03-03-2011, 01:25 PM
PC has continuous pop-ups for an AV program. OS is XP Media Centre.
So far I have disabled System Restore, run RKill (note: it has to run at the start of the desktop loading, otherwise the infection won't allow it to run), then run Malwarebytes, Spybot S&D and SUPERAntiSpyware, all in full mode. Do I need to reboot after each program, or can I just reboot after all 3, as this is what I have done?
Note I turned on System Restore before I rebooted; also, the above programs did find and delete infected files.
After reboot still infected. Am I missing an important step?

HJT log as below. Many thanks, Wayne

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:23 a.m., on 3/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
K:\Service programs\HiJackThis V2.02.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [mpdxwwgi] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\wuvojjcoy\lphguawhmof.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Run_DiskCleaner.lnk = C:\Program Files\Disk Cleaner\dclean.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D7B999-7E0C-484F-9644-16537FB197FD}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{06D7B999-7E0C-484F-9644-16537FB197FD}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{06D7B999-7E0C-484F-9644-16537FB197FD}: NameServer =
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

End of file - 7986 bytes

03-03-2011, 02:09 PM
This looks like it's in the wrong place - could be the bugger causing all the problems.

O4 - HKCU\..\Run: [mpdxwwgi] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\wuvojjcoy\lphguawhmof.exe

Start in Safe Mode with Networking, then run RKill; the infections usually won't run while in Safe Mode.

Also use CCleaner to clean out the temp files, as per where that exe is sitting.

If Malwarebytes and the others are missing it, then in Safe Mode with Networking, after running RKill, download and run Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) - turn ON System Restore.

Just a warning: on the odd occasion Combofix, after removing the infections, can cause the PC not to load Windows. This normally happens on really badly infected PCs. Hence System Restore being on, so IF it turns turtle, you can run System Restore back via a command prompt.

Speedy Gonzales
03-03-2011, 02:27 PM
HJT is out of date too

You can tick these, then tick Fix checked. Close browsers.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [mpdxwwgi] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\wuvojjcoy\lphguawhmof.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
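
A small checker that does the triage the two replies above did by eye, as an added example that is not from the thread or from HijackThis itself: it parses O2, O4 and O24 lines from an HJT log, flags autoruns that launch from a Temp directory, and flags entries whose file is gone. The sample log lines are constructed from the entries discussed in the thread; the severity labels and the rules that assign them are this example's own assumptions, not anything HJT defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis log format. The suspicious entries are
# the ones named in the thread; the others are benign entries kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [mpdxwwgi] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\wuvojjcoy\lphguawhmof.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Run_DiskCleaner.lnk = C:\Program Files\Disk Cleaner\dclean.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/COMPAQ~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg
"""


@dataclass
class Finding:
    line: str       # the original log line, i.e. what you would tick in HJT
    kind: str       # HJT section, e.g. O4
    name: str       # entry label (Run value name, BHO name, ...)
    target: str     # file or URL the entry points at, as written in the log
    severity: str   # "high", "medium" or "low" (this example's own scale)
    reason: str


ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O4 registry Run entries: "HKCU\..\Run: [name] command line"
RUN_RE = re.compile(r"^[^\[]*\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 entries: "BHO: name - {CLSID} - path"; splitting on the CLSID keeps
# paths that themselves contain " - " (e.g. "Spybot - Search & Destroy") intact
CLSID_SPLIT_RE = re.compile(r"^(?P<label>.*?) - \{[^}]+\} - (?P<target>.*)$")
# Anything living under a Temp directory, with either path separator
TEMP_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


def split_entry(kind, body):
    """Return (name, target) for the entry kinds this checker understands."""
    if kind == "O4":
        m = RUN_RE.match(body)
        if m:
            return m.group("name"), m.group("cmd")
        # Startup-folder entries: "Global Startup: X.lnk = C:\path\prog.exe"
        label, _, target = body.partition(" = ")
        return label.strip(), target.strip()
    if kind == "O2":
        m = CLSID_SPLIT_RE.match(body)
        if m:
            return m.group("label").split(": ", 1)[-1], m.group("target").strip()
    if kind == "O24":
        # "Desktop Component 0: (no name) - file:///..."
        label, _, target = body.partition(" - ")
        return label.split(": ", 1)[-1], target.strip()
    return "", body


def assess(kind, name, target):
    """Apply the heuristics; returns (severity, reason) or (None, None)."""
    if target == "(no file)":
        return "low", "entry points at a file that no longer exists; harmless, but a leftover worth removing"
    if TEMP_RE.search(target):
        if kind == "O4":
            return "high", "autorun launches a program from a Temp directory, a common loader pattern; legitimate installers rarely leave their autorun there"
        return "medium", "entry references a file under a Temp directory"
    return None, None


def analyze(log_text):
    """Parse an HJT log and return the entries the heuristics flag, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        name, target = split_entry(kind, body)
        severity, reason = assess(kind, name, target)
        if severity:
            findings.append(Finding(line, kind, name, target, severity, reason))
    return findings


def fix_list(findings, min_severity="medium"):
    """Lines worth ticking for HJT's 'Fix checked', filtered by severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return [f.line for f in findings if rank[f.severity] >= rank[min_severity]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.kind} {f.name!r} -> {f.target}")
        print(f"         {f.reason}")
```

Run it on a saved `hijackthis.log` by passing the file's contents to `analyze()`; the Temp-directory rule is what singles out the `mpdxwwgi` entry, and the same rule also catches the O24 desktop component, which is why the reply above lists both.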

03-03-2011, 03:09 PM
Thanks guys. Malwarebytes is finding the infections; it just seems we are getting reinfected after reboot. Have just cleaned out temp files with CCleaner and am running Malwarebytes again in Safe Mode. Will then sort the HJT log. If no joy, will download Combofix.
Cheers, Wayne

03-03-2011, 03:15 PM
Might need to turn off System Restore, then run Malwarebytes.

03-03-2011, 04:34 PM
Delete all the ctfmon's; they will auto-recreate.
In Safe Mode, empty all the temp dirs & the windows\prefetch dir.
While you're at it, disable the POS Google Update service (services.msc).
Disable ALL other AV/spyware scanners when running a different scanner; having one running in the background while another is scanning may cause the infected file to not be removed (one will block the other on that file, so it gets left).

Also try Kaspersky TDSSKiller; it's so quick, just run it regardless (rootkit remover).

Then Spyware Doctor Starter Edition (free version); make sure you update it to v6 (update button). It will often find infections that the others miss. Use the full scan option.
UNINSTALL it when finished (not 100% stable).

Also look at just what these re-infections are & where they are before getting too panicked. Could be an infected email, System Restore, zipped files being detected & not cleaned, etc etc etc.
Try not using default scanning options on all the programs you are trying.
Set to scan every file, if having issues.

Unfortunately, some persistent infections really need a format & reload.

03-03-2011, 08:53 PM
Thanks all, have it sorted. Seems fixing the HJT issues and running CCleaner solved it. Didn't need Combo but have it downloaded. Cheers, Wayne

04-03-2011, 08:10 AM
Good that it's fixed :thumbs:

Re downloading Combo -- you may as well dump it, unless you are going to be using it within the next few days.

It DOES expire. One reason for this: they change it all the time, so the buggers who make the malware can't download it, then reverse engineer it and have their malware resistant to it.

They also do it so a person doesn't go trying to use an out-of-date version.

Just be careful though - Combofix is VERY powerful and can do several things (not just the simple scan you normally see). It can screw up a PC if you are not careful; it's not the average run-of-the-mill software. Final words, post 7 (http://www.bleepingcomputer.com/forums/topic117215.html)

04-03-2011, 10:29 AM
Combo gone, thanks again. Cheers, Wayne