laptop severely infected



cleblanc
2009-05-05, 00:39
Need some help here, my laptop is severely infected. I'm bombarded by multiple popups, system crashes and IE crashes. A friend recommended this site and spoke highly of it. I think of myself as a beginner when it comes to computers, so I apologize now if I'm having trouble understanding your instructions. Here is a copy of my HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:04 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\ld08.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\pp06.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\Documents and Settings\charles leblanc\reader_s.exe
C:\WINDOWS\system32\DL32.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\2629321392.exe
C:\WINDOWS\system32\w.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dncyool64.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1561552
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHots.dll
O1 - Hosts: 63.119.44.200 www.ghen1.net
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {77193f1f-9b33-442d-b46b-e73b4eda0eac} - C:\WINDOWS\system32\fevadere.dll
O2 - BHO: C:\WINDOWS\system32\sjg9s8guigjs.dll - {b2ba40a2-74f0-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\sjg9s8guigjs.dll
O2 - BHO: C:\WINDOWS\system32\jkshfuiehi.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\jkshfuiehi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHots.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [7121865f] rundll32.exe "C:\WINDOWS\system32\wutivoba.dll",b
O4 - HKLM\..\Run: [vivusepunu] Rundll32.exe "C:\WINDOWS\system32\yasabetu.dll",s
O4 - HKLM\..\Run: [sysLDtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [CPM7212b5c3] Rundll32.exe "c:\windows\system32\diguweha.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\erhtl1w5v.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\2629321392.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\charles leblanc\reader_s.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0809575090-9354082102-180630277-2969\service.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [DL32] DL32
O4 - HKCU\..\Run: [uidenhiufgsduiazghs] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\lej039g8.exe
O4 - HKCU\..\Run: [A00F54246BF.exe] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\_A00F54246BF.exe
O4 - HKCU\..\Run: [A00F2D3B2.exe] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\_A00F2D3B2.exe
O4 - HKCU\..\Run: [A00F423E2.exe] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\_A00F423E2.exe
O4 - HKCU\..\Run: [A00F36465.exe] C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\_A00F36465.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wx8bg46k1.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\wx8bg46k1.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\741076880.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\charles leblanc\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\ludiwemi.dll c:\windows\system32\bowafefi.dll c:\windows\system32\diguweha.dll,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: __c00793ee - C:\WINDOWS\system32\__c00793EE.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\diguweha.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\sjg9s8guigjs.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\jkshfuiehi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\diguweha.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10545 bytes
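As an added example (not part of cleblanc's post and not code from the HijackThis tool), here is a small Python triage script that applies the checks a log reviewer applies by eye to O4, O23, R1 and O1 lines of the kind shown above: autostart targets living in a Temp folder or under RECYCLER, autostart entries with an empty name, services whose owner field is "Unknown owner" or an IP address, an svchost.exe outside System32, an IE proxy pointed at localhost, and hosts-file overrides. The sample lines are constructed for the demo, not copied from the log.

```python
import re

# Constructed sample in the shape of HijackThis O4/O23/R1/O1 lines
# (illustrative values, not copied from the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\USER~1\LOCALS~1\Temp\abc123.exe
O4 - HKCU\..\Run: [12ZFG94-F641] C:\RECYCLER\S-1-5-21-0-0-0-1\service.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: xyz Service (xyz) - 198.51.100.7 - C:\WINDOWS\system32\xyz.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: 192.0.2.10 www.example.com
"""

O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\Run: \[(.*?)\] (.*?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def suspicious_path(path):
    # Heuristics only: where a binary lives says a lot about whether it belongs.
    p = path.lower()
    if re.search(r"\\temp\\", p):
        return "runs from a Temp folder"
    if "\\recycler\\" in p:
        return "runs from RECYCLER"
    if p.endswith("\\svchost.exe") and not p.endswith("\\windows\\system32\\svchost.exe"):
        return "is an svchost.exe outside System32"
    return None

def triage(log_text):
    # Returns (line, reason) pairs that a log reviewer should look at first.
    findings = []
    for line in log_text.strip().splitlines():
        if m := O4_RE.match(line):
            if not m.group(1):
                findings.append((line, "autostart entry with an empty name"))
            if reason := suspicious_path(m.group(2)):
                findings.append((line, "autostart target " + reason))
        elif m := O23_RE.match(line):
            owner, path = m.group(2), m.group(3)
            if owner == "Unknown owner" or IP_RE.match(owner):
                findings.append((line, "service owner is not a vendor name: " + owner))
            if reason := suspicious_path(path):
                findings.append((line, "service binary " + reason))
        elif "ProxyServer = " in line and "localhost" in line.lower():
            findings.append((line, "IE proxy routed through localhost"))
        elif m := O1_RE.match(line):
            findings.append((line, "hosts file override %s -> %s" % (m.group(2), m.group(1))))
    return findings
```

Feed the whole log to `triage()` and vendor-signed entries such as the Synaptics and HP lines drop out, leaving only the entries that need a human decision.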

pskelley
2009-05-05, 14:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

C:\WINDOWS\System32\reader_s.exe >>> see this link:
http://www.systemlookup.com/Startup/19425.html

This machine needs to be formatted.

This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Information Links

http://free.avg.com/66558
http://www.avast.com/eng/win32-virut.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=66586
http://securitywatch.eweek.com/exploits_and_attacks/virut_delivers_polymorphic_punch.html

:sad:
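As an added example of pskelley's backup rules in code (not from the post or from Safer Networking), the Python script below classifies every file under a backup candidate folder: .exe and .scr files are skipped, zip archives are opened and skipped if they contain either, cab and rar archives are skipped outright because the standard library cannot look inside them, and htm/html/asp/php files are flagged for review. The file names and the temporary sample tree in `demo()` are constructed for the demonstration.

```python
import os
import tempfile
import zipfile

SKIP_EXT = {".exe", ".scr"}                     # Virut infects these: never copy them
REVIEW_EXT = {".htm", ".html", ".asp", ".php"}  # recent variants modify these
ARCHIVE_EXT = {".zip", ".cab", ".rar"}          # may hide .exe/.scr inside

def classify(path):
    """Return ('keep'|'review'|'skip', reason) for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXT:
        return "skip", "executable or screensaver"
    if ext in REVIEW_EXT:
        return "review", "web file that recent variants modify"
    if ext in ARCHIVE_EXT:
        if ext != ".zip" or not zipfile.is_zipfile(path):
            return "skip", "archive that cannot be inspected here"
        with zipfile.ZipFile(path) as zf:
            bad = [n for n in zf.namelist() if os.path.splitext(n)[1].lower() in SKIP_EXT]
        if bad:
            return "skip", "archive contains " + ", ".join(bad)
    return "keep", "data file"

def plan_backup(root):
    """Walk root; map each file's relative path (forward slashes) to its decision."""
    plan = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            plan[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return plan

def demo():
    """Constructed sample tree: a document, a web page, an .exe, and a zip hiding an .scr."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "thesis.doc"), "wb") as f:
            f.write(b"not really a doc")
        with open(os.path.join(root, "docs", "index.html"), "w") as f:
            f.write("<html></html>")
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(b"MZ")
        with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
            zf.writestr("holiday.jpg", b"\xff\xd8")
            zf.writestr("slideshow.scr", b"MZ")
        return plan_backup(root)

if __name__ == "__main__":
    for rel, (decision, why) in sorted(demo().items()):
        print(f"{decision:6} {rel}  ({why})")
```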