security virus only lets me post hijack log

Printable View

06-18-2011, 04:45 AM
lupus

security virus only lets me post hijack log

soooo. i got a xp security 2012 virus and the reason i can't post my maleware and super antispyware logs is because the virus won't let me. i am also suspicious that there may be another virus called BHO.

the virus does not let me post on the internet nor will it let me use the help2go detector. but i still have access to the internet and i can download programs, it jut won't let you run them.

the virus continues to work even in safe mode. but the 1 good thing is that SUPER antispyare starts up running before the virus can stop it at startup so i can still scan and remove some threats. but the down side is that as soon as spyware gets rid of it it comes back instantly.

so far S&D has kept registry changes from happening but 2 registry files are infected or found to be a virus says super antispyware.

since i cannot post the log should i post the names of the files super antispyware lists as it scans?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:42:48 PM, on 6/17/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\\WINDOWS\System32\smss.exe
C:\\WINDOWS\system32\winlogon.exe
C:\\WINDOWS\system32\services.exe
C:\\WINDOWS\system32\lsass.exe
C:\\WINDOWS\system32\svchost.exe
C:\\WINDOWS\System32\svchost.exe
C:\\WINDOWS\Explorer.EXE
C:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net | Entertainment | News | Sports | Email | Watch TV Online | Comcast Deals | On Demand
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
02 - BHO: (no name) - {01A9EFF7-C140-4470-AC00-54CDDF32713a} - (no file)
02 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
02 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
02 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
02 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
02 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
02 - BHO: Window Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Fies\Microsoft Shared\Windows Live
\WindowsLiveLogin.dll
02 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
02 - BHO: b061ec06 - {D54A6DAE-9B7D-1331-2F81-CB9EBF7D0F64} - C:\WINDOWS\system32\oleaut3232.dll
02 - BHO: Java(tm) Plug-in 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
02 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
03 - Toolbar: Comcast Tolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
03 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
04 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
04 - HKLM\..\Run: [CellVision WLAN Monitor] C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
04 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
04 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
04 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
04 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
04 - HKCU\..\Run: [30606544] C:\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe
04 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
04 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\\WINDOWS\system32\ctfmon.exe (USER 'Default user')
09 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
09 - Extra 'Tools' menuitem: spybot Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1
\SDHelper.dll
016 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http//update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129422761284
016 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
020 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSPYware\SASWINLO.DLL
022 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0c90312E1} - C:\WINDOWS\System32\browseui.dll
022 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
023 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4580 bytes
06-19-2011, 03:02 AM
lupus

ok i got bad news and good news and more bad news.

bad news is i knew the xp security 2012 virus was under the name twf.exe from the task manager. so after disabling twf.exe from startup using msconfig, i tracked the file back to where it was located and deleted it. this might have been stupid and i am unsure if any registry was damaged by my action.

the good news is now with twf.exe gone, all programs can run again. i can now post all 3 logs needed. i also ran Rkill and TDSSkiller just because i thought it might help. also i can post on forums again and hijack detective works for me again. the virus was blocking those actions.

the more bad news but small thing is all programs now ask now what would i like to open them with, so to run a program i now have to open it with itself from the program files. kind of annoying having to open everything with itself to run it every time.

i hope this change of fate helps a lot more than my 1st post.

Malwarebytes' Anti-Malware 1.51.0.1200
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 6883

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/18/2011 11:39:05 PM
mbam-log-2011-06-18 (23-39-05).txt

Scan type: Quick scan
Objects scanned: 154264
Time elapsed: 16 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\temp\nbuo\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/18/2011 at 11:41 PM

Application Version : 4.54.1000

Core Rules Database Version : 7282
Trace Rules Database Version: 5094

Scan type : Quick Scan
Total Scan Time : 00:28:45

Memory items scanned : 331
Memory threats detected : 0
Registry items scanned : 1363
Registry threats detected : 2
File items scanned : 4641
File threats detected : 8

System.BrokenFileAssociation
HKCR\exefile\shell\open\command

Trojan.Agent/Gen
HKU\S-1-5-21-1715567821-1078145449-854245398-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#30606544

Adware.Tracking Cookie
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\6F344FCP ]
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.intergi[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising.sheknows[2].txt

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:56:15 PM, on 6/18/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net | Entertainment | News | Sports | Email | Watch TV Online | Comcast Deals | On Demand
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {01A9EFF7-C140-4470-AC00-54CDDF32713a} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: b061ec06 - {D54A6DAE-9B7D-1331-2F81-CB9EBF7D0F64} - C:\WINDOWS\system32\oleaut3232.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129422761284
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4881 bytes
06-23-2011, 05:46 PM
fireman4it
Hello and welcome to http://www.help2go.com/images/help2go-logo7.png

We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:
1. If you have since resolved the original problem you were having, we would appreciate you letting us know.
2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  - If you are unsure about any of these characteristics just post what you can and we will guide you.
3. Please tell us if you have your original Windows CD/DVD available.
4. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
5. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
6. Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
7. If you have already posted a DDS log, please do so again, as your situation may have changed.
8. Use the 'Add Reply' and add the new log to this thread.
We need to see some information about what is happening in your machine. Please perform the following scan again:
- Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  - DDS.scr
  - DDS.pif
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the results.
- Follow the instructions that pop up for posting the results.
- Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice
Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Note:
If you are unable to run a Gmer scan due the fact you are running a64bit machine please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
- Double click the aswMBR.exe icon to run it
- Click the Scan button to start the scan
- On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Thanks and again sorry for the delay.