PDA

View Full Version : Infected with Malware for 2 months; better after running spybot, but still here



schwabday
2008-08-16, 20:41
Infected with something about 2 months ago. I have tried every fix I could find. I think I may have erased some needed files in my frustration, because I lost internet for a while. I opened in Safe mode with internet, and downloaded spybot and ran it. Then I was able to get on the net and finally able to run Windows update. I rebooted and ran spybot again in safe mode. It showed virtualmonde (Sp? again, I didn't write it down) and fixed it. It ran again when I booted into regular mode and still showed the same infection. I again fixed it and then ran this log. It is working much better, but still get a few pop ups and the printer will not work. My son uses this machine for music, and "my space" drama. Oh, and homework. .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:04 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {0272E595-8A31-45CD-9297-C0D86E07DF9E} - (no file)
O2 - BHO: (no name) - {5EDF9CEA-393B-4D20-A1CB-7F2180A06B6F} - (no file)
O2 - BHO: (no name) - {63CD3173-B53F-4EA1-8BE8-9B9310CB98AB} - C:\WINDOWS\system32\ddcBRIXN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {81C44682-509B-4077-9B20-D76483F7DD14} - C:\WINDOWS\system32\qoMcyWMC.dll (file missing)
O2 - BHO: {71d4ab96-7699-d069-96e4-c3f8d5ae0369} - {9630ea5d-8f3c-4e69-960d-996769ba4d17} - C:\WINDOWS\system32\oqckkj.dll
O2 - BHO: (no name) - {9BF52AA6-6199-4F43-B498-E283D6CDECC8} - C:\WINDOWS\system32\fccaWPhI.dll (file missing)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\geBuVpno.dll (file missing)
O2 - BHO: (no name) - {FFF99BAF-FF30-49B2-AEBA-058A99F2C15E} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fc95c78d] rundll32.exe "C:\WINDOWS\system32\txhaexdc.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F82A93.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F82A93.exe
O4 - HKCU\..\Run: [A00F354ACF9.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F354ACF9.exe
O4 - HKCU\..\Run: [A00FAE54E.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FAE54E.exe
O4 - HKCU\..\Run: [A00F3692B01.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F3692B01.exe
O4 - HKCU\..\Run: [A00FB53AEF8.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00FB53AEF8.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {8613571C-30D2-4BD4-9710-3DFDBADE8190} (AMI Pictorial Control CWeb 2.1 SPa05) - https://pacs.chhi.org/ami/install/amiviewer.cab
O20 - Winlogon Notify: geBuVpno - geBuVpno.dll (file missing)
O20 - Winlogon Notify: __c004002C - C:\WINDOWS\system32\__c004002C.dat
O20 - Winlogon Notify: __c00780D1 - C:\WINDOWS\system32\__c00780D1.dat (file missing)
O20 - Winlogon Notify: __c009B9E4 - C:\WINDOWS\system32\__c009B9E4.dat (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O24 - Desktop Component 0: (no name) - http://myspace-507.vo.llnwd.net/00906/70/58/906628507_l.jpg

--
End of file - 7684 bytes

pskelley
2008-08-18, 01:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Sorry to be the bearer of bad news but you have backdoor trojans on this computer.

C:\WINDOWS\system32\wmsdkns.exe
http://www.google.com/search?hl=en&q=wmsdkns.exe%2C&btnG=Google+Search

C:\WINDOWS\b2new.exe
http://www.google.com/search?hl=en&q=b2new.exe+&btnG=Search

You also have Vundo, while hard to remove it is not considered as dangerous as those trojans, I need to give you this information.

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks

schwabday
2008-08-19, 21:58
As I said, this has been going on for almost 2 months (although I have been out of the country for a portion of that time.)

The infected computer is used primarily by our sons for games and my space, however we have 2 laptops that we use at home for business. They connect wirelessly to the same router, and have lots of sensitive data. Would they be at risk from this backdoor trojan, too?

pskelley
2008-08-19, 22:08
Since I have never used a wireless router, hard for me to give you an answer, but my guess would be if they are on the same network they all could be infected. If they are just using the same router to access the internet, they may not be. This is a little beyond my technical expertise.

Thanks

schwabday
2008-08-19, 22:41
The kid who had time for all that web browsing and banner clicking can now busy himself with a clean install of Windows XP.

I am going to disable anything that looks like networking with the infected computer. Thanks again for all your help.

pskelley
2008-08-20, 00:01
Sounds like you are say you intend to reformat, that being the case here is information if needed.

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html