Spyware, Viruses, & Security forum

General discussion

Help! I'm dealing with nasty virus! HijackThis log included.

by bcs_4 / May 15, 2008 11:59 PM PDT

OS: Windows XP
Level: Intermediate - I do lots of tech stuff at work but I'm not comfortable enough with processes to do it all by myself.

Symptoms:

*PC runs very slowly
*pop up ads to random sites, whenever IE is open
*pop ups asking me to download dodgy-sounding security software

Here is my logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:22 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A 64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\avgtray.exe
O4 - HKLM\..\Run: [BM3f570861] Rundll32.exe "C:\WINDOWS\system32\ygpwdxsp.dll",s
O4 - HKLM\..\Run: [3c643bfd] rundll32.exe "C:\WINDOWS\system32\knjyddrd.dll",b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: 7digital Locker.lnk = C:\Program Files\7digital Locker\7digitalLocker.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\avgwdsvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel

Discussion is locked
You are posting a reply to: Help! I'm dealing with nasty virus! HijackThis log included.
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Help! I'm dealing with nasty virus! HijackThis log included.
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Spyware & Virus invasion
by tanguska / May 19, 2008 9:36 AM PDT

Try Downloading the Free version of "Threatfire". I have done this and I find it a valuable asset. I'm not proposing that it will cure your problem, but you may find that it helps.

Just a suggestion!

tanguska

Collapse -
help
by albertonene1 / May 19, 2008 11:48 AM PDT
In reply to: Get rid of it
Collapse -
Get Rid of it
by jaybyrd3 / May 19, 2008 6:34 PM PDT
In reply to: Get rid of it

He probably should not use AVG anti virus since he already has Mcafee on his system.

Collapse -
Help! I'm dealing with nasty virus! HijackThis log included.
by Ektor3 / May 19, 2008 1:01 PM PDT

try running your cleaners on safe mode/that usually shed light into some very interesting visitors

Collapse -
Hi, bcs_4
by Bugbatter / May 19, 2008 1:25 PM PDT

bcs_4,
One of the infections showing in your log was easy for you to pick up because of your outdated, vulnerable version of Java. Even if you clean the infection, your computer is a magnet for malware with that old version of Java.
I suggest that you follow Roddy's instructions to post your log on another forum so the infections as well as the vulnerabilities can be handled by an expert.

Collapse -
Geez
by lantaipuo / May 19, 2008 4:14 PM PDT
In reply to: Hi, bcs_4

You wrote: One of the infections showing in your log was easy for you to pick up because of your outdated, vulnerable version of Java. Even if you clean the infection, your computer is a magnet for malware with that old version of Java.

This one doesn't seem "right"

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A 64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6

and a google search shows:

C:\WINDOWS\mrofinu572.exe

http://www.google.ca/search?q=C%3A%5CWINDOWS%5Cmrofinu572.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

and as I was googling I also saw these:
O4 - HKLM\..\Run: [BM3f570861] Rundll32.exe "C:\WINDOWS\system32\ygpwdxsp.dll",s
O4 - HKLM\..\Run: [3c643bfd] rundll32.exe "C:\WINDOWS\system32\knjyddrd.dll",b

I also came late to this threat as it is dated May 16,2008 but your reply is not helping bcs_4. He obviously read what moderator roddy32 wrote as he didn't reply in this thread.

Isn't it: Members are HELPING members?

I know, I know, I am only a LURKER, but oh well, have a good day.

Errare humanum est

Collapse -
Updating Java
by Bugbatter / May 22, 2008 4:15 AM PDT
In reply to: Geez

Great job! Thank you for your help. Now that you have identified some visible signs of infection for us, here are some instructions for removing older versions of Java and updating.

Download the latest version of http://java.sun.com/javase/downloads/index.jsp]Java Runtime Environment (JRE) 1.6.0
Scroll down to where it says " Java Runtime Environment (JRE) 6u6 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

After installing, you can test here to see if the update has installed:
http://www.java.com/en/download/installed.jsp

Let us know if you have any other questions.

Collapse -
My 6-pence worth - Format The PC!
by VinceGP / May 19, 2008 6:46 PM PDT

I have never been able to get completely rid of viruses, spyware, trojans or any other malware, no matter what I used, how much I paid for it or how long it took.

So, now I find it is best (for me, my friends and my family) to make sure you have Norton Ghost (I have version 14 but I know 12 and higher also works on Vista, and I used v9 for XP), all the OS installation Disks, all the drivers, all software disks, a complete backup of your important files, documents, media (make sure its the legal, clean type of media, otherwise this is pointless), your email, contacts and calendar backups, favourites etc, then format your machine and do a clean install. You can use free Belarc Advisor to find all the software installed and serials on your machine - at www.belarc.com. To make sure you have all the drivers you need (in case you don't have the resource cd's for all your stuff), go get the free Driver Collector v1.2 from www.majorgeeks.com or www.softpedia.com. Its free, it works (I think only on Windows though?) and can only help you.

After you have re-installed the OS, and all the relevant software and email packages (e.g. MS Office), BUT BEFORE you load back all your important backups and data, go look for the latest updates, patches and drivers, and once your machine has been fully updated (this can take all night!), make an IMAGE of your drive with Norton Ghost (or whatever you want to use e.g. also go look at wwww.download.com or at www.pcworld.com for other free versions for making images - but Norton is the best for imaging a drive in my book).

Now copy back all your data, backups and media (taking care not to bring any suspect files, or "funnies" you got thru P2P) back on your machine. Voila, you have a prefectly clean machine. Run something like Avast Home (www.avast.com - free but very, very good) or AVG (also has a free version but slows your email down a bit)to protect your machine. Scan suspect files before copying it onto your machine with Avast (simple, right-click, scan function). Since you now have an image of you machine, you can perform a complete reinstall in less than 1 hour anytime you suspect you have a problem or suspect you have spyware or virus. It beats defrag or searching for malware, in my book. It only takes long the first time you do this (call it at most a weekend job), but with a proper image, you will be up and running in no time, and your machine is guaranteed to be as clean as it can be. Also, if you ever crash, it's a simple reload with the image, then load back your weekly (you do make backups at least weekly no?!) backup copy and voila, you're up and running!

People may say this is extreme ( I usually only hear people selling cleanup services or software say this though :-)), but it works for me, my friends, family and all my work mates. Use it, or lose it.

Collapse -
Help! I'm dealing with nasty virus!
by nibbon / May 20, 2008 11:16 PM PDT

Restore your system on a back date, I mean before this problem.

Collapse -
look...
by TurboSuper / May 24, 2008 7:54 AM PDT

Do matter what scanner you buy, what programs you use, they all have one common achilles heel: They need to be in Windows to run.

Modern viruses work their way into system processes such that even if a virus scanner detects them, they will not be able to be deleted, even if you boot into safe mode.

So, is there a way out? Of course! You need to load something other than Windows.

Avira makes a CD which will boot into a linux-based Os and run the scan, and best of all, it's free: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Collapse -
One Thing Obvious: You've Got.....
by tobeach / May 29, 2008 5:31 PM PDT
Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?