
Troublesome Bugs

So here's the deal. I have multiple infections. This has been confirmed by AVG, TrojanRemover, MalwareBytes, SpyBot S&D, Ad-Aware, SUPERAntiSpyware, Panda ActiveScan, and HiJackThis, none of which could successfully remove the infections. (Though I have not tried with Panda ActiveScan or HiJackThis!... and the others temporarily remove any sign of infection, but it returns after system restart.)

Here are the most annoying symptoms.

1. Windows Firewall / Updater are being disabled. Within 30 minutes of enabling them they will be disabled again.

2. Browser pages won't fully load. Not every page does this... which I find odd. Most pages I try to load will load halfway on the progress bar... then continue to seem like they are loading, but no progress is made.

3. Browser opens new windows/tabs (IE/FF respectively). These new windows/tabs appear to be a blank page.


I read and followed the thread instructing me what to do before posting a HiJackThis! log. Below are the logs posted as replies.

Comments

  • edited August 2008
    Panda ActiveScan

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-08-22 12:59:02
    PROTECTIONS: 0
    MALWARE: 15
    SUSPECTS: 8
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[1].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atwola[2].txt
    00327373 Adware/ZapSpot Adware No 0 Yes No C:\Documents and Settings\HP_Administrator\Application Data\ZapSpot\System\Etc\P3OfrMgr.exe
    00327375 Adware/ZapSpot Adware No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP48\A0012487.exe
    00377802 Spyware/PeoplePC Spyware No 0 Yes No C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No M:\Start.exe
    03173496 Trj/Agent.JBN Virus/Trojan Yes 1 Yes No C:\Documents and Settings\HP_Administrator\lsass.exe
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP46\A0009480.exe
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP44\A0009449.exe
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP43\A0007235.exe
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP30\A0006159.exe
    03173496 Trj/Agent.JBN Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP27\A0005986.exe
    03274575 Generic Malware Virus/Trojan No 0 Yes No M:\finished downloads\comp programs\dvdripping\alcohol120%\alcohol120v1.9.5.3105trialpatchtsrh.zip[patch.exe]
    03429845 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\Program Files\Image-Line\Toxic Biohazard\Toxic Biohazard.dll
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP30\A0006152.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP23\A0005881.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\task32.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP48\A0012495.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP30\A0006171.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP31\A0006295.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP27\A0006040.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP20\A0004812.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP44\A0009466.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP13\A0003813.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP46\A0010458.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP47\A0011460.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP48\A0012460.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP21\A0005811.exe
    03463415 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP27\A0006029.exe
    03471854 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9SBCV5FY\kb65666[1]
    03471854 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\xoekhakk.exe
    03476746 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\bvbgtpvk.dll
    03476746 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\bsvselml.dll
    03477012 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP30\A0006162.dll
    03477012 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP30\A0006163.dll
    03491673 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\qoMdefcy.dll
    03491673 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\xxyvtRjg.dll
    03491673 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\cbXPgebA.dll
    03492453 Spyware/Vundo Spyware No 0 Yes No C:\WINDOWS\system32\srukwjff.dll.vir
    03492523 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\knaljnft.dll
    03492523 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\nwyybvfa.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\WINDOWS\system32\eMaxt02\eMaxt022328.exe
    No C:\Documents and Settings\HP_Administrator\index.exe
    No C:\Documents and Settings\HP_Administrator\service.exe
    No C:\hp\bin\KillIt.exe
    No C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll
    No C:\Program Files\PlayOnline\SquareEnix\TetraMaster\polboot.exe
    No C:\WINDOWS\system32\eMaxt02\eMaxt022328.exe
    No C:\WINDOWS\system32\ymvwfxxg.dll.vir
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    184380 MEDIUM MS08-002
    184379 MEDIUM MS08-001
    182048 HIGH MS07-069
    182046 HIGH MS07-067
    182043 HIGH MS07-064
    179553 HIGH MS07-061
    176382 HIGH MS07-057
    176383 HIGH MS07-058
    170911 HIGH MS07-050
    170907 HIGH MS07-046
    170906 HIGH MS07-045
    170904 HIGH MS07-043
    164915 HIGH MS07-035
    164913 HIGH MS07-033
    164911 HIGH MS07-031
    160623 HIGH MS07-027
    157262 HIGH MS07-022
    157261 HIGH MS07-021
    157260 HIGH MS07-020
    157259 HIGH MS07-019
    156477 HIGH MS07-017
    150253 HIGH MS07-016
    150249 HIGH MS07-013
    150248 HIGH MS07-012
    150247 HIGH MS07-011
    150243 HIGH MS07-008
    150242 HIGH MS07-007
    150241 MEDIUM MS07-006
    141034 HIGH MS06-076
    141033 MEDIUM MS06-075
    141030 HIGH MS06-072
    137571 HIGH MS06-070
    137568 HIGH MS06-067
    133387 MEDIUM MS06-065
    133386 MEDIUM MS06-064
    133385 MEDIUM MS06-063
    133379 HIGH MS06-057
    131654 HIGH MS06-055
    129977 MEDIUM MS06-053
    129976 MEDIUM MS06-052
    126093 HIGH MS06-051
    126092 MEDIUM MS06-050
    126087 HIGH MS06-046
    126086 MEDIUM MS06-045
    126083 HIGH MS06-042
    126082 HIGH MS06-041
    126081 HIGH MS06-040
    123421 HIGH MS06-036
    123420 HIGH MS06-035
    120825 MEDIUM MS06-032
    120823 MEDIUM MS06-030
    120818 HIGH MS06-025
    120815 HIGH MS06-022
    120814 HIGH MS06-021
    117384 MEDIUM MS06-018
    114666 HIGH MS06-015
    114664 HIGH MS06-013
    108744 MEDIUM MS06-008
    108743 MEDIUM MS06-007
    108742 MEDIUM MS06-006
    93454 MEDIUM MS05-049
    ;===================================================================================================================================================================================
  • edited August 2008
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:56 PM, on 8/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Startup Faster\sfagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\HP_Administrator\lsass.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
    O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
    O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\HP_Administrator\lsass.exe
    O4 - HKLM\..\Run: [BM76019ae1] Rundll32.exe "C:\WINDOWS\system32\dspljjdm.dll",s
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Startup: StartupFaster
    O4 - Global Startup: StartupFaster
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Rapidown - {57E91B47-F40A-11D1-B792-444553540011} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

    --
    End of file - 7964 bytes
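Added example, not part of the poster's thread and not code from HijackThis or Panda: a small Python triage script that applies the checks a log reviewer makes by hand when reading a HijackThis log, run over a handful of lines copied from the log above. It flags a core Windows process name (such as lsass.exe) running from a directory other than its normal one, an autorun entry whose target lives inside a user profile, and rundll32 loading a DLL with a random-looking eight-letter name. The directory table, the eight-letter heuristic and all function names are assumptions made for this example; the script only reports, it changes nothing on the machine.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the forum post)."""
import re
from collections import defaultdict

# Core Windows processes and the directory each normally lives in (assumption for
# this example; paths are lowercased and stripped of the drive letter).
CORE_PROCESS_DIRS = {
    "smss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}

# "O4 - <hive>: [<name>] <command>" is the autorun line shape HijackThis emits.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.+?)\] (?P<command>.+)$")
# Heuristic: eight lowercase letters followed by .dll, the shape of the Vundo DLL names in the log.
RANDOM_DLL_RE = re.compile(r"\\([a-z]{8})\.dll", re.IGNORECASE)


def _norm(path):
    """Lowercase, strip surrounding quotes and drop the drive letter for comparison."""
    p = path.strip().strip('"').lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def _dirname_basename(path):
    p = _norm(path)
    idx = p.rfind("\\")
    return (p[:idx], p[idx + 1:]) if idx >= 0 else ("", p)


def command_target(command):
    """Return the program an O4 command launches, dropping its arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted paths may contain spaces, so take everything up to the first ".exe".
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def flag_path(path):
    """Reasons this executable path deserves a second look (empty list = nothing odd)."""
    reasons = []
    d, base = _dirname_basename(path)
    expected = CORE_PROCESS_DIRS.get(base)
    if expected is not None and d != expected:
        reasons.append(f"{base} running from {d or '(no dir)'} instead of {expected}")
    if d.startswith("\\documents and settings\\"):
        reasons.append("executable lives inside a user profile")
    return reasons


def triage_running_processes(lines):
    """Flag suspicious process paths and any basename seen in more than one directory."""
    findings = []
    seen = defaultdict(set)
    for line in lines:
        d, base = _dirname_basename(line)
        seen[base].add(d)
        for reason in flag_path(line):
            findings.append((line.strip(), reason))
    for base, dirs in seen.items():
        if len(dirs) > 1:
            findings.append((base, "same name in several directories: " + ", ".join(sorted(dirs))))
    return findings


def triage_o4(lines):
    """Flag O4 autorun entries by target path, plus rundll32 loading a random-looking DLL."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        command = m.group("command")
        target = command_target(command)
        reasons = flag_path(target)
        _, base = _dirname_basename(target)
        if base == "rundll32.exe" and RANDOM_DLL_RE.search(command):
            reasons.append("rundll32 loads a DLL with a random-looking 8-letter name")
        for reason in reasons:
            findings.append((m.group("name"), reason))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Documents and Settings\HP_Administrator\lsass.exe",
    r"C:\WINDOWS\explorer.exe",
]
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP',
    r"O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\HP_Administrator\lsass.exe",
    r'O4 - HKLM\..\Run: [BM76019ae1] Rundll32.exe "C:\WINDOWS\system32\dspljjdm.dll",s',
]

if __name__ == "__main__":
    for item, reason in triage_running_processes(SAMPLE_PROCESSES) + triage_o4(SAMPLE_O4):
        print(f"{item}: {reason}")
```

On the sample lines the script reports the user-profile lsass.exe twice (wrong directory, user profile), notes that lsass.exe appears in two directories, and flags the BM76019ae1 rundll32 entry; the two System32 svchost.exe lines collapse to one directory after lowercasing and are not reported.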