***Malwarebytes installs but after scan will shuts down after initializing the removal process, and will not update.***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:07 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C82 Series on cbb02] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P37 "Auto EPSON Stylus C82 Series on cbb02" /O16 "\\CBB02\EpsonC82" /M "Stylus C82"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://www.courts.wa.gov/jislink/bluezone3...ls/sglw2hcm.ocx
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5F986CD-F47C-4340-8616-5FFB54815F1A}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5270 bytes
#1
Posted 17 June 2009 - 10:35 PM
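As an added defender-side example (not tooling from this thread, from HijackThis or from ComboFix), the script below parses constructed lines in the two log formats that appear in this thread and flags the indicators that mark such a log as a Zeus/Zbot-style infection: a second executable chained into Winlogon's UserInit, plus Security Center and firewall settings that were weakened. The sample lines, function names and message strings are my own.

```python
"""Triage helpers for HijackThis and ComboFix style text logs.

Added example, not tooling from the thread or from either scanner.  The
sample lines below are constructed to mirror the formats shown above.
"""
import re

# The only program Winlogon should launch through UserInit on Windows XP.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed HijackThis-format lines; the F2 line mirrors the Zeus/Zbot
# persistence pattern (a second executable appended to UserInit).
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
"""

# Constructed lines in the REGEDIT4 style ComboFix prints under "Reg Loading Points".
SAMPLE_COMBOFIX_REG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def userinit_extras(log_text):
    """Return every path chained into UserInit other than the expected userinit.exe.

    Anything listed here runs at each interactive logon, which is why a
    clean log shows only userinit.exe followed by a trailing comma.
    """
    extras = []
    for line in log_text.splitlines():
        match = USERINIT_RE.match(line.strip())
        if not match:
            continue
        for entry in match.group(1).split(","):
            entry = entry.strip().strip('"').lower()
            if entry and entry != EXPECTED_USERINIT:
                extras.append(entry)
    return extras


def registry_weaknesses(reg_text):
    """Flag Security Center and firewall settings that leave the host exposed."""
    findings = []
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()      # remember the key we are inside
            continue
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()
        value = value.strip().lower()
        if name == "antivirusoverride" and value.endswith("00000001"):
            findings.append("Security Center antivirus alerts suppressed (AntiVirusOverride=1)")
        elif name == "enablefirewall" and value.startswith("0"):
            findings.append("Windows Firewall disabled for the standard profile")
        elif "globallyopenports" in current_key and name.startswith("3389:"):
            findings.append("RDP port 3389 opened in the firewall policy")
    return findings


def triage(hjt_text, reg_text):
    """Combine both checks into one report dict for a quick read."""
    return {
        "userinit_extras": userinit_extras(hjt_text),
        "registry_weaknesses": registry_weaknesses(reg_text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_HJT_LOG, SAMPLE_COMBOFIX_REG).items():
        print(key)
        for item in items:
            print("  -", item)
```

Run against a real HijackThis log, an empty `userinit_extras` result is the expected state; any extra path is worth quarantining and checking for a matching entry under the scanner's deletions.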
#2
Posted 18 June 2009 - 03:25 PM
Hi,
Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.
In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.
Also, please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of these Trojans/Bots that have the functionality to kill your OS.
Read this article for more info: When a Bot master goes mad - Kill the OS, and here: A Zeus botnet self-destructs
Then, please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 18 June 2009 - 04:19 PM
ComboFix 09-06-17.04 - ACBB 06/18/2009 9:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.299 [GMT -7:00]
Running from: c:\documents and settings\ACBB\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ACBB\Application Data\FunWebProducts
c:\documents and settings\ACBB\Application Data\FunWebProducts\Data\ACBB\avatar.dat
c:\documents and settings\ACBB\Application Data\FunWebProducts\Data\ACBB\register.dat
c:\documents and settings\ACBB\Application Data\FunWebProducts\Data\ACBB\zbucks.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.
2009-06-17 21:28 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-17 21:28 . 2009-06-17 21:28 -------- d-----w- c:\program files\Avira
2009-06-17 21:28 . 2009-06-17 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-17 21:15 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 21:15 . 2009-06-17 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 21:15 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 21:55 . 2009-06-09 21:55 152576 -c--a-w- c:\documents and settings\ACBB\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 21:53 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-09 21:53 . 2009-04-29 04:55 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-06-09 21:03 . 2009-06-09 21:03 -------- d-----w- c:\program files\CCleaner
2009-06-09 19:40 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:40 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 18:01 . 2009-06-07 18:01 18184984 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\msgup900_2162_us.exe
2009-06-05 11:54 . 2009-06-05 11:54 -------- d-sh--w- c:\documents and settings\ACBB\IECompatCache
2009-06-05 11:52 . 2009-06-05 11:52 -------- d-sh--w- c:\documents and settings\ACBB\PrivacIE
2009-06-04 16:33 . 2009-06-04 16:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-04 16:33 . 2009-06-04 16:33 -------- d-sh--w- c:\documents and settings\ACBB\IETldCache
2009-06-04 16:31 . 2009-06-09 22:58 -------- d-----w- c:\windows\ie8updates
2009-06-04 16:30 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 15:53 . 2009-06-18 15:53 404225 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.exe
2009-06-18 15:53 . 2009-06-18 15:53 345345 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.dll
2009-06-17 21:47 . 2009-06-17 21:47 -------- d-----w- c:\program files\Trend Micro
2009-06-17 21:44 . 2009-06-17 21:44 -------- d-----w- c:\program files\FileASSASSIN
2009-06-16 20:27 . 2009-06-16 19:49 0 -c--a-w- C:\~GLHTTP1.TMP
2009-06-09 22:50 . 2006-09-29 02:53 -------- d-----w- c:\program files\Google
2009-06-09 22:37 . 2006-06-06 01:56 -------- d-----w- c:\program files\Java
2009-06-09 21:40 . 2006-10-15 23:04 -------- d-----w- c:\program files\Yahoo!
2009-06-09 21:39 . 2006-10-06 19:59 -------- d-----w- c:\program files\Yahoo SiteBuilder
2009-06-09 21:21 . 2006-09-27 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-04 16:00 . 2009-04-20 19:18 -------- d-----w- c:\program files\SmartDraw 2009
2009-05-21 18:33 . 2009-05-09 05:19 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-12 04:09 . 2009-05-12 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-12 04:09 . 2009-05-12 03:57 -------- d-----w- c:\program files\NOS
2009-05-12 04:03 . 2009-05-12 04:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-12 04:02 . 2009-05-12 04:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-07 15:32 . 2004-08-11 22:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 01:59 . 2009-05-06 01:25 -------- d-----w- c:\program files\Powerbullet
2009-05-06 00:45 . 2009-05-06 00:45 -------- d-----w- c:\documents and settings\ACBB\Application Data\KompoZer
2009-04-29 04:56 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-20 19:35 . 2009-04-20 19:20 -------- d-----w- c:\documents and settings\ACBB\Application Data\SmartDraw
2009-04-17 12:26 . 2004-08-11 22:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-11 22:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 17:20 . 2009-06-18 15:53 79105 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updaterc.dll
2009-04-05 17:18 . 2006-06-14 16:30 21744 -c--a-w- c:\documents and settings\ACBB\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-30 17:33 . 2009-06-17 21:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 23:08 . 2009-06-17 21:28 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Auto EPSON Stylus C82 Series on cbb02"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 99840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 18:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2009 2:28 PM 108289]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 4:51 PM 24652]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-CTFMON - (no file)
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: {D5F986CD-F47C-4340-8616-5FFB54815F1A} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxp://www.courts.wa.gov/jislink/bluezone35/controls/sglw2hcm.ocx
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 09:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-06-18 9:16
ComboFix-quarantined-files.txt 2009-06-18 16:16
ComboFix2.txt 2008-09-30 16:16
Pre-Run: 65,314,754,560 bytes free
Post-Run: 65,315,741,696 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
143 --- E O F --- 2009-06-16 19:36
#4
Posted 18 June 2009 - 04:22 PM
Hi,
I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
- Viewpoint
- Viewpoint Manager
- Viewpoint Media Player
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#5
Posted 18 June 2009 - 06:25 PM
Thanks for the help, running great... took care of a lot of other issues I was having!
#6
Posted 18 June 2009 - 06:43 PM
Glad I could help. 
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#7
Posted 20 June 2009 - 01:13 PM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.