PDA

View Full Version : Need help cleaning up after infection



Havoc
2009-07-23, 04:43
Sorry for the length of this, but I’ve been slack on my malware protection lately, and just got a major infection. I tried cleaning it up on my own, and wanted to be clear on everything that happened and what I did. Thank you in advance for any help and advice you can offer.

I was online the other night going through some old bookmarks and found myself at some. . . "questionable" sites (yes, I should've known better), when my system started bogging down. A message then popped up saying that Windows Firewall had been disabled (since adding a router with a hardware firewall, I never got around to finding a replacement for the free version of ZoneAlarm I had become disappointed with and quit using), and TeaTimer messages began popping up about allowing various changes. Realizing that I had just gotten infected with something, I denied all the TeaTimer requests and turned off my DSL modem to prevent anything else from getting in or out of my system. A fake “scan” and warning that I was infected with various things and needed to purchase something from “System Security” took over my desktop.

I ran SpyBot to try to clean things up, but hadn’t updated it in months (version 1.6.0 I think it was). It found multiple things, including a trojan and some keyloggers, and I had it remove all of them. I also ran a full scan of Avast! (updated that day), which found and removed some things. Rebooting left me with the malware still in control of my desktop, SpyBot would no longer open, and ctrl-alt-del would bring the Windows Task Manager up for just a second before it would disappear. Booting into Safe Mode allowed me to run SpyBot and Avast! again, but still did not remove the System Security hold on my computer. Some of the files found by these two included CNwAQdN.zip, sdra64.exe, and Win32.Agent.pz.

Looking around the areas where problems had been found, I came across a folder under documents and settings that contained the icon for the System Security garbage that had taken over my desktop, so I moved it to the recycle bin and then deleted it permanently. Rebooting brought me to a blank blue screen with nothing but a mouse cursor on it. No icons or taskbar or anything else. Safe Mode was the same except for being a black screen with the Safe Mode tags on it. From that, I found that I could call up the Task Manager and run things from there, so I got into the System Restore and reverted to a save point from the previous week. Everything loaded fine and things seemed normal, so I connected to the internet again and:

1. Updated and ran SpyBot, which found and removed another file related to System Security.
2. Immunized my system again.
3. Downloaded and ran SpywareBlaster
4. Downloaded and ran Malwarebytes Anti-Malware, which found and removed 4 or 5 more infections
5. Downloaded and ran SUPERAntiSpyware, which found and removed several more infections.

Currently, everything appears to be running normally, but reading the forums here has me worried that things may still be hidden in my system. I kept the system offline until after the system restore got my desktop back, and haven’t visited any sites where I had to enter a password or other personal information for fear of that information being stolen.

What I am thinking of doing now is to back up the things I feel are vital (photos, emails, bookmarks, Word files, and maybe a few other things), then reformatting and reinstalling, just in case. Below is my HJT log. Could you please look over it and see if anything appears problematic yet? Also, any idea of the odds any data has been stolen from my system? Finally, how much of a risk is there in transferring the files I mentioned to a clean install? Are there certain types that are safe and others that are not? Thank you so much for any help and guidance you can provide.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:40 PM, on 7/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230790931421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe

--
End of file - 6281 bytes

shelf life
2009-07-25, 04:28
hi,


Could you please look over it and see if anything appears problematic yet looks ok:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKLM\..\Run: [GEST] m‘|\ü



any idea of the odds any data has been stolen from my system?
cant tell from the malware you listed. disabling internet networking was good as alot of malware will fetch more malware.


how much of a risk is there in transferring the files I mentioned to a clean installsome malware/virus can infect external drives or usb flash drives then get transferred to a clean machine. You look to be safe here.
With all your updating, have you been to windows update lately?

Havoc
2009-07-25, 04:58
hi,

looks ok:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKLM\..\Run: [GEST] m‘|\ü

Done.


some malware/virus can infect external drives or usb flash drives then get transferred to a clean machine. You look to be safe here.
With all your updating, have you been to windows update lately?

Not since I got the infection. I thought about it, but figured I'd wait for more knowledgeable guidance before proceeding. For safety's sake, I think I am going to go ahead with a file backup and reformat and reinstall - unless you have other directions for me before that?

shelf life
2009-07-25, 21:57
For safety's sake, I think I am going to go ahead with a file backup and reformat and reinstall
ok then. Good luck. Some tips to help reduce your risk to malware:

10 Tips for Reducing Your Risk To Malware:

1) It is essential to Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. All browsers can have vulnerabilities but statistically it is the most commonly used browser that will tend to be targeted the most. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

Havoc
2009-07-25, 23:24
ok then. Good luck.

Thanks. And thank you very much for taking your time to go over this. It's great to see people going out of their way to help others for no personal gain. Much appreciated! :thanks::bigthumb: