Internet explorer/crypted.exe virus in Temp folder (log files attached)

bhebepau
Every time I shut off the computer, the virus changes names.

Also, a YouTube video in Internet Explorer opens up! :O

I found in Local Disk (C:)>Users>Admin>AppData>Local>Temp some sort of .exe and other .log files. I always delete it because it appears whenever I shut off the computer. The .exe file's name always had "Crypted" in it. I think it's the virus, because my antivirus sometimes detects it but cannot delete it.

I followed the 8 steps; here are the logs.

Please help me :(
 

Attachment: hijackthis.log (7.4 KB)
The infections you have are a danger to your security. Please change all of your passwords and monitor all online financial transactions.

The symptoms you report are also suspect for a Virut malware infection:
Before we assume anything, do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
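The VirSCAN submission above is a check for the Virut file infector: an infected copy of userinit.exe, explorer.exe or svchost.exe no longer matches a clean one. The script below is an added example, not code from this thread or from VirSCAN, that does the local half of that check: it hashes each file and compares size, MD5 and SHA1 against a baseline. The file paths are the ones the helper listed; the baseline values are the ones VirSCAN later reported for this poster's clean Windows 7 build 7100 copies and are only valid for that exact build, so for another machine take them from a trusted source. The `demo_tamper` function works on a constructed throw-away file so the check can be seen reporting a change.

```python
"""Offline integrity check of the Windows binaries asked about in this thread.

Added example (not from the thread or from VirSCAN): hash userinit.exe,
explorer.exe and svchost.exe and compare size, MD5 and SHA1 with a baseline.
"""
import hashlib
import os
import tempfile

# Size / MD5 / SHA1 copied from the VirSCAN reports posted in this thread
# (clean copies on Windows 7 build 7100; other builds will differ).
BASELINE = {
    r"C:\WINDOWS\System32\userinit.exe": {
        "size": 26112,
        "md5": "50771ca86ff1adaf5fd1920f8cb5665e",
        "sha1": "d1f78ca95e60db74d37e2edf55d1c77b87ce4ffd",
    },
    r"C:\WINDOWS\explorer.exe": {
        "size": 2607616,
        "md5": "c133788b393eec01439ad997d24e66ed",
        "sha1": "2546623a1e04f07a2bf2a8a7539eef1b2a2f89d2",
    },
    r"C:\WINDOWS\System32\svchost.exe": {
        "size": 20992,
        "md5": "5f1fe2f551e74b069c436152f06ccfdc",
        "sha1": "97b0814bbedb3e4cfcda4f3282be234ddef794cd",
    },
}
FIELDS = ("size", "md5", "sha1")


def fingerprint(path, chunk_size=65536):
    """Return {'size', 'md5', 'sha1'} for a file, streamed so large files are fine."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare(actual, expected):
    """Names of the fields that differ from the baseline (empty list = match)."""
    return [k for k in FIELDS if actual[k] != expected[k]]


def check_files(baseline):
    """Map each baseline path to 'ok', 'missing', or the list of mismatched fields."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "missing"  # an absent core binary is itself worth a look
            continue
        diffs = compare(fingerprint(path), expected)
        results[path] = "ok" if not diffs else diffs
    return results


def demo_tamper():
    """Constructed demonstration: baseline a throw-away file, append one byte to
    it the way a file infector would, and return the verdict before and after
    together with the clean fingerprint."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.exe")
    with open(sample, "wb") as fh:
        fh.write(b"hello world")  # constructed stand-in for a clean binary
    clean = fingerprint(sample)
    before = check_files({sample: clean})[sample]
    with open(sample, "ab") as fh:
        fh.write(b"!")  # simulated infection: code appended to the file
    after = check_files({sample: clean})[sample]
    os.remove(sample)
    os.rmdir(workdir)
    return before, after, clean


if __name__ == "__main__":
    for path, verdict in check_files(BASELINE).items():
        print(f"{path}: {verdict}")
    print("demo (before, after, clean fingerprint):", demo_tamper())
```

A match against a clean reference says the file is unmodified; a mismatch on a patched system may only mean a newer version, which is why the size and the Windows build are recorded alongside the hashes. On Windows itself, `sfc /verifyonly` checks protected system files against Microsoft's own catalog, a better baseline than hashes copied from another machine.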
 
Thank you Bobbye!! I'll do it! :D

And now I can't open a webpage in Internet Explorer. It says "Internet Explorer cannot display the webpage". :(

I think it's because of the 8-step virus removal I did.
 
Oh sorry, I know now how to operate Internet Explorer.

and

Here are the results

C:\WINDOWS\System32\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 21:30:46 (PHT)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 50771ca86ff1adaf5fd1920f8cb5665e
SHA1 : d1f78ca95e60db74d37e2edf55d1c77b87ce4ffd
Online report : http://virscan.org/report/529ad48a933d79069e0abd93c0f6e78f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091102200214 2009-11-02 40.13 -
AhnLab V3 2009.11.02.00 2009.11.02 2009-11-02 40.12 -
AntiVir 8.2.1.53 7.1.6.177 2009-11-02 0.19 -
Antiy 2.0.18 20091102.3201984 2009-11-02 0.12 -
Arcavir 2009 200911012157 2009-11-01 0.03 -
Authentium 5.1.1 200911011547 2009-11-01 1.22 -
AVAST! 4.7.4 091101-1 2009-11-01 0.01 -
AVG 8.5.288 270.14.45/2476 2009-11-02 0.32 -
BitDefender 7.81008.4480747 7.28708 2009-11-02 3.91 -
CA (VET) 35.1.0 7094 2009-10-30 40.13 -
ClamAV 0.95.2 9971 2009-11-01 0.01 -
Comodo 3.12 2814 2009-11-02 40.13 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.26 -
F-Prot 4.4.4.56 20091101 2009-11-01 1.25 -
F-Secure 7.02.73807 2009.11.02.09 2009-11-02 0.04 -
Fortinet 2.81-3.120 11.13 2009-11-02 40.13 -
GData 19.8693/19.531 20091102 2009-11-02 40.13 -
ViRobot 20091102 2009.11.02 2009-11-02 40.13 -
Ikarus T3.1.01.72 2009.11.02.74407 2009-11-02 4.28 -
JiangMin 11.0.800 2009.11.02 2009-11-02 40.13 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.06 -
KingSoft 2009.2.5.15 2009.11.2.16 2009-11-02 40.13 -
McAfee 5.3.00 5789 2009-11-01 3.40 -
Microsoft 1.5202 2009.11.02 2009-11-02 40.13 -
Norman 6.01.09 6.01.00 2009-11-01 4.01 -
Panda 9.05.01 2009.10.31 2009-10-31 40.12 -
Trend Micro 8.700-1004 6.596.06 2009-11-02 0.03 -
Quick Heal 10.00 2009.11.02 2009-11-02 40.13 -
Rising 20.0 21.54.04.00 2009-11-02 40.13 -
Sophos 3.00.1 4.46 2009-11-02 2.85 -
Sunbelt 5482 5482 2009-11-01 40.13 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 40.13 -
The Hacker 6.5.0.2 v00058 2009-10-31 40.13 -
VBA32 3.12.10.11 20091101.2111 2009-11-01 1.98 -
VirusBuster 4.5.11.10 10.113.4/1996453 2009-11-02 2.38 -


---------------------------------------------------------------------------------------

C:\WINDOWS\explorer.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 21:49:29 (PHT)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2607616 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : c133788b393eec01439ad997d24e66ed
SHA1 : 2546623a1e04f07a2bf2a8a7539eef1b2a2f89d2
Online report : http://virscan.org/report/c8c36fd94df38ba2084ffb648fd91c67.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091102200214 2009-11-02 40.12 -
AhnLab V3 2009.11.02.00 2009.11.02 2009-11-02 40.13 -
AntiVir 8.2.1.53 7.1.6.177 2009-11-02 1.27 -
Antiy 2.0.18 20091102.3201984 2009-11-02 0.12 -
Arcavir 2009 200911012157 2009-11-01 0.09 -
Authentium 5.1.1 200911011547 2009-11-01 2.77 -
AVAST! 4.7.4 091101-1 2009-11-01 0.11 -
AVG 8.5.288 270.14.45/2476 2009-11-02 0.35 -
BitDefender 7.81008.4480747 7.28708 2009-11-02 3.90 -
CA (VET) 35.1.0 7094 2009-10-30 40.12 -
ClamAV 0.95.2 9971 2009-11-01 0.52 -
Comodo 3.12 2815 2009-11-02 40.13 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.27 -
F-Prot 4.4.4.56 20091101 2009-11-01 2.65 -
F-Secure 7.02.73807 2009.11.02.09 2009-11-02 5.39 -
Fortinet 2.81-3.120 11.13 2009-11-02 40.13 -
GData 19.8693/19.531 20091102 2009-11-02 40.12 -
ViRobot 20091102 2009.11.02 2009-11-02 40.13 -
Ikarus T3.1.01.72 2009.11.02.74407 2009-11-02 4.35 -
JiangMin 11.0.800 2009.11.02 2009-11-02 40.13 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.07 -
KingSoft 2009.2.5.15 2009.11.2.16 2009-11-02 40.12 -
McAfee 5.3.00 5789 2009-11-01 3.42 -
Microsoft 1.5202 2009.11.02 2009-11-02 40.13 -
Norman 6.01.09 6.01.00 2009-11-01 4.01 -
Panda 9.05.01 2009.10.31 2009-10-31 40.13 -
Trend Micro 8.700-1004 6.596.06 2009-11-02 0.03 -
Quick Heal 10.00 2009.11.02 2009-11-02 40.12 -
Rising 20.0 21.54.04.00 2009-11-02 40.12 -
Sophos 3.00.1 4.46 2009-11-02 2.85 -
Sunbelt 5482 5482 2009-11-01 40.13 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 40.12 -
The Hacker 6.5.0.2 v00058 2009-10-31 40.13 -
VBA32 3.12.10.11 20091101.2111 2009-11-01 2.41 -
VirusBuster 4.5.11.10 10.113.4/1996453 2009-11-02 3.23 -


---------------------------------------------------------------------------------------

C:\WINDOWS\System32\svchost.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/11/02 22:03:02 (PHT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 20992 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 5f1fe2f551e74b069c436152f06ccfdc
SHA1 : 97b0814bbedb3e4cfcda4f3282be234ddef794cd
Online report : http://virscan.org/report/3107c94bec1a4ec94e288d82876ceee3.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091102200214 2009-11-02 40.12 -
AhnLab V3 2009.11.02.00 2009.11.02 2009-11-02 40.13 -
AntiVir 8.2.1.53 7.1.6.177 2009-11-02 0.47 -
Antiy 2.0.18 20091102.3201984 2009-11-02 0.12 -
Arcavir 2009 200911012157 2009-11-01 0.03 -
Authentium 5.1.1 200911011547 2009-11-01 1.20 -
AVAST! 4.7.4 091101-1 2009-11-01 0.01 -
AVG 8.5.288 270.14.45/2476 2009-11-02 0.32 -
BitDefender 7.81008.4480747 7.28708 2009-11-02 3.91 -
CA (VET) 35.1.0 7094 2009-10-30 40.12 -
ClamAV 0.95.2 9971 2009-11-01 0.01 -
Comodo 3.12 2815 2009-11-02 40.12 -
CP Secure 1.3.0.5 2009.10.30 2009-10-30 0.00 -
Dr.Web 4.44.0.9170 2009.11.02 2009-11-02 6.24 -
F-Prot 4.4.4.56 20091101 2009-11-01 1.19 -
F-Secure 7.02.73807 2009.11.02.09 2009-11-02 9.02 -
Fortinet 2.81-3.120 11.13 2009-11-02 40.12 -
GData 19.8693/19.531 20091102 2009-11-02 40.13 -
ViRobot 20091102 2009.11.02 2009-11-02 40.13 -
Ikarus T3.1.01.72 2009.11.02.74407 2009-11-02 4.23 -
JiangMin 11.0.800 2009.11.02 2009-11-02 40.13 -
Kaspersky 5.5.10 2009.11.02 2009-11-02 0.07 -
KingSoft 2009.2.5.15 2009.11.2.16 2009-11-02 40.13 -
McAfee 5.3.00 5789 2009-11-01 3.40 -
Microsoft 1.5202 2009.11.02 2009-11-02 40.13 -
Norman 6.01.09 6.01.00 2009-11-01 4.01 -
Panda 9.05.01 2009.10.31 2009-10-31 40.12 -
Trend Micro 8.700-1004 6.596.06 2009-11-02 0.03 -
Quick Heal 10.00 2009.11.02 2009-11-02 40.13 -
Rising 20.0 21.54.04.00 2009-11-02 40.13 -
Sophos 3.00.1 4.46 2009-11-02 2.84 -
Sunbelt 5482 5482 2009-11-01 40.13 -
Symantec 1.3.0.24 20091031.035 2009-10-31 0.00 -
nProtect 20091030.01 6063347 2009-10-30 40.13 -
The Hacker 6.5.0.2 v00058 2009-10-31 40.13 -
VBA32 3.12.10.11 20091101.2111 2009-11-01 1.94 -
VirusBuster 4.5.11.10 10.113.4/1996453 2009-11-02 2.39 -
 
That is good news. That was a check for the Virut malware- your description sounded very much like it could be Virut.

You need to do some Housekeeping:

1. Please tell me which operating system you're using. The HJT log describes it as: Platform: Unknown Windows (WinNT 6.01.3004)
Some of the entries look like Vista, but you also have an entry that's in either Windows 7 or Windows Server 2008.

2. You are running pieces of programs that have/had antivirus included. I suggest you clean these up. It "looks like" Avast is the current, main antivirus program. If that is the case, I suggest you remove the left-over bits and pieces, especially Norton, also Kaspersky:

Download the Norton Removal Tool and save it to your desktop.

Then Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click on the Norton Removal Tool and follow the prompts.

Then go to Add/Remove Programs and uninstall these if present:
Norton SystemWorks cleanup utility (SYMClean)
Symantec
Kaspersky Internet Security 2010


Using Windows Explorer: (right click on Start> Explore> Local Drive (C) or D drive> Programs> remove the folders if present, using a right click> Delete:
Norton SystemWorks Premier Edition (D drive)
Symantec (C drive)
Kaspersky Internet Security 2010 (web scanner) (C drive)


Click on Start> Run> type in services.msc> find each of the following Services and double-click on each> Change the Startup type to Disabled> Stop the Service:
AluSchedulerSvc
LuComServer


3. You also have an entry:
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
mctadmin.exe is a microsoft tool in Windows 7 and Windows server 2008 R2 to allow Local Pack installation for a customized Windows 7 installation for a specific region.

It is also a hidden file, but it's 'showing'. This means that you have hidden files and folders showing, and you should not:
Control Panel> Folder Options> View tab> UNCHECK 'show hidden files and folders'> Apply> OK.
IF it is already unchecked, then we have a problem!

4. Please reboot when you have completed the above.

5. Reopen HijackThis to 'do system scan only'. Check the following if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')


If any of these processes from the removals you did still show in this log, please check each for removal:

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
O4 - HKLM\..\Run: [NswUiTray] D:\Program Files\Norton SystemWorks Premier Edition\NswUiTray.exe
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk


Close all Windows except HijackThis. Click on "Fix Checked."

When through, boot into Normal Mode.

Run a full system scan with Avast. Save the log and include it in your next reply.

I need to know which Os you have before going further.
 
Windows 7 Ultimate Version 6.1.7100 Build 7100

How do I scan the whole system with Avast? What I did was check the local C and D drives, then press the play button.

----------------------------------------
11/03/2009 17:43
Scan of all local drives

Number of searched folders: 14625
Number of tested files: 120476
Number of infected files: 0

Where do I get the AV log?

I don't get scan results. :O
 
This is what you're seeing:

Temp\JonanCrypted.exe]JonanCrypted.exe (Trojan.DDoS)

here C>users>Admin>AppData>Local>Temp, some sort of .exe and other .log files.

I can't identify "JonanCrypted.exe" but you didn't get a log because Avast didn't find anything-

But this Trojan is a Win32 DDoS (Distributed Denial of Service attack) Trojan that was distributed by a hacker (or hackers group) in November 2000. The Trojan was sent as an e-mail message with an attached file.

Since it is showing in the temp files, let's get rid of them and see if that clears it up:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

When you finish please do this:
Open
Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Follow with a new scan in Hijackthis.

Handling logs:

The only log that needs to be pasted in the reply is the HijackThis log.

All other logs and reports can be attached unless your helper asks otherwise.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:09 PM, on 11/4/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\taskhost.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Windows\System32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GR469A~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GRA32A~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 6050 bytes
 
For the next time, when you open Notepad> Format> UNCHECK 'Word wrap'. That will allow the log to read straight across instead of breaking at the end.

In the Kaspersky log, all but one malware found was found in ProgramData for Windows Defender. So WD found it and quarantined it. Please delete the contents now.

The remaining one not in Defender is:
C:\Windows\winlogin.exe Infected: Trojan.Win32.Buzus.clgi 1

Normally this would be 'winlogon' instead of 'winlogin'. winlogin.exe is added to the system as a result of the RANDEX.E virus. It is an IRC Trojan horse that gives remote access to your computer using IRC.

I've been playing on Google with it asking me if I want a spelling correction to 'winlogon'- I kept declining it and finally identified it!

From Symantec:
W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC. It is also a worm that can use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself.

Are you using Windows 7?
Platform: Unknown Windows (WinNT 6.01.3004)

Antivirus Alert for Windows 7
Microsoft’s “Compatible with Windows 7” logo can now be used with Avast! version 4.8 software.

If you have Windows 7, update to v4.8. Alwil is preparing v5 for Avast now.

There was a patch for earlier versions. Let me know on the operating system please.

You can go ahead and delete the quarantined Windows Defender entries. Follow with this:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Apparently the system is vulnerable- Avast wasn't much good.

Attach the Combofix report. After I view that and you let me know if you have Windows 7, I'll know where to go.
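The checks the helper made by hand in this thread, an empty RunOnce entry, a start page reset to about:blank, an executable started from a Temp folder, a service pointing at a missing file, and a file name one letter away from a Windows system process (winlogin.exe standing in for winlogon.exe), can be run mechanically over a HijackThis-style log. The script below is an added example, not code from this thread or from HijackThis; the sample log is constructed, modelled on lines quoted in the thread, and the regular expressions, the list of system process names and the severity labels are my own choices.

```python
"""Triage of HijackThis-style log lines.

Added example (not from the thread or from HijackThis): flag the kinds of
entries the helper singled out in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKCU\..\Run: [JonanCrypted] C:\Users\Admin\AppData\Local\Temp\JonanCrypted.exe
O4 - HKLM\..\Run: [winlogin] C:\Windows\winlogin.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
"""

# Core Windows process names whose near-misses are a classic disguise.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "explorer.exe", "userinit.exe",
                "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# First drive-letter path ending in an executable-ish extension inside the command.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|bat|cmd|lnk)', re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so a plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename):
    """Return the system process name this file name imitates (one edit away), else None."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None
    for real in SYSTEM_NAMES:
        if edit_distance(name, real) == 1:
            return real
    return None


def triage(log_text):
    """Return a list of Finding for the suspicious entries in a HijackThis-style log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("R0 ") and line.lower().endswith("start page = about:blank"):
            findings.append(Finding("low", "start page reset to about:blank", line))
        if "(file missing)" in line:
            findings.append(Finding("info", "service points at a missing file", line))
        m = O4_RE.match(line)
        if not m:
            continue
        if m.group("name") == "":
            findings.append(Finding("medium", "autorun entry with empty name", line))
        p = PATH_RE.search(m.group("cmd"))
        if not p:
            continue
        low = p.group(0).lower()
        if "\\temp\\" in low:
            findings.append(Finding("high", "autorun launches an executable from a Temp folder", line))
        base = low.rsplit("\\", 1)[-1]
        real = lookalike(base)
        if real:
            findings.append(Finding("high", f"file name {base} imitates system process {real}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The look-alike test is deliberately narrow (exact edit distance 1 from a short list) so that legitimate names such as mctadmin.exe, which the helper also asked about but which is a Microsoft tool, do not trip it; a path check (the real winlogon.exe lives in System32) would be the natural next refinement.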
 
We're going to have to make a list of what does and doesn't work on Windows 7- what tools we can use in place of others.

bhebepau, please download OTS to your Desktop
  • Close all other programs.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    [o] Reg - Shell Spawning
    [o] File - Lop Check
    [o] File - Purity Scan
    [o] Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the report in next reply.

kritius, I'm going to need your help with the report.
 
Let's get rid of this:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [Image: CF_Uninstall-1.jpg]


I'm going to need help with the Windows 7 processes in the OTS log. It's so new that I'm not very familiar with it yet. But it will be Monday before I can get help.

Please wait if you can and don't run any other cleaning programs, download or uninstall. Be sure the antivirus program is compatible and up to date.

Edited out 2 lines of text from Combofix uninstall.
 
Let's get rid of this:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [Image: CF_Uninstall-1.jpg]

  • When shown the disclaimer, Select "2"
  • This will delete ComboFix's related folders and files, reset your clock settings, hide file extensions/system files and reset System Restore.

I'm going to need help with the Windows 7 processes in the OTS log. It's so new that I'm not very familiar with it yet. But it will be Monday before I can get help.

Please wait if you can and don't run any other cleaning programs, download or uninstall. Be sure the antivirus program is compatible and up to date.

There was an error: "Windows cannot find 'Combofix'. Make sure you typed the name correctly, and then try again."

I'm sure that I put a space between the X and the /.
 
Okay, sorry- I had two lines in the uninstall directions that I removed.

You do not need to copy the quote in the reply, but see if the revised direction works: this is just the part that is above the image.

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

If it doesn't, we'll handle it Monday.
 
Here is the fix for the OTS log.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (824 bytes and 21 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> Reset Hosts ->
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> Combo-Fix -> C:\Combo-Fix
NY -> SWXCACLS.exe -> C:\Windows\SWXCACLS.exe
NY -> SWREG.exe -> C:\Windows\SWREG.exe
NY -> SWSC.exe -> C:\Windows\SWSC.exe
NY -> NIRCMD.exe -> C:\Windows\NIRCMD.exe
NY -> ERDNT -> C:\Windows\ERDNT
NY -> Qoobox -> C:\Qoobox
[Files/Folders - Modified Within 30 Days]
NY -> PEV.exe -> C:\Windows\PEV.exe
NY -> coimtb.exe -> C:\Windows\System32\coimtb.exe
NY -> wwialc.exe -> C:\Windows\System32\wwialc.exe
NY -> bgdamv.exe -> C:\Windows\System32\bgdamv.exe
NY -> fcsgmg.exe -> C:\Windows\System32\fcsgmg.exe
NY -> MBR.exe -> C:\Windows\MBR.exe
[File - Lop Check]
NY -> C:\Users\Admin\AppData\Roaming\BitTorrent -> C:\Users\Admin\AppData\Roaming\BitTorrent
NY -> C:\Users\Admin\AppData\Roaming\uTorrent -> C:\Users\Admin\AppData\Roaming\uTorrent
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
 
All Processes Killed
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
[Files/Folders - Created Within 30 Days]
C:\Combo-Fix\N_ folder moved successfully.
C:\Combo-Fix\en-US folder moved successfully.
C:\Combo-Fix folder moved successfully.
C:\Windows\SWXCACLS.exe moved successfully.
C:\Windows\SWREG.exe moved successfully.
C:\Windows\SWSC.exe moved successfully.
C:\Windows\NIRCMD.exe moved successfully.
C:\Windows\ERDNT\Hiv-backup\Users\00000004 folder moved successfully.
C:\Windows\ERDNT\Hiv-backup\Users\00000003 folder moved successfully.
C:\Windows\ERDNT\Hiv-backup\Users\00000002 folder moved successfully.
C:\Windows\ERDNT\Hiv-backup\Users\00000001 folder moved successfully.
C:\Windows\ERDNT\Hiv-backup\Users folder moved successfully.
C:\Windows\ERDNT\Hiv-backup folder moved successfully.
C:\Windows\ERDNT folder moved successfully.
C:\Qoobox\TestC folder moved successfully.
C:\Qoobox\Test folder moved successfully.
C:\Qoobox\Quarantine\Registry_backups folder moved successfully.
C:\Qoobox\Quarantine folder moved successfully.
C:\Qoobox\LastRun folder moved successfully.
C:\Qoobox\BackEnv folder moved successfully.
C:\Qoobox folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Windows\PEV.exe moved successfully.
C:\Windows\System32\coimtb.exe moved successfully.
C:\Windows\System32\wwialc.exe moved successfully.
C:\Windows\System32\bgdamv.exe moved successfully.
C:\Windows\System32\fcsgmg.exe moved successfully.
C:\Windows\MBR.exe moved successfully.
[File - Lop Check]
C:\Users\Admin\AppData\Roaming\BitTorrent folder moved successfully.
C:\Users\Admin\AppData\Roaming\uTorrent folder moved successfully.
[Empty Temp Folders]


User: Admin
->Temp folder emptied: 91015981 bytes
->Temporary Internet Files folder emptied: 17376782 bytes
->Java cache emptied: 13817519 bytes
->FireFox cache emptied: 80295443 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 105689 bytes
RecycleBin emptied: 7130649 bytes

Total Files Cleaned = 200.03 mb

< End of fix log >
OTS by OldTimer - Version 3.1.4.0 fix logfile created on 11092009_174629

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
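As an added example, not part of this thread or of the OTS tool, a short Python parser for the fix-log layout posted above: it groups what was moved under each [section], keeps files that were still locked at move time (scheduled for reboot) so they can be re-checked, totals the bytes emptied, and lists executables pulled out of System32, where the random-named files in this log lived. The sample log is constructed from lines in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the OTS fix-log layout (a subset of the lines posted above).
SAMPLE_LOG = r"""
[Registry - Safe List]
HOSTS file reset successfully!
[Files/Folders - Modified Within 30 Days]
C:\Windows\PEV.exe moved successfully.
C:\Windows\System32\coimtb.exe moved successfully.
C:\Windows\System32\wwialc.exe moved successfully.
[Empty Temp Folders]
->Temp folder emptied: 91015981 bytes
->Java cache emptied: 13817519 bytes
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
MOVED_RE = re.compile(r"^(.+?) (?:folder )?moved successfully\.$")
FAILED_RE = re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$")
BYTES_RE = re.compile(r"^(?:->)?(.+?): (\d+) bytes$")

@dataclass
class FixSummary:
    moved: dict = field(default_factory=dict)     # section header -> paths moved to quarantine
    deferred: list = field(default_factory=list)  # locked files OTS will move on reboot
    hosts_reset: bool = False
    bytes_freed: int = 0

def parse_ots_fix_log(text: str) -> FixSummary:
    """Walk the log line by line, remembering the current [section] header."""
    summary, section = FixSummary(), None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif line == "HOSTS file reset successfully!":
            summary.hosts_reset = True
        elif m := MOVED_RE.match(line):
            summary.moved.setdefault(section, []).append(m.group(1))
        elif m := FAILED_RE.match(line):
            summary.deferred.append(m.group(1))  # verify these are gone after the reboot
        elif m := BYTES_RE.match(line):
            summary.bytes_freed += int(m.group(2))
    return summary

def system32_executables(summary: FixSummary) -> list:
    """Executables removed from System32, the location of the random-named files in this thread."""
    return [p for paths in summary.moved.values() for p in paths
            if p.lower().startswith("c:\\windows\\system32\\") and p.lower().endswith(".exe")]
```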
 