Malware [Archive] - Safer-Networking Forums

View Full Version : Malware

Q_bert

2007-03-18, 03:26

Ok,

I reformatted yesterday for my six month cleaning. Had my nephews over and I think they jumped on some malware sites.

The major culprit is browser hijacking. Winantivirus 2006 is what I see the most and it is constantly trying to install itself.

I have run SBS&D and scoured my registry.

Here is my Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:21 PM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{721695AD-5148-4D0B-87D8-CA001C4AD631}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

any help would be appriciated.

Q_bert

2007-03-18, 03:40

Ok, ran Vundofix. Here are the vundofix log and a new hijackthis log...waiting to see if it worked..

VundoFix V6.3.16

Checking Java version...

Sun Java not detected
Scan started at 6:34:01 PM 3/17/2007

Listing files found while scanning....

C:\WINDOWS\System32\flqhajvf.dll
C:\WINDOWS\system32\ljjhhfe.dll
C:\WINDOWS\System32\llnmp.bak1
C:\WINDOWS\System32\llnmp.ini
C:\WINDOWS\System32\pmnll.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\flqhajvf.dll
C:\WINDOWS\System32\flqhajvf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhhfe.dll
C:\WINDOWS\system32\ljjhhfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.bak1
C:\WINDOWS\System32\llnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\llnmp.ini
C:\WINDOWS\System32\llnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\pmnll.dll
C:\WINDOWS\System32\pmnll.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 6:37:51 PM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {00482855-58F5-4536-B09A-B5AA6C2F14A3} - C:\WINDOWS\System32\tqjenupp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C3AE80DC-CE36-41E6-A011-E498F909614B} - C:\WINDOWS\System32\ljjhhfe.dll (file missing)
O2 - BHO: (no name) - {F339A268-2A44-42D9-9ABF-E5E77AC6BE6A} - C:\WINDOWS\System32\pmnll.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{721695AD-5148-4D0B-87D8-CA001C4AD631}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

pskelley

2007-03-19, 01:01

Welcome to the fourm, that was a good call because the Vundo infection is not showing in the first log. Missing BHO's and 020 Winlogons are clues as well as Winfixer popups. There is talk of Class Action concerning this junk if you are interested:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html

It looks like Vundofix killed the infection, all Vundo files "Has been deleted!" let's do this to cleanup the junk and see what happens.

1) HJT need a folder, return to C:\ and right click a blank spot then make a new folder and call it HJT. Move the HJT.exe that is there and the logfile into that folder. Backups for safety will also store there.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {00482855-58F5-4536-B09A-B5AA6C2F14A3} - C:\WINDOWS\System32\tqjenupp.dll
O2 - BHO: (no name) - {C3AE80DC-CE36-41E6-A011-E498F909614B} - C:\WINDOWS\System32\ljjhhfe.dll (file missing)
O2 - BHO: (no name) - {F339A268-2A44-42D9-9ABF-E5E77AC6BE6A} - C:\WINDOWS\System32\pmnll.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log for a final check, let me know how the computer is running.

Thanks

tashi

2007-03-27, 08:46

Due to lack of a response to helper this topic has been archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.