TechSpot

Virus/malware attack - please help

By derekbutch
Aug 3, 2009
  1. I just had this problem yesterday. All of a sudden I noticed my firewall was turned off. I turned it on, and then what seems to be a Windows Security icon (looks like a red shield with an x in the middle) started to shine in my right-bottom corner saying "virus warning! your computer is infected." I clicked on it, unsuspecting, and it tried to load a page that looks like a regular folder file but didn't load properly, and every time I tried to close it it would pop up again in a few minutes, but never loading properly. Then Internet Explorer starts to run automatically, and I could hear strange ads in the background even when I turned it off. I checked the task manager, and the iexplorer only showed up in "processes".

    Being the computer novice that I am, the only thing I knew to do was start running a bunch of malware detection programs. I started with AVG, Trend and spybot. All ran for an unusually long time, though AVG did catch a few trojans, but I had to end them before they finished when I started malwarebyte. After the malwarebyte scan, it rebooted and the iexplorer stopped turning on automatically. I then proceeded to run superantispybot, trend housecall, and malwarebyte again. The first caught a couple more cookies and a trojan, and the rest came out clean. I then ran hijacker (please see log below) and deleted a url search it found.

    As I do not know much about computers, this is all I can do. Please let me know if I am still at risk, and what kind/level of damage my computer just suffered (e.g., was my personal info all hijacked?). I am also very confused about the hijacker log as I do not know how to read it.... PLEASE HELP ME!!! Thank you.

    *Note: I did not run anything in safe mode because I didn't know about it until afterwards, and plus it didn't work when I tried to restart in safe mode anyway. I think it all started in normal mode*

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:45:29 PM, on 02/08/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\sistray.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\InterVideo\DVD5R\SchSvr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] "D:\=Download=\Software\Webroot Spy Sweeper 3.0.0 (Build 113)\_Crack\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...35/mcfscan.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    --
    End of file - 6723 bytes
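The HijackThis log above is line oriented: every entry is a section code (R3, O2, O4, O23, ...), a dash, a description, and, for most sections, the file it points at. The following Python script is an added example, not code from the original poster or from Trend Micro, that parses a handful of lines copied from that log and flags the ones a reviewer would look at first: orphaned entries marked "(no file)", startup items whose target is not an absolute path, items launched from outside the usual program and system directories, paths that name a cracked program, and services logged with "Unknown owner". The list of "expected" directories and the flagging rules are this example's own assumptions about a stock Windows XP install, not part of the HijackThis format, and a flag means "investigate", not "malware".

```python
import re

# Constructed sample: seven lines copied from the HijackThis log posted in this
# thread. It is a fragment for illustration, not the whole log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [SpySweeper] "D:\=Download=\Software\Webroot Spy Sweeper 3.0.0 (Build 113)\_Crack\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Assumption for this example: on a stock Windows XP box, startup items and
# services normally live under one of these roots (compared case-insensitively).
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\documents and settings\\",
)

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def extract_path(section, body):
    """Pull the target (a file path or '(no file)') out of one entry body."""
    if section == "O4":
        # O4 - <hive>\..\Run: [<name>] <command line>; the command may be quoted.
        m = O4_RE.search(body)
        if not m:
            return None
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split(" ", 1)[0] if cmd else None
    # R3/O2/O3/O23 entries end with " - <target>".
    return body.rsplit(" - ", 1)[-1].strip()


def triage_entry(line):
    """Return (section, target, [reasons]) for one log line, or None if the line
    is not a HijackThis entry. An empty reason list means nothing stood out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    target = extract_path(section, body)
    reasons = []
    if target is None:
        return section, target, ["could not parse a target; inspect by hand"]
    low = target.lower()
    if low == "(no file)":
        reasons.append("orphaned entry: target file is missing, a leftover HijackThis can remove")
    elif not ABS_PATH_RE.match(target):
        reasons.append("not an absolute local path; check how it resolves")
    elif not low.startswith(EXPECTED_ROOTS):
        reasons.append("launched from outside the usual program/system directories")
    if "crack" in low:
        reasons.append("path names a cracked program: untrusted origin, treat as suspect")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher recorded; verify the binary")
    return section, target, reasons


def triage_log(text):
    """Return only the entries that raised at least one reason, in log order."""
    flagged = []
    for line in text.splitlines():
        result = triage_entry(line)
        if result and result[2]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for section, target, reasons in triage_log(SAMPLE_LOG):
        print(f"{section:4} {target}")
        for reason in reasons:
            print(f"       - {reason}")
```

Run against the sample it reports four entries: the orphaned R3 hook, the `Cmaudio` item (launched through RunDll32 rather than an absolute path, so worth confirming, not necessarily bad), the `SpySweeper` item (runs from a download folder and its path contains `_Crack`), and the Adobe LM service (no owner recorded). The two items under `C:\WINDOWS` and `C:\Documents and Settings` pass; the rules only order the reading, the reviewer still decides.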
     
  2. derekbutch

    derekbutch TS Rookie Topic Starter

    I've also done a search in my windows files and found that I have these iexplore files in there:

    iexplore.chm/iexplore.chw/iexplore.hlp in c:\windows\help
    IEXPLORE.EXE-27122324.pf in c:\windows\prefetch
    iexplore.exe in c:\windows\softwaredistribution\download

    I'm confused as to whether or not these files are supposed to be there or whether they are spyware/trojan viruses, as I've read that any "iexplore" should only be in program files and not in windows. Can anyone help?

    Thanks.
     
  3. strategic

    strategic TechSpot Paladin Posts: 1,020

    Hi there!
    I'm not qualified to give any assistance on your virus problems, but I can however direct you to the thread where you'll need to do some procedures to help the techs give you an answer.
    http://www.techspot.com/vb/topic58138.html
    Please follow the above link step by step, and disable or uninstall your AVG for this test.
     
  4. strategic

    strategic TechSpot Paladin Posts: 1,020

    By the way, it's just a hunch but that error you received in that red shield is more than likely a virus in itself. I have never heard of that shield giving a virus warning, it's only there to tell you your security software is running/not running, that's all.
     
  5. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Firewall shut down. Which firewall... Windows or other?

    AVG (7.5, 8.0, 8.5 ??) None of these have been effective for a while.
    MalwareByte is not MalwareBytes
    Trend Housecall: is this the antivirus or the antispyware?
    SpyBot
    SuperAntiSpybot
    HiJackThis? No log that I have found

    If you spelled these correctly, you do not have any of the top removal tools installed. AVG went out of favor over 8 to 10 months ago. Spybot does nothing. Never used SuperAntiSpyBot? What is your firewall?

    There was no Firewall info.
    No HiJackThis log found.

    Recommend you use Avast or Avira Antivir for antivirus for this test. Use MalWareBytes from MalwareBytes.org, not the other one. Spybot and SuperAntispybot are perhaps not effective, but you will need at least two spyware screeners... so I recommend SuperAntiSpyware.

    Run all and post their logs, and run HiJackThis afterward. It is best if you run these in <Safe Mode>.

    For paid programs, I like SpySweeper still, and Spyware Doctor, and Kaspersky antivirus.
     
Topic Status:
Not open for further replies.
