"Virus Alert!" in Task Bar + fake warnings

[neilalderson]

Hi guys,

I stupidly fell into a trap of downloading what looked like a Flash update but was in fact a package of a whole heap of nasties! The first noticable symptom is "Virus Alert!" appearing in the Task Bar by the Date/Time. This phrase seems to pop up alongside ANY System DateTime being displayed. Also I think my desktop has been hijacked as it changes colour and turns white. A load of restrictions have been put on any account I log into, can't run Task Manager, open Explorer, many Start menu items have been removed. On top of this there are a load of Fake Windows Alerts popping up telling me I need to download Anti Virus software, which then link to some dodgy website. Ran AdAware but it didn't help and ran my McAfee On-Demand scan, which also hasn't found much (just a few trojan files which were deleted but reappear on reboot).

I have attached my HijackThis log, if someone could show me which items can be fixed and address any of the other issues I'd be eternally grateful!

Thanks,
Neil

 

[neilalderson]

Not sure if my attachment worked so pasting the log in plain view for easier access for you.

Cheers,
Neil

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13: VIRUS ALERT!, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fortifw.exe
C:\Program Files\Fortinet\FortiClient\FCMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\OmniBack\bin\OmniInet.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\program files\timbuktu pro\tb2logon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Kontiki\KHost.exe
C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE
C:\WINDOWS\system32\lphc50oj0erfe.exe
C:\Windows\system32\YURB1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com
O1 - Hosts: 172.23.81.75 fxtwiki.felixstowe.actaris.com fxtwiki
O1 - Hosts: 172.23.80.139 fxebdcrms # for Vantage share
O1 - Hosts: 172.23.49.8 teamtrack.dtc.actaris.com # team track
O1 - Hosts: 172.23.80.138 www.felixstowe.actaris.com www # intranet
O1 - Hosts: 172.23.81.4 fx003 # Appsight License Server
O1 - Hosts: 172.23.80.248 fx1427s # Appsight Server
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\WINDOWS\dfmlxbpkbkl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [lphc50oj0erfe] C:\WINDOWS\system32\lphc50oj0erfe.exe
O4 - HKLM\..\Run: [\YURD5.exe] C:\Windows\system32\YURD5.exe
O4 - HKLM\..\Run: [\YURD6.exe] C:\Windows\system32\YURD6.exe
O4 - HKLM\..\Run: [\YURD7.exe] C:\Windows\system32\YURD7.exe
O4 - HKLM\..\Run: [\YURD8.exe] C:\Windows\system32\YURD8.exe
O4 - HKLM\..\Run: [\YUR72.exe] C:\Windows\system32\YUR72.exe
O4 - HKLM\..\Run: [\YUR73.exe] C:\Windows\system32\YUR73.exe
O4 - HKLM\..\Run: [\YUR76.exe] C:\Windows\system32\YUR76.exe
O4 - HKLM\..\Run: [\YURB0.exe] C:\Windows\system32\YURB0.exe
O4 - HKLM\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
O4 - HKLM\..\Run: [\YURB3.exe] C:\Windows\system32\YURB3.exe
O4 - HKLM\..\Run: [\YURB4.exe] C:\Windows\system32\YURB4.exe
O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKLM\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
O4 - HKCU\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
O4 - HKLM\..\Policies\Explorer\Run: [mC85vZsMwb] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\windfr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0533AC04-11E3-48CA-A167-40D782C6BD1C} (FileTransferControl Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/FileTransfer2.cab
O16 - DPF: {493EBD8D-8D67-4A2D-8CF9-B8FC992DCFF6} (ProcessViewer Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/ProcessViewer.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pdm.dtc.actaris.com/Advitium/ActiveX/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: rwlfsdmk - {E8ACF29E-CF02-4B6C-83B3-136B1F15A7CE} - C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: onfwbsak - {15E4D4B5-A7D1-4541-9220-FC5EAFC15054} - C:\WINDOWS\onfwbsak.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atria Location Broker (Albd) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\albd_server.exe
O23 - Service: AppSight Install Service (AppSightInstallService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
O23 - Service: AppSight Server (ApsSrvService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\ApsSrv.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
O23 - Service: Atria Cred Manager (cccredmgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Atria Lock Manager (LockMgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Data Protector Inet (OmniInet) - Hewlett-Packard - C:\Program Files\OmniBack\bin\OmniInet.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Vantage Comms Server - Actaris - C:\Program Files\Actaris\Vantage Comms Server\Actaris.Vantage.CommsServer.exe
O23 - Service: Vantage Schedule Processor - Actaris - C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13811 bytes