virus/spyware/trojan or malware you are infected with

View previous topic View next topic Go down

virus/spyware/trojan or malware you are infected with

Post by Angelbabyblue49 on 22nd November 2009, 2:07 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:56 PM, on 11/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sarah\Desktop\winlogon.scr
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 [You must be registered and logged in to see this link.]
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 88.198.198.202 google.ae
O1 - Hosts: 88.198.198.202 google.as
O1 - Hosts: 88.198.198.202 google.at
O1 - Hosts: 88.198.198.202 google.az
O1 - Hosts: 88.198.198.202 google.ba
O1 - Hosts: 88.198.198.202 google.be
O1 - Hosts: 88.198.198.202 google.bg
O1 - Hosts: 88.198.198.202 google.bs
O1 - Hosts: 88.198.198.202 google.ca
O1 - Hosts: 88.198.198.202 google.cd
O1 - Hosts: 88.198.198.202 google.com.gh
O1 - Hosts: 88.198.198.202 google.com.hk
O1 - Hosts: 88.198.198.202 google.com.jm
O1 - Hosts: 88.198.198.202 google.com.mx
O1 - Hosts: 88.198.198.202 google.com.my
O1 - Hosts: 88.198.198.202 google.com.na
O1 - Hosts: 88.198.198.202 google.com.nf
O1 - Hosts: 88.198.198.202 google.com.ng
O1 - Hosts: 88.198.198.202 google.ch
O1 - Hosts: 88.198.198.202 google.com.np
O1 - Hosts: 88.198.198.202 google.com.pr
O1 - Hosts: 88.198.198.202 google.com.qa
O1 - Hosts: 88.198.198.202 google.com.sg
O1 - Hosts: 88.198.198.202 google.com.tj
O1 - Hosts: 88.198.198.202 google.com.tw
O1 - Hosts: 88.198.198.202 google.dj
O1 - Hosts: 88.198.198.202 google.de
O1 - Hosts: 88.198.198.202 google.dk
O1 - Hosts: 88.198.198.202 google.dm
O1 - Hosts: 88.198.198.202 google.ee
O1 - Hosts: 88.198.198.202 google.fi
O1 - Hosts: 88.198.198.202 google.fm
O1 - Hosts: 88.198.198.202 google.fr
O1 - Hosts: 88.198.198.202 google.ge
O1 - Hosts: 88.198.198.202 google.gg
O1 - Hosts: 88.198.198.202 google.gm
O1 - Hosts: 88.198.198.202 google.gr
O1 - Hosts: 88.198.198.202 google.ht
O1 - Hosts: 88.198.198.202 google.ie
O1 - Hosts: 88.198.198.202 google.im
O1 - Hosts: 88.198.198.202 google.in
O1 - Hosts: 88.198.198.202 google.it
O1 - Hosts: 88.198.198.202 google.ki
O1 - Hosts: 88.198.198.202 google.la
O1 - Hosts: 88.198.198.202 google.li
O1 - Hosts: 88.198.198.202 google.lv
O1 - Hosts: 88.198.198.202 google.ma
O1 - Hosts: 88.198.198.202 google.ms
O1 - Hosts: 88.198.198.202 google.mu
O1 - Hosts: 88.198.198.202 google.mw
O1 - Hosts: 88.198.198.202 google.nl
O1 - Hosts: 88.198.198.202 google.no
O1 - Hosts: 88.198.198.202 google.nr
O1 - Hosts: 88.198.198.202 google.nu
O1 - Hosts: 88.198.198.202 google.pl
O1 - Hosts: 88.198.198.202 google.pn
O1 - Hosts: 88.198.198.202 google.pt
O1 - Hosts: 88.198.198.202 google.ro
O1 - Hosts: 88.198.198.202 google.ru
O1 - Hosts: 88.198.198.202 google.rw
O1 - Hosts: 88.198.198.202 google.sc
O1 - Hosts: 88.198.198.202 google.se
O1 - Hosts: 88.198.198.202 google.sh
O1 - Hosts: 88.198.198.202 google.si
O1 - Hosts: 88.198.198.202 google.sm
O1 - Hosts: 88.198.198.202 google.sn
O1 - Hosts: 88.198.198.202 google.st
O1 - Hosts: 88.198.198.202 google.tl
O1 - Hosts: 88.198.198.202 google.tm
O1 - Hosts: 88.198.198.202 google.tt
O1 - Hosts: 88.198.198.202 google.us
O1 - Hosts: 88.198.198.202 google.vu
O1 - Hosts: 88.198.198.202 google.ws
O1 - Hosts: 88.198.198.202 google.co.ck
O1 - Hosts: 88.198.198.202 google.co.id
O1 - Hosts: 88.198.198.202 google.co.il
O1 - Hosts: 88.198.198.202 google.co.in
O1 - Hosts: 88.198.198.202 google.co.jp
O1 - Hosts: 88.198.198.202 google.co.kr
O1 - Hosts: 88.198.198.202 google.co.ls
O1 - Hosts: 88.198.198.202 google.co.ma
O1 - Hosts: 88.198.198.202 google.co.nz
