staffnp
2009-11-18, 20:02
Hello,
We are a small non-profit organization in the mental health field and only have a few functional computers. One of our computers is infected (see log below) and our ISP is locking us out of our FTP access until we can verify that our local computer is virus free. We are facing a Hijack.WindowsUpdates virus that we cannot remove with our Malwarebytes program. I realize that the assistance in this forum is volunteer and I would like to sincerely thank the volunteers for being so generous with their time. If it is possible for someone to assist us with our virus situation we would be extremely grateful.
I've run ERUNT and I want to let you know that the System Restore is not turned on on this PC (not because of this event). I haven't tried any other fixes. AVG is the virus software.
Thank you very much.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:09 PM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TrueImageMonitor.exe
D:\Program Files\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
D:\PROGRA~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe
D:\Program Files\Conceptworld\RecentX\RecentX.exe
D:\PROGRA~1\avgnsx.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SmartRAM] D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "D:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\RYOKAN\EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\DOCUME~1\Linda\LOCALS~1\Temp\E_S52.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe"
O4 - Startup: RecentX.lnk = D:\Program Files\Conceptworld\RecentX\RecentX.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238598753046
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 5874 bytes
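As an added example (my code, not HijackThis output and not from the poster), a small Python pass over the entry format shown in the log above: it parses the `<section> - <body>` lines and flags the items a log helper checks first. The sample lines are copied from the posted log; the triage rules are my own heuristics, not anything HijackThis itself reports.

```python
import re

# Sample entries copied (one per line) from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""

# HJT entry shape: "<section code> - <body>", e.g. "O17 - HKLM\...: NameServer = ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_entries(text):
    """Return (section, body) tuples for every line that has the HJT entry shape."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return (section, reason, detail) tuples; these are my heuristics, not HJT's."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            findings.append((section, "orphaned entry, referenced file is gone", body))
        if section == "O17":
            ips = ",".join(IP_RE.findall(body))
            findings.append((section, "static DNS servers set, confirm they are the ISP's", ips))
        if section in ("R0", "R1") and "Default_Search_URL" in body and "microsoft.com" not in body.lower():
            findings.append((section, "IE default search points at a third party", body.split(" = ", 1)[1]))
        if section == "O23" and "Unknown owner" in body and body.rstrip().endswith("\\"):
            findings.append((section, "service path shown as a bare directory, verify ImagePath", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(parse_entries(SAMPLE_LOG)):
        print(f"{section:4} {reason}: {detail}")
```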