
WebBuying malware resistant to removal

Discussion in 'Virus & Other Malware Removal' started by ime, Jul 17, 2007.

  1. ime

    ime Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    5
    Nearly a week ago, my Windows XP Home computer was apparently infected with some malware. AVG and Defender each found problems during their respective scans, and each claimed that it had fixed the problem. Since then, there have been persistent symptoms. The most obvious is pop-ups of Internet Explorer instances with ads or their own malware (a secondary infection by Outerinfo was apparently introduced this way). Minor items were that Windows Update stopped running (apparently the "Genuine Advantage" tool was corrupted or removed), Internet Explorer gets re-created despite being renamed, and odd processes often show up in the process table ("xtiraqib.exe" was one such process).

    The original infection was probably a java exploit; I saw a java console process show up about the time this all started. But its persistence seems more likely to be ActiveX-based, going on the fact that all the pop-ups have been IE windows, and that Genuine Advantage, an intentional ActiveX abuse, stopped working.

    I don't see anything in the HijackThis log, pasted inline at the bottom of this page, so I've also run a WinPFind3u scan, which I'm attaching.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:03:32 PM, on 7/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\WinPFind3u\WinPFind3U.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\TTERMPRO\ttermpro.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\Install\VS80sp1-KB926747-X86-INTL.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nnwlxwtl.dll",forkonce
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168915243774
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D588CCAA-1333-4538-901D-98B636BDD664}: NameServer = 198.7.0.1,198.7.0.2
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    --
    End of file - 5137 bytes
     


  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download the Trial version of Superantispyware Pro (SAS):
    http://www.superantispyware.com/superantispyware.html?rid=3132


    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new Hijack This log.
     
  3. ime

    ime Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    5
    SAS found a lot...

    I paste below logs for two runs of SAS, and then a current HTS log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/18/2007 at 04:40 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 02:13:26

    Memory items scanned : 392
    Memory threats detected : 2
    Registry items scanned : 5913
    Registry threats detected : 34
    File items scanned : 38071
    File threats detected : 130

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\PMNLJ.DLL
    C:\WINDOWS\SYSTEM32\PMNLJ.DLL
    HKLM\Software\Classes\CLSID\{B565949E-EF71-447A-A35C-21A383534977}
    HKCR\CLSID\{B565949E-EF71-447A-A35C-21A383534977}
    HKCR\CLSID\{B565949E-EF71-447A-A35C-21A383534977}\InprocServer32
    HKCR\CLSID\{B565949E-EF71-447A-A35C-21A383534977}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B565949E-EF71-447A-A35C-21A383534977}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pmnlj

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\KHFDBCA.DLL
    C:\WINDOWS\SYSTEM32\KHFDBCA.DLL

    Adware.ClickSpring/Outer Info Network
    HKLM\Software\Classes\CLSID\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32#ThreadingModel
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\Programmable
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\TypeLib
    C:\PROGRAM FILES\OUTERINFO\OUTERINFO.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\UMBYKJMR.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKCR\CLSID\{DC192567-65F9-4AB6-ADB7-E13575F81726}

    Trojan.Downloader-WebBuying/PopEngine
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf8bb6b7-04c7-4165-84b0-1c0194a9d892}
    HKCR\CLSID\{CF8BB6B7-04C7-4165-84B0-1C0194A9D892}
    HKCR\CLSID\{CF8BB6B7-04C7-4165-84B0-1C0194A9D892}\InprocServer32
    HKCR\CLSID\{CF8BB6B7-04C7-4165-84B0-1C0194A9D892}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GKRJEVP.DLL

    Trojan.Downloader-Gen/HitItQuitIt
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfdbca
    C:\WINDOWS\SYSTEM32\LJJKKHH.DLL

    Adware.Tracking Cookie

    Adware.ClickSpring
    HKLM\Software\ClickSpring
    HKLM\Software\ClickSpring#UBWKR

    Adware.Web Buying
    HKU\S-1-5-21-574683053-1643674284-449089951-1005\Software\WebBuying

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\DOCUMENTS AND SETTINGS\A\LOCAL SETTINGS\TEMP\WINANTISPYWARE2007FREEINSTALL.EXE

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\FIFOED\A0191474.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP834\A0194176.EXE

    Trojan.Downloader-ClickSpring/NDrv
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\FIFOED\A0191477.DLL

    Adware.WebBuying Assistant-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP826\A0192493.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP826\A0192494.EXE

    Trojan.ZQuest
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP838\A0197571.DLL




    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/18/2007 at 10:42 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 04:49:01

    Memory items scanned : 381
    Memory threats detected : 0
    Registry items scanned : 5909
    Registry threats detected : 0
    File items scanned : 88771
    File threats detected : 3

    Trojan.Downloader-WebBuying/PopEngine
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP839\A0202571.DLL

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP839\A0202572.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9019C9ED-B07A-49D2-881F-1AEF2AB0CC2F}\RP839\A0202575.DLL




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:26:22 AM, on 7/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {391A3A81-8A3F-89CB-1A13-898DCA53849F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {A7A0201A-6650-40A4-888F-C206D3486C2D} - C:\Program Files\MSN Gaming Zone\hokew83122.dll (file missing)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nnwlxwtl.dll",forkonce
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168915243774
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D588CCAA-1333-4538-901D-98B636BDD664}: NameServer = 198.7.0.1,198.7.0.2
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    --
    End of file - 5434 bytes
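    The HijackThis log above carries the two kinds of entries this thread turns on: an O4 Run value (named icq.com) that has rundll32 load a random-named DLL from system32, and O2 BHO registrations whose file is gone. Below is an added example, not part of the thread or of HijackThis, that parses such O2/O4/O20 lines and scores them with a few defender-side heuristics; the heuristics, their weights and the sample lines are assumptions constructed for this example.

```python
# Added example for this thread, not code from the thread or from HijackThis.
# Parses O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines and scores them
# with assumed heuristics. A flag means "look closer", not "infected".
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on lines posted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {391A3A81-8A3F-89CB-1A13-898DCA53849F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A7A0201A-6650-40A4-888F-C206D3486C2D} - C:\Program Files\MSN Gaming Zone\hokew83122.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nnwlxwtl.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

LINE_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
SECTION_RE = {  # per-section field layouts, written from the lines in this thread
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<file>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<file>.*)$"),
}
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
FIRST_TOKEN_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

def parse_hjt(text):
    """Return one dict per O2/O4/O20 line; other HJT sections are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m.group("kind") not in SECTION_RE:
            continue
        fields = SECTION_RE[m.group("kind")].match(m.group("body"))
        if fields:
            entries.append({"kind": m.group("kind"), "line": line, **fields.groupdict()})
    return entries

def launched_file(cmd):
    """Split an O4 command line into (path, loaded_via_rundll32)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip(), True
    m = FIRST_TOKEN_RE.match(cmd)
    if not m:
        return "", False
    return (m.group("q") or m.group("u")), False

def looks_random(stem):
    """Assumed heuristic: all-lowercase, 5+ letters, fewer than one vowel in five.
    Legitimate names trip it too (e.g. msnmsgr), so it is only ever one vote."""
    if stem != stem.lower() or not stem.isalpha() or len(stem) < 5:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.2

def shares_substring(a, b, n=3):
    """True when the two strings share any n-character run (case and punctuation folded)."""
    a = re.sub(r"[^a-z0-9]", "", a.lower())
    b = re.sub(r"[^a-z0-9]", "", b.lower())
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))

def assess(entry):
    """Return (score, reasons); the weights are assumptions chosen for this example."""
    reasons = []
    if entry["kind"] == "O2":
        if entry["file"].endswith(("(no file)", "(file missing)")):
            reasons.append((2, "BHO registration points at a file that is gone"))
        elif entry["name"] == "(no name)":
            reasons.append((1, "unnamed BHO with a file on disk: identify the vendor"))
    elif entry["kind"] == "O4":
        path, via_rundll = launched_file(entry["cmd"])
        stem = PureWindowsPath(path).stem
        if via_rundll and SYSTEM32_RE.match(path):
            reasons.append((1, "rundll32 loads a DLL straight from system32"))
        if looks_random(stem):
            reasons.append((1, "launched file has a random-looking name"))
        if not shares_substring(entry["name"], stem):
            reasons.append((1, "Run value name does not match the launched file"))
    elif entry["kind"] == "O20":
        reasons.append((1, "third-party Winlogon Notify DLL: confirm the vendor"))
    return sum(w for w, _ in reasons), [why for _, why in reasons]

def triage(text, threshold=2):
    """Map each HJT line scoring at least `threshold` to its reasons, in log order."""
    flagged = {}
    for entry in parse_hjt(text):
        score, reasons = assess(entry)
        if score >= threshold:
            flagged[entry["line"]] = reasons
    return flagged

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

    On the sample, the icq.com entry collects all three O4 votes while the AVG, Java and SUPERAntiSpyware entries score zero or one, which is the point: a single heuristic on its own is noisy, and the name-mismatch check alone would flag legitimate values such as Windows Defender.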
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Can I also see a new WinPFind log? (attached)
     
  5. ime

    ime Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    5
    OK, I'll attach it here.

    I've observed no symptoms since the second SAS run completed.
     


  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    Copy and paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.
    Then reboot and post a new HijackThis log please.

     
  7. ime

    ime Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    5
    WinPFind3U is still running, having accumulated over 20 hours of CPU time and over a billion (10^9) page faults. According to your .sig, you're on holiday for a few days, so I don't expect a response until Tuesday, but I'm probably going to kill the task.
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Try running it in Safe Mode
     
  9. ime

    ime Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    5
    It wouldn't run to completion in Safe Mode either.

    There is a line in the original HijackThis log:

    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nnwlxwtl.dll",forkonce

    which was probably an infection; I don't have ICQ installed on this computer, and there are similar lines (with different, apparently random, dll names) in the HJT logs of many of the malware complaints here and elsewhere. I used regedit to delete that entry.

    Then, I cut the WinPFind3U Fix file into three pieces, and ran each. I'm attaching the three log files it output.

    After the post-WinPFind3U reboot, here is my current HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:50:50 PM, on 7/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {391A3A81-8A3F-89CB-1A13-898DCA53849F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {A7A0201A-6650-40A4-888F-C206D3486C2D} - C:\Program Files\MSN Gaming Zone\hokew83122.dll (file missing)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168915243774
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D588CCAA-1333-4538-901D-98B636BDD664}: NameServer = 198.7.0.1,198.7.0.2
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    --
    End of file - 5474 bytes
     

  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O2 - BHO: (no name) - {391A3A81-8A3F-89CB-1A13-898DCA53849F} - (no file)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {A7A0201A-6650-40A4-888F-C206D3486C2D} - C:\Program Files\MSN Gaming Zone\hokew83122.dll (file missing)

    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -

    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -


    Reboot.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u2.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
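The entries the moderator ticks above follow a mechanical rule: O2 BHO lines whose DLL is "(no file)" or "(file missing)", and O16 DPF lines with no download URL after the trailing dash. As an added example (not part of the thread, and not a HijackThis feature), this Python script applies that same triage rule to log lines; the sample lines are copied from the log posted above, and the function and regexes are my own names.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {391A3A81-8A3F-89CB-1A13-898DCA53849F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A7A0201A-6650-40A4-888F-C206D3486C2D} - C:\Program Files\MSN Gaming Zone\hokew83122.dll (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168915243774
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Every HijackThis line starts with a section tag such as O2, O4, O16.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
# O16 body: "DPF: {CLSID} (Friendly Name) - <download URL>"; the URL may be empty.
DPF_RE = re.compile(r"^DPF: (\{[0-9A-F-]{36}\}) \((.*)\) -\s*(.*)$", re.IGNORECASE)


def flag_orphaned_entries(log_text):
    """Return (section, clsid, reason) for entries matching the moderator's rule.

    Only O2 and O16 are examined; everything else is left alone so that the
    legitimate O4 autostarts and O23 services in the log are never flagged.
    """
    flagged = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, process path, or the "End of file" footer
        section, body = m.groups()
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(0) if clsid_m else None
        if section == "O2":
            if body.endswith("(no file)"):
                flagged.append((section, clsid, "BHO registered with no DLL path"))
            elif body.endswith("(file missing)"):
                flagged.append((section, clsid, "BHO points at a DLL that no longer exists"))
        elif section == "O16":
            dpf = DPF_RE.match(body)
            if dpf and not dpf.group(3):
                flagged.append((section, dpf.group(1), "DPF entry with no download URL"))
    return flagged


if __name__ == "__main__":
    for section, clsid, reason in flag_orphaned_entries(SAMPLE_LOG):
        print(f"{section} {clsid}: {reason}")
```

Entries it reports are candidates for the "Fix Checked" step; a BHO with a valid, known DLL path (the Java SSVHelper line here) is deliberately left out, exactly as the moderator left it out.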
     
Short URL to this thread: https://techguy.org/597132
