis log please
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#3
Posted 05 April 2008 - 08:43 PM
Thanks again;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:50 PM, on 4/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Franklin VPN Client\cvpnd.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
D:\PersApps\Webshots\webshots.scr
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Franklin Templeton Investments
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: 0 - {DC310461-CDB1-41DE-89BE-62CFF5C37945} - C:\Program Files\Outlook Express\xunaj.dll (file missing)
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O2 - BHO: (no name) - {E9FCF511-46AF-0E22-DA26-30E671890A99} - C:\WINNT\system32\tsrlii.dll (file missing)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeFireTray] C:\PROGRA~1\NETWOR~1\MCAFEE~1\Firetray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PersApps\IPod\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Cwoa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\RACLE~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Startup: Webshots.lnk = D:\PersApps\Webshots\Launcher.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O15 - Trusted Zone: http://edrweb.franklintempleton.com (HKLM)
O15 - Trusted Zone: http://lmsprod.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://myworktools.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://psportaltest.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://sacsun98.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://sacsun99.noam.corp.frk.com (HKLM)
O15 - Trusted Zone: http://*.ftimarketing.com (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O15 - Trusted Zone: http://*.sacgiweb (HKLM)
O15 - Trusted Zone: http://*.sacr01giww1 (HKLM)
O15 - Trusted Zone: http://*.sacr01giww2 (HKLM)
O15 - Trusted Zone: http://*.stpgiweb (HKLM)
O15 - Trusted Zone: http://*.stpr01giww1 (HKLM)
O15 - Trusted Zone: http://*.stpr01giww2 (HKLM)
O15 - Trusted Zone: http://*.torr01fln01 (HKLM)
O15 - Trusted Zone: http://*.torr01fln07 (HKLM)
O15 - Trusted Zone: http://*.torr01fln08 (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noam.corp.frk.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.corp.frk.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: Crystal Query Server - Unknown owner - C:\PROGRA~1\SEAGAT~1\QUERYS~1\querysrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Franklin VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: BeyondLogic RmtExec Server (rexesvr) - http://www.beyondlogic.org - C:\WINNT\System32\rexesvr.exe
O23 - Service: Remote Task Manager Service (RTM) - Unknown owner - C:\WINNT\System32\rtmservice.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html
--
End of file - 8144 bytes
Malwarebytes' Anti-Malware 1.10
Database version: 594
Scan type: Quick Scan
Objects scanned: 48740
Time elapsed: 11 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7e412486-3c80-4dc0-996a-6076d4c67fd3} (Adware.TTC) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e412486-3c80-4dc0-996a-6076d4c67fd3} (Adware.TTC) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\dalix777444.dll (Adware.TTC) -> Quarantined and deleted successfully.
Looking forward to your next steps and cleaning my laptop of these annoying sounds and pop-ups, not to mention the performance factor.
#4
Posted 05 April 2008 - 09:21 PM
You do have a few things going on. I need you to look over all the O15 entries on your HJT log and add the ones you don't know to this list to be removed.
Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
O2 - BHO: 0 - {DC310461-CDB1-41DE-89BE-62CFF5C37945} - C:\Program Files\Outlook Express\xunaj.dll (file missing)
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O2 - BHO: (no name) - {E9FCF511-46AF-0E22-DA26-30E671890A99} - C:\WINNT\system32\tsrlii.dll (file missing)
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html
Please download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Outlook Express\cewuewu.html
C:\Program Files\Outlook Express\xunaj.dll
C:\WINNT\system32\vjnlnvr.dll
C:\WINNT\system32\tsrlii.dll
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
This tool needs to be run in Safe Mode for it to be effective.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
- Finally, paste the contents of Report.txt back on the forum with a new HijackThis log
Post the OTMoveIt log, the SDFix log and a new HJT log please
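The review the helper does by hand in the reply above (scanning the HijackThis log posted in #3 for BHOs marked "(file missing)", an unexpected HKCU Run entry, and O15 Trusted Zone hosts the user does not recognise) can be written down as a small triage script. The following is an added example for this thread, not code from HijackThis or from the forum; the trusted-zone suffix allowlist, the list of system binary names and the user-profile path markers are assumptions chosen to match this log (kernel.exe is on the list only because reply #6 identifies it as part of the SDBot worm). It also lists the HKCU Run entry that launches a services.exe from under My Documents, which the fix list in the reply above does not include.

```python
"""Triage a HijackThis v2 log: list the entries that deserve a second look.

Added example for this thread; not HijackThis's own code. The heuristics are
the ones the helper applied by hand in the replies, made explicit.
"""
import re
from typing import List, Tuple

# Constructed allowlist of "known" Trusted Zone suffixes, standing in for the
# O15 hosts the user is asked to recognise. Anything else is reported.
KNOWN_TRUSTED_SUFFIXES = (".noam.corp.frk.com", ".franklintempleton.com", "intranet")

# Binary names that belong in the system directory; one of them appearing
# elsewhere is a classic masquerade. kernel.exe is included because the
# thread identifies it as part of the SDBot worm (assumption otherwise).
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "csrss.exe", "smss.exe", "kernel.exe"}

# Markers of a user-profile location; autoruns from there are worth a look.
USER_PROFILE_MARKERS = ("documents and settings", "docume~1", "\\temp\\", "local settings")

# Sample lines excerpted from the HJT log posted in reply #3 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {e2c80ab6-85cb-4ac7-9e1d-06d211ee1ce8} - C:\WINNT\system32\vjnlnvr.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Cwoa] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\RACLE~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O15 - Trusted Zone: http://edrweb.franklintempleton.com (HKLM)
O15 - Trusted Zone: http://*.ftimarketing.com (HKLM)
O15 - Trusted Zone: http://*.intranet (HKLM)
O23 - Service: Remote Task Manager Service (RTM) - Unknown owner - C:\WINNT\System32\rtmservice.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\cewuewu.html
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First drive-letter path in an entry, quoted or not, ending in a common extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|html?|bat))"?', re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry worth manual review."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group(1), m.group(2)
        low = body.lower()
        if "(file missing)" in low:
            # Stale: the registry still references a file that is gone. Often
            # a leftover from a partial removal, but it still needs cleaning.
            findings.append((section, "registry entry points at a file that no longer exists", line))
            continue
        if section == "O2" and re.search(r"BHO: (\(no name\)|\d+) -", body):
            findings.append((section, "BHO with no readable name", line))
        elif section == "O4":
            pm = PATH_RE.search(body)
            path = pm.group(1) if pm else body.split("] ", 1)[-1]
            name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            in_profile = any(mk in path.lower() for mk in USER_PROFILE_MARKERS)
            in_sysdir = "\\system32\\" in path.lower()
            if in_profile:
                findings.append((section, "autorun launched from a user-profile path", line))
            elif name in SYSTEM_NAMES and not in_sysdir:
                findings.append((section, f"system binary name '{name}' outside the system directory", line))
        elif section == "O15":
            host = re.sub(r"^https?://", "", body.split("Trusted Zone: ", 1)[-1])
            host = host.split(" ", 1)[0].strip("*")
            if not any(host.endswith(s) for s in KNOWN_TRUSTED_SUFFIXES):
                findings.append((section, "Trusted Zone host not in the known list", line))
        elif section == "O24":
            findings.append((section, "Active Desktop component; confirm it was set deliberately", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as-is it prints six findings from the sample: the orphaned BHO and service entries, the two HKCU Run entries, the one O15 host outside the constructed allowlist, and the O24 desktop component. A "(file missing)" hit means only that the registry reference is stale, so the script reports it for cleanup rather than calling it malicious, and the O15 allowlist has to be filled in by someone who knows the environment, which is exactly what the reply asks the user to do.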
#5
Posted 10 May 2008 - 11:19 AM
#6
Posted 18 May 2008 - 07:34 PM
Sorry for the late reply, but with you not posting back in over a month your post fell off my list; I have you back now. We are one of the leading forums for the removal of malware and viruses, not for trying to infect your computer. Do you think that we would have you download any programs that are not safe?
Kernel.exe is part of the SDBot worm; it's not related to your company logo.
It's been over a month since you posted your HJT log and your system may have changed, so post a new HJT log please. If you're hesitant about proceeding with the cleaning you may want to consider taking your computer to a shop. Don't mean to seem stern, but we clean computers of the viruses and malware that people get; we do not infect them.
Ken
Edited by ken545, 19 May 2008 - 02:44 AM.
#7
Posted 31 May 2008 - 09:05 AM