Help me please I either have a virus or I have been Hijacked

Post by ree30ree on 7th October 2009, 8:06 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:16 PM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\windows\mstre22.exe
C:\windows\pp12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
c:\windows\freddy68.exe
C:\Documents and Settings\Jodie\My Documents\Downloads\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld15.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy68.exe
O4 - HKLM\..\Run: [SySmstray] C:\windows\mstre22.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Internet Explorer (2).lnk = ?
O4 - Startup: Internet Explorer.lnk = ?
O4 - Startup: MSN.lnk = C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
O4 - Startup: My Computer (2).lnk = ?
O4 - Startup: My Computer (3).lnk = ?
O4 - Startup: My Computer.lnk = ?
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Windows Messenger.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3017 bytes

Re: Help me please I either have a virus or I have been Hijacked

Post by Belahzur on 7th October 2009, 8:22 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld15.exe
    O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy68.exe
    O4 - HKLM\..\Run: [SySmstray] C:\windows\mstre22.exe
    O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
    O4 - Startup: Internet Explorer (2).lnk = ?
    O4 - Startup: Internet Explorer.lnk = ?
    O4 - Startup: My Computer (2).lnk = ?
    O4 - Startup: My Computer (3).lnk = ?
    O4 - Startup: My Computer.lnk = ?


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Re: Help me please I either have a virus or I have been Hijacked

Post by ree30ree on 7th October 2009, 8:49 pm

Malwarebytes' Anti-Malware 1.41
Database version: 2922
Windows 5.1.2600 Service Pack 3

10/7/2009 4:48:00 PM
mbam-log-2009-10-07 (16-48-00).txt

Scan type: Quick Scan
Objects scanned: 84353
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\fio32.dll (Worm.Koobface) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fioo32 (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fioo32 (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fioo32 (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fio32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIO32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIOO32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fio32.dll (Worm.Koobface) -> Delete on reboot.
C:\Documents and Settings\Jodie\My Documents\downloads\setup(2).exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\My Documents\downloads\setup(3).exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\My Documents\downloads\WebfettiSetup2.3.50.56.SA.HP.ZKfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\fio32.sys (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\QRSBUDWX\pp[1].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\QRSBUDWX\pp[2].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\QRSBUDWX\v2prx[1].exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\QRSBUDWX\fb[1].67.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\W9IF49I7\ff2ie[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\W9IF49I7\pp[1].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\W9IF49I7\v2prx[1].exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\Y16VCL2B\pp[1].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\Y16VCL2B\get[1].exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\YZ01234N\v2prx[1].exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\YZ01234N\pp[1].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\YZ01234N\pp[2].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\YZ01234N\pp[3].12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\Local Settings\Temporary Internet Files\Content.IE5\YZ01234N\ms[1].22.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\pp12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy67.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\ld15.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mstre22.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254774253.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254848593.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254849765.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254849762.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254945312.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254946401.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\rdr_1254947461.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146116101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465050.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465554.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465654.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy68.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\mmsmark2.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

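Added example, not part of any post in this thread: a Python sketch that cross-references the HijackThis autorun (O4 Run) and running-process lines with the MBAM "Files Infected" entries, using lines excerpted from the two logs above. The function and key names are chosen for this example, and paths are compared case-insensitively as written in the logs.

```python
import re
from ntpath import normcase  # Windows path rules on any OS: case-insensitive
# Lines excerpted from the HijackThis and MBAM logs posted in this thread.
HJT = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\windows\mstre22.exe
c:\windows\freddy68.exe
C:\Documents and Settings\Jodie\My Documents\Downloads\winlogon.scr
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld15.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy68.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
MBAM = r"""
C:\WINDOWS\ld15.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mstre22.exe (Trojan.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy68.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jodie\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (?:"([^"]+)".*|(.+))$')
HIT_RE = re.compile(r'^([A-Za-z]:\\.+) \(([^()]+)\) -> (.+)$')
PATH_RE = re.compile(r'^[A-Za-z]:\\')

def parse_hjt(text):
    """Return (running process paths, [(value name, path)]) from HijackThis."""
    running, autoruns = [], []
    for line in map(str.strip, text.splitlines()):
        m = RUN_RE.match(line)
        if m:  # quoted paths may carry arguments; unquoted ones are kept whole
            autoruns.append((m.group(2), m.group(3) or m.group(4)))
        elif PATH_RE.match(line):
            running.append(line)
    return running, autoruns

def parse_mbam(text):
    """Map normalised file path -> detection name (registry hits are skipped)."""
    hits = (HIT_RE.match(l.strip()) for l in text.splitlines())
    return {normcase(m.group(1)): m.group(2) for m in hits if m}

def correlate(hjt_text, mbam_text):
    """Split autoruns and running processes by whether MBAM flagged the file."""
    (running, autoruns), hits = parse_hjt(hjt_text), parse_mbam(mbam_text)
    return {
        "autoruns_flagged": [(n, hits[normcase(p)]) for n, p in autoruns if normcase(p) in hits],
        "autoruns_unflagged": [n for n, p in autoruns if normcase(p) not in hits],
        "running_flagged": [(p, hits[normcase(p)]) for p in running if normcase(p) in hits],
    }

if __name__ == "__main__":
    print(correlate(HJT, MBAM))
```

An entry in `autoruns_unflagged` only means this one scan did not name the file; it still needs a manual look.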

Re: Help me please I either have a virus or I have been Hijacked

Post by Belahzur on 8th October 2009, 12:19 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.