O1 - Hosts: 88.198.198.202 google.co.tz
O1 - Hosts: 88.198.198.202 google.co.ug
O1 - Hosts: 88.198.198.202 google.co.uk
O1 - Hosts: 88.198.198.202 google.co.za
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\jqw0fkxyw.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jqw0fkxyw.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [26581931] C:\DOCUME~1\ALLUSE~1\APPLIC~1\26581931\26581931.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld15.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [08502621] C:\DOCUME~1\ALLUSE~1\APPLIC~1\08502621\08502621.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKLM\..\Run: [SySmstray] C:\windows\mstre24.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [WinsysMon] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\GoogleUpdate.exe
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\6c65d\WSa9b.exe" /s /d
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [A00F2E41C.exe] C:\DOCUME~1\Sarah\LOCALS~1\Temp\_A00F2E41C.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Sarah\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Sarah\LOCALS~1\Temp\drweb.exe
O4 - HKUS\S-1-5-19\..\Run: [nopititiwe] Rundll32.exe "C:\WINDOWS\system32\tomewope.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [nopititiwe] Rundll32.exe "C:\WINDOWS\system32\tomewope.dll",s (User '?')
O4 - HKUS\S-1-5-21-299502267-1580818891-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-299502267-1580818891-839522115-1003\..\Run: [A00F2E41C.exe] C:\DOCUME~1\Sarah\LOCALS~1\Temp\_A00F2E41C.exe (User '?')
O4 - HKUS\S-1-5-21-299502267-1580818891-839522115-1003\..\Run: [calc] rundll32.exe C:\DOCUME~1\Sarah\ntuser.dll,_IWMPEvents@0 (User '?')
O4 - HKUS\S-1-5-21-299502267-1580818891-839522115-1003\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Sarah\LOCALS~1\Temp\drweb.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [A00F9B2D9.exe] C:\WINDOWS\TEMP\_A00F9B2D9.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [A00F9B2D9.exe] C:\WINDOWS\TEMP\_A00F9B2D9.exe (User 'Default user')
O4 - S-1-5-21-299502267-1580818891-839522115-1003 Startup: scandisk.dll (User '?')
O4 - S-1-5-21-299502267-1580818891-839522115-1003 Startup: scandisk.lnk = ? (User '?')
O4 - S-1-5-18 Startup: scandisk.dll (User '?')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User '?')
O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - [You must be registered and logged in to see this link.]
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} (AxLoaderPassword Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: karna.dat qdmscg.dll C:\WINDOWS\system32\yetevato.dll c:\windows\system32\juzusiwe.dll c:\windows\system32\bebewute.dll c:\windows\system32\jahanane.dll c:\windows\system32\pofipinu.dll,C:\DOCUME~1\Sarah\LOCALS~1\Temp\411631kou.dll
O20 - Winlogon Notify: __c008CF90 - C:\WINDOWS\system32\__c008CF90.dat
O21 - SSODL: apiapl - {3F17C9F7-AF42-CFA9-E65E-012D444D2324} - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pofipinu.dll (file missing)
O21 - SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pofipinu.dll (file missing)
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\jqw0fkxyw.dll
O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)

--
End of file - 13250 bytes

Angelbabyblue49
Beginner
Beginner

Posts Posts : 1
Joined Joined : 2009-11-22
OS OS : windows xp
Points Points : 25743
# Likes # Likes : 0

View user profile

Back to top Go down

Re: virus/spyware/trojan or malware you are infected with

Post by Belahzur on 22nd November 2009, 2:09 am

Hello.

Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't suprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum