Results 1 to 3 of 3
  1. #1
    Member lupus's Avatar
    Join Date
    Dec 2005
    Posts
    7
    Points
    0

    Default security virus only lets me post hijack log

    soooo. i got a xp security 2012 virus and the reason i can't post my maleware and super antispyware logs is because the virus won't let me. i am also suspicious that there may be another virus called BHO.

    the virus does not let me post on the internet nor will it let me use the help2go detector. but i still have access to the internet and i can download programs, it jut won't let you run them.

    the virus continues to work even in safe mode. but the 1 good thing is that SUPER antispyare starts up running before the virus can stop it at startup so i can still scan and remove some threats. but the down side is that as soon as spyware gets rid of it it comes back instantly.

    so far S&D has kept registry changes from happening but 2 registry files are infected or found to be a virus says super antispyware.

    since i cannot post the log should i post the names of the files super antispyware lists as it scans?




    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:42:48 PM, on 6/17/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\\WINDOWS\System32\smss.exe
    C:\\WINDOWS\system32\winlogon.exe
    C:\\WINDOWS\system32\services.exe
    C:\\WINDOWS\system32\lsass.exe
    C:\\WINDOWS\system32\svchost.exe
    C:\\WINDOWS\System32\svchost.exe
    C:\\WINDOWS\Explorer.EXE
    C:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net | Entertainment | News | Sports | Email | Watch TV Online | Comcast Deals | On Demand
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    02 - BHO: (no name) - {01A9EFF7-C140-4470-AC00-54CDDF32713a} - (no file)
    02 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    02 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    02 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    02 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    02 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    02 - BHO: Window Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Fies\Microsoft Shared\Windows Live
    \WindowsLiveLogin.dll
    02 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    02 - BHO: b061ec06 - {D54A6DAE-9B7D-1331-2F81-CB9EBF7D0F64} - C:\WINDOWS\system32\oleaut3232.dll
    02 - BHO: Java(tm) Plug-in 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    02 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    03 - Toolbar: Comcast Tolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    03 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    04 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    04 - HKLM\..\Run: [CellVision WLAN Monitor] C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
    04 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    04 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    04 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    04 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    04 - HKCU\..\Run: [30606544] C:\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe
    04 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    04 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\\WINDOWS\system32\ctfmon.exe (USER 'Default user')
    09 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    09 - Extra 'Tools' menuitem: spybot Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1
    \SDHelper.dll
    016 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http//update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129422761284
    016 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
    020 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSPYware\SASWINLO.DLL
    022 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0c90312E1} - C:\WINDOWS\System32\browseui.dll
    022 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    023 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4580 bytes

  2. #2
    Member lupus's Avatar
    Join Date
    Dec 2005
    Posts
    7
    Points
    0

    Default

    ok i got bad news and good news and more bad news.

    bad news is i knew the xp security 2012 virus was under the name twf.exe from the task manager. so after disabling twf.exe from startup using msconfig, i tracked the file back to where it was located and deleted it. this might have been stupid and i am unsure if any registry was damaged by my action.

    the good news is now with twf.exe gone, all programs can run again. i can now post all 3 logs needed. i also ran Rkill and TDSSkiller just because i thought it might help. also i can post on forums again and hijack detective works for me again. the virus was blocking those actions.

    the more bad news but small thing is all programs now ask now what would i like to open them with, so to run a program i now have to open it with itself from the program files. kind of annoying having to open everything with itself to run it every time.

    i hope this change of fate helps a lot more than my 1st post.



    Malwarebytes' Anti-Malware 1.51.0.1200
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 6883

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    6/18/2011 11:39:05 PM
    mbam-log-2011-06-18 (23-39-05).txt

    Scan type: Quick scan
    Objects scanned: 154264
    Time elapsed: 16 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\twf.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\temp\nbuo\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.




    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 06/18/2011 at 11:41 PM

    Application Version : 4.54.1000

    Core Rules Database Version : 7282
    Trace Rules Database Version: 5094

    Scan type : Quick Scan
    Total Scan Time : 00:28:45

    Memory items scanned : 331
    Memory threats detected : 0
    Registry items scanned : 1363
    Registry threats detected : 2
    File items scanned : 4641
    File threats detected : 8

    System.BrokenFileAssociation
    HKCR\exefile\shell\open\command

    Trojan.Agent/Gen
    HKU\S-1-5-21-1715567821-1078145449-854245398-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#30606544

    Adware.Tracking Cookie
    secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\6F344FCP ]
    C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@trafficengine[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
    C:\Documents and Settings\NetworkService\Cookies\system@ads.intergi[1].txt
    C:\Documents and Settings\NetworkService\Cookies\system@advertising.sheknows[2].txt




    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:56:15 PM, on 6/18/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net | Entertainment | News | Sports | Email | Watch TV Online | Comcast Deals | On Demand
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    O2 - BHO: (no name) - {01A9EFF7-C140-4470-AC00-54CDDF32713a} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O2 - BHO: b061ec06 - {D54A6DAE-9B7D-1331-2F81-CB9EBF7D0F64} - C:\WINDOWS\system32\oleaut3232.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [CellVision WLAN Monitor] C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129422761284
    O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.6.0_14) -
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4881 bytes

  3. #3
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello and welcome to

    We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    Please take note:

    1. If you have since resolved the original problem you were having, we would appreciate you letting us know.
    2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
      • If you are unsure about any of these characteristics just post what you can and we will guide you.
    3. Please tell us if you have your original Windows CD/DVD available.
    4. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
    5. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
    6. Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
    7. If you have already posted a DDS log, please do so again, as your situation may have changed.
    8. Use the 'Add Reply' and add the new log to this thread.


    We need to see some information about what is happening in your machine. Please perform the following scan again:

    • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


    We also need a new log from the GMER anti-rootkit Scanner.

    Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

    Please first disable any CD emulation programs using the steps found in this topic:

    Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:


    Note:
    If you are unable to run a Gmer scan due the fact you are running a64bit machine please run the following tool and post its log.

    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.




    Thanks and again sorry for the delay.
    " Extinguishing Malware from the world"

    The Spware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-