TechSpot

Help Malware, Hijackthis, Combofix... nothing works

By d12littlec
Aug 6, 2009
  1. Hopefully someone can help me with this.

    I clicked on a link yesterday and it drove my computer crazy. The internet froze, and when I rebooted it had the Windows antivirus virus and the Google redirect virus.

    I've tried running Malwarebytes (it won't load), I've tried running Combofix (won't load), HijackThis (won't load). I've tried renaming them and all, and nothing works. I've done this in safe mode and normal mode... Any advice anyone can offer me? I can't seem to get a log because it won't let me run the programs.
     
  2. strategic

    strategic TechSpot Paladin Posts: 1,020

    You need to do these steps in order. If you don't use it already, use the a/v software shown in the tutorial,
    http://www.techspot.com/vb/topic58138.html. Which a/v software are you currently using? If it isn't Avast or Avira, disable or uninstall it.
     
  3. d12littlec

    d12littlec TS Rookie Topic Starter

    Doesn't help

    I'm trying to do those steps, but I've tried running Avira 3 times and in the end it finds a bunch of viruses, but it doesn't let me copy them to post here, and when I click repair all it just disappears without doing anything. Do I go forward to the next step?
     
  4. d12littlec

    d12littlec TS Rookie Topic Starter

    This is the startup log I've gotten HijackThis to post. Anything I should remove or do with this?

    StartupList report, 8/10/2009, 11:35:39 AM
    StartupList version: 1.52.2
    Started from : C:\Program Files\ghfybhj\HijackThis.EXE
    Detected: Windows XP SP3 (WinNT 5.01.2600)
    Detected: Internet Explorer v8.00 (8.00.6001.18702)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\CID6LNCH.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
    C:\Program Files\IP Scanner\Receiver\MGS.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee\MBK\MBackMonitor.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\ghfybhj\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Acrobat Speed Launcher.lnk = ?
    FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
    ImageReceiver.lnk = C:\Program Files\IP Scanner\Receiver\MGS.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    IgfxTray = C:\WINDOWS\system32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
    Persistence = C:\WINDOWS\system32\igfxpers.exe
    IAAnotif = "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
    Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    CID_LNCH = C:\WINDOWS\system32\CID6LNCH.EXE
    LogMeIn GUI = "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    McAfee Backup = C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    MBkLogOnHook = C:\Program Files\McAfee\MBK\LogOnHook.exe
    Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    avgnt = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
    Browser Address Error Redirector - C:\Program Files\BAE\BAE.dll - {CA6319C0-31B7-401E-A518-A07C3DB8F777}
    (no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
    JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
    (no name) - (no file) - {F54AF7DE-6038-4026-8433-CC30E3F17212}
    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job
    McDefragTask.job
    McQcTask.job

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 8,418 bytes
    Report generated in 0.281 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. strategic

    strategic TechSpot Paladin Posts: 1,020

    You'll have to be patient and wait for one of the virus/malware guys to look through this. You should have a log file for Avira somewhere...
    Actually, you can see a log when you look at the main software page. Copy and paste it into a new text file.
     
  6. d12littlec

    d12littlec TS Rookie Topic Starter

    Yes, this is the Avira log. Sorry about that.


    Avira AntiVir Personal
    Report file date: Monday, August 10, 2009 10:19

    Scanning for 1618860 virus strains and unwanted programs.

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : HIALEAHMAIN

    Version information:
    BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
    AVSCAN.EXE : 9.0.3.7 466689 Bytes 8/7/2009 16:51:24
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
    ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
    ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
    ANTIVIR2.VDF : 7.1.5.60 2235904 Bytes 8/3/2009 16:36:07
    ANTIVIR3.VDF : 7.1.5.85 445952 Bytes 8/7/2009 16:48:21
    Engineversion : 8.2.0.248
    AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
    AESCRIPT.DLL : 8.1.2.23 455033 Bytes 8/7/2009 16:51:13
    AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
    AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
    AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
    AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
    AEHEUR.DLL : 8.1.0.154 1917302 Bytes 8/7/2009 16:51:03
    AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 14:59:39
    AEGEN.DLL : 8.1.1.55 356723 Bytes 8/7/2009 16:48:34
    AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
    AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
    AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
    AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
    AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
    AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
    AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
    RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
    RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

    Start of the scan: Monday, August 10, 2009 10:19

    Starting search for hidden objects.
    '34917' objects were checked, '0' hidden objects were found.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned
    Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
    Scan process 'tt.exe' - '1' Module(s) have been scanned
    Scan process 'jucheck.exe' - '1' Module(s) have been scanned
    Scan process 'mcsysmon.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'fxssvc.exe' - '1' Module(s) have been scanned
    Scan process 'winvnc4.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
    Scan process 'novacomd.exe' - '1' Module(s) have been scanned
    Scan process 'MpfSrv.exe' - '1' Module(s) have been scanned
    Scan process 'Mcshield.exe' - '1' Module(s) have been scanned
    Scan process 'McProxy.exe' - '1' Module(s) have been scanned
    Scan process 'McNASvc.exe' - '1' Module(s) have been scanned
    Scan process 'mcmscsvc.exe' - '1' Module(s) have been scanned
    Scan process 'MBackMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned
    Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
    Scan process 'ramaint.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned
    Scan process 'AsfIpMon.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'MGS.exe' - '1' Module(s) have been scanned
    Scan process 'KMFtp.exe' - '1' Module(s) have been scanned
    Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'acrotray.exe' - '1' Module(s) have been scanned
    Scan process 'McAfeeDataBackup.exe' - '1' Module(s) have been scanned
    Scan process 'mcagent.exe' - '1' Module(s) have been scanned
    Scan process 'LogMeInSystray.exe' - '1' Module(s) have been scanned
    Scan process 'CID6LNCH.EXE' - '1' Module(s) have been scanned
    Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
    Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
    Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
    Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned
    Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
    Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    60 processes with 60 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '66' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\Program Files\cesar\HijackThis.exe
    [WARNING] The file could not be opened!
    C:\Program Files\McAfee\VirusScan\mcods.exe
    [WARNING] The file could not be opened!
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    [WARNING] The file could not be opened!
    C:\Program Files\Trend Micro\cesar\HijackThis.exe
    [WARNING] The file could not be opened!
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    [WARNING] The file could not be opened!
    C:\SDFix\catchme.exe
    [WARNING] The file could not be opened!
    C:\SDFix\apps\Cghtme.exe
    [WARNING] The file could not be opened!
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP523\A0030797.nfo
    [DETECTION] Is the TR/Dldr.Small.alyl.4 Trojan
    C:\WINDOWS\system32\scecli.dll
    [WARNING] The file could not be opened!

    Beginning disinfection:
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP523\A0030797.nfo
    [DETECTION] Is the TR/Dldr.Small.alyl.4 Trojan
    [NOTE] The file was moved to '4ab03756.qua'!


    End of the scan: Monday, August 10, 2009 11:05
    Used time: 45:43 Minute(s)

    The scan has been done completely.

    4128 Scanned directories
    310545 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    10 Files cannot be scanned
    310534 Files not concerned
    3149 Archives were scanned
    10 Warnings
    3 Notes
    34917 Objects were scanned with rootkit scan
    0 Hidden objects were found
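
As an added example (not part of the original posts and not Avira's own tooling), the Python script below parses a report in the layout pasted above and separates detections, locked Windows system files, other files the scanner could not open, and quarantined items. The function names `parse_report` and `triage` and the shortened `SAMPLE_REPORT` excerpt are assumptions made for illustration.

```python
import re

# Shortened excerpt of the report pasted above, embedded so the script runs offline.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
[WARNING] The file could not be opened!
C:\SDFix\catchme.exe
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP523\A0030797.nfo
[DETECTION] Is the TR/Dldr.Small.alyl.4 Trojan

Beginning disinfection:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP523\A0030797.nfo
[DETECTION] Is the TR/Dldr.Small.alyl.4 Trojan
[NOTE] The file was moved to '4ab03756.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
TAG_RE = re.compile(r"^\[(WARNING|NOTE|DETECTION|INFO)\]\s*(.*)$")

def parse_report(text):
    """Group tagged status lines under the file path that precedes them."""
    sections = {"scan": {}, "disinfection": {}}
    section = events = None
    for raw in text.splitlines():
        line = raw.strip()  # pasted forum logs are often indented
        if line.startswith("Begin scan in"):
            section, events = "scan", None
        elif line.startswith("Beginning disinfection"):
            section, events = "disinfection", None
        elif section and PATH_RE.match(line):
            events = sections[section].setdefault(line, [])
        elif events is not None and (m := TAG_RE.match(line)):
            events.append((m.group(1), m.group(2)))
    return sections

def triage(text):
    """Split scan results; a 'Windows system file' NOTE marks files the OS keeps locked."""
    parsed = parse_report(text)
    out = {"detections": [], "locked_system": [], "unopened": [], "quarantined": []}
    for path, events in parsed["scan"].items():
        tags = {t for t, _ in events}
        notes = " ".join(m for _, m in events)
        if "DETECTION" in tags:
            name = re.search(r"Is the (\S+)", notes)
            out["detections"].append((path, name.group(1) if name else notes))
        elif "WARNING" in tags and "could not be opened" in notes:
            key = "locked_system" if "Windows system file" in notes else "unopened"
            out[key].append(path)
    for path, events in parsed["disinfection"].items():
        if any(t == "NOTE" and "moved to" in m for t, m in events):
            out["quarantined"].append(path)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

The `unopened` list is the part worth a second look in a report like this one: it holds the files the scanner could not read that carry no system-file note.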
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    d12littlec, you need to start over with guidance. We have none here at this time. Please see if this site can help you: http://www.tech-101.com/virus-malware-removal/

    All forums have a guide for running the programs. If they can't be run, others will be suggested and/or you will be assisted. Please follow that. The log you left will have to be replaced.
     
Topic Status:
Not open for further replies.
