Malware or virus

View previous topic View next topic Go down

Malware or virus

Post by zhengs on 29th March 2009, 4:47 pm

Hi, I have a virus or malware. Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:41 AM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\N1\N1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Zheng n\Desktop\Hijack(GP)This.exe

O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 [You must be registered and logged in to see this link.]
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QWProtectBHO - {2182220D-AA70-4764-B4E6-1F5BBA322C9C} - C:\Documents and Settings\All Users\Application Data\N1\QWProtect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [Drive] C:\Documents and Settings\All Users\Application Data\N1\N1i.exe
O4 - HKLM\..\RunOnce: [NSSInstallation] C:\WINDOWS\system32\Adobe\Shockwave 11\nssstub.exe /RunOnce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5956 bytes

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 4:53 pm

Hello.

Download HostsXpert from [You must be registered and logged in to see this link.]

  • Unzip it and start the program.
  • If "Make writeable?" is shown in red at the top, click it to make writeable.
  • Press "Restore MS Hosts File"
  • OK the prompt.
  • Then click on "Make read only"
  • Exit HostXpert.

Lets see if we can find what's causing the problem.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: QWProtectBHO - {2182220D-AA70-4764-B4E6-1F5BBA322C9C} - C:\Documents and Settings\All Users\Application Data\N1\QWProtect.dll
    O4 - HKLM\..\Run: [Drive] C:\Documents and Settings\All Users\Application Data\N1\N1i.exe
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm


  • Press "Fix Checked"
  • Close Hijack This.

You aren't running Anti Virus Software

This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 6:36 pm

Downloading Avira takes too long.....4 hours.

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 6:39 pm

Do you have a dial-up connection? because this system is wide open to an attack. No AV, very old version of Java, and malware is already on the system. If you don't get an AV running soon, it's all downhill from here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 6:40 pm

nope, no dial-up connection

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 6:43 pm

Hello.
What's your download speed normally then? the site seems quite fast now for me, so the server isn't lagging your download speed.
It shouldn't take 4hrs to download 25-50mb. LMBO or ROFL


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 6:45 pm

It seems that the malware or virus is slowing my connection down alot.

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 6:48 pm

Hello.
Is your connection via wireless? becuase that's probably the problem.
If your not on LAN, you might not get your full download speed.

Where are you from the main router? the closer you are the better your speed will be, signal strenghts are only so strong.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 6:50 pm

ya i'm wireless

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 6:54 pm

Go sit next to the router, your speed should pick up. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 7:10 pm

no it wont....plus i'm using cable at cousin's house.

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 7:14 pm

Is there any connection to the router that is on LAN and not wireless?
Download Avira on LAN then transfer it over to your machine via a USB stick. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Malware or virus

Post by zhengs on 29th March 2009, 7:19 pm

don't have a LAN

zhengs
Senior
Senior

Posts Posts : 228
Joined Joined : 2009-01-02
Gender Gender : Male
OS OS : Windows Vista
Points Points : 30505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or virus

Post by Belahzur on 29th March 2009, 7:27 pm

Okay, stop the download if it's taking too long.
Lets beat the malware first before we get an AV on board.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :files
    C:\Documents and Settings\All Users\Application Data\N1


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum