Hijack.windowsupdate--Small non-profit needs help fixing



staffnp
2009-11-18, 20:02
Hello,

We are a small non-profit organization in the mental health field and only have a few functional computers. One of our computers is infected (see log below) and our ISP is locking us out of our FTP access until we can verify that our local computer is virus free. We are facing a Hijack.WindowsUpdates virus that we cannot remove with our Malwarebytes program. I realize that the assistance in this forum is volunteer and I would like to sincerely thank the volunteers for being so generous with their time. If it is possible for someone to assist us with our virus situation we would be extremely grateful.

I've run ERUNT and I want to let you know that the System Restore is not turned on on this PC (not because of this event). I haven't tried any other fixes. AVG is the virus software.

Thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:09 PM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TrueImageMonitor.exe
D:\Program Files\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
D:\PROGRA~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe
D:\Program Files\Conceptworld\RecentX\RecentX.exe
D:\PROGRA~1\avgnsx.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SmartRAM] D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "D:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\RYOKAN\EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\DOCUME~1\Linda\LOCALS~1\Temp\E_S52.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe"
O4 - Startup: RecentX.lnk = D:\Program Files\Conceptworld\RecentX\RecentX.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238598753046
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5874 bytes
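A log like the one above can be triaged mechanically before a helper reads it by hand. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the tools named in the log. It parses one-entry-per-line HijackThis sections and flags the patterns a reviewer checks first: "(file missing)" orphans, O23 services with no recognised publisher or an image path that is only a directory, O17 resolvers that are not on a caller-supplied trusted list, and O4 autoruns launched from a user profile or temp directory. The sample lines are copied from the posted log; the trusted-DNS set is an assumption the operator fills in from the ISP's own documentation, and every flag is a prompt to verify, not a verdict that the entry is malicious.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few entries copied from the posted log, one entry per line.
SAMPLE_LOG = r"""
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\avgwdsvc.exe
"""

# Section lines look like "<code> - <body>"; header and "Running processes" lines do not.
_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Locations an autorun normally has no business living in.
_PROFILE_PATH = re.compile(r"Documents and Settings\\|Application Data\\|\\Temp\\", re.IGNORECASE)
_NAMESERVER = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)")


@dataclass
class Entry:
    kind: str                                   # HijackThis section code, e.g. "O23"
    body: str                                   # everything after "<kind> - "
    reasons: list = field(default_factory=list)  # review findings attached by review()


def parse_log(text):
    """Return one Entry per HijackThis section line; all other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def review(entries, trusted_dns=frozenset()):
    """Attach review reasons to entries and return only the ones that got any.

    trusted_dns is an assumption supplied by the operator (the ISP's documented
    resolvers); with the default empty set every O17 resolver is flagged for checking.
    """
    flagged = []
    for e in entries:
        if "(file missing)" in e.body:
            e.reasons.append("references a file that no longer exists (orphaned entry)")
        if e.kind == "O23":
            # The image path is the last " - " separated field of a service entry.
            image = e.body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if "Unknown owner" in e.body:
                e.reasons.append("service binary has no recognised publisher")
            if image.endswith("\\"):
                e.reasons.append("service image path is a directory, not an executable")
        if e.kind == "O17":
            m = _NAMESERVER.search(e.body)
            servers = {s.strip() for s in m.group(1).split(",") if s.strip()} if m else set()
            unknown = sorted(servers - set(trusted_dns))
            if unknown:
                e.reasons.append("DNS resolvers not on the trusted list: " + ", ".join(unknown))
        if e.kind == "O4" and _PROFILE_PATH.search(e.body):
            e.reasons.append("autorun launched from a user profile or temp directory")
        if e.reasons:
            flagged.append(e)
    return flagged


def report(flagged):
    """Plain-text summary, one line per flagged entry."""
    return "\n".join(f"{e.kind}: {e.body[:60]}... -> {'; '.join(e.reasons)}" for e in flagged)


if __name__ == "__main__":
    print(report(review(parse_log(SAMPLE_LOG))))
```

Run it as-is to see the sample findings, or pipe a full log in by replacing SAMPLE_LOG with the file contents. Entries such as the AVG tray program and the AVG watchdog service pass every rule, while the two services whose image path is only C:\WINDOWS\ collect two findings each; that is the kind of entry a helper would ask the poster about next.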

Shaba
2009-11-22, 18:41
Hi staffnp

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
Alternate download site: (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.