Infected?



jonboy
08-06-2007, 03:21 PM
So I plugged my portable HDD into my PC today, and it must have picked something up on the network at uni.

I have a file named udjudwq.exe on my external HDD and on one of my internals.

There are processes named sybqnub.exe and gwthtis.exe that I can't end. They are installed in the System32 folder.

I have run Ad-Aware 2007, Spybot, and AVG. Ad-Aware and Spybot picked up something, but it's still there.

Any help is appreciated.

The_End_Of_Reality
08-06-2007, 03:38 PM
Get HijackThis (http://www.spywareinfo.com/~merijn/programs.php), extract it into a folder and run it, save the log file and post the whole log file here and we will see what it says... try Googling the filenames... I googled sybqnub.exe and got many hits, but they are all in a foreign language...

jonboy
08-06-2007, 03:45 PM
Thanks, will do. I tried searching the file names as well and got Chinese. Spybot says it is the Hupigon13 trojan.

SurferJoe46
08-06-2007, 03:47 PM
Shut off System Restore (you DO have a full-install disc... right?)
Run your anti-stuff while you are in Safe Mode.....
Run CCleaner after a reboot into Safe Mode again.

Run HJT in a normal boot and post it here... be sure to put HJT in a permanent folder, not a temp file area.

jonboy
08-06-2007, 03:57 PM
I do have an install disk. What will shutting off System Restore do? I won't lose data, will I?

The_End_Of_Reality
08-06-2007, 04:07 PM
Turning off System Restore will get rid of the restore points that the system has created in case you change a setting or whatever, want to revert back, and can't change the setting back... but no, you will not lose data such as documents. It is possible, though, that any nasties have gotten saved into a restore point and will be back if you have to restore... so turn off System Restore, run everything and get the system clean, and turn it back on if you wish...

You will also free up HDD space by deleting the old restore points :D

jonboy
08-06-2007, 04:08 PM
Thanks. Will get back to you all soon.

jonboy
08-06-2007, 04:46 PM
By the way, is there any way I can save old restore points to CD so that I can reload them once all this is done? Turning off System Restore will delete them.

SurferJoe46
08-06-2007, 04:53 PM
Why? They aren't valid after a short while anyway... and you might just re-introduce what you are trying to remove from the system all over again... too risky!

Speedy Gonzales
08-06-2007, 04:54 PM
You could try it, but then you may have to add yourself as admin to get into the folders for SR. In Safe Mode.

Since u can't get into the SR folder normally in XP. But then you'll be lucky to run anything in Safe Mode.

I wouldn't worry about backing them up... Whatever these files are, they may be in the SR folder. And if u can put them back in, you may get re-infected.

jonboy
08-06-2007, 10:00 PM
Scan saved at 9:03:23 p.m., on 8/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\gwthtis.exe
C:\WINDOWS\System32\sybqnub.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Genius TVR\remote.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Remote] C:\Program Files\Genius TVR\Remote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe
O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Mouse Remote] C:\WINDOWS\system32\control.exe C:\WINDOWS\System32\msii.cpl
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137571625968
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5959 bytes

The_End_Of_Reality
08-06-2007, 10:13 PM
OK, run it again in safe mode and tick these:

C:\WINDOWS\System32\gwthtis.exe
C:\WINDOWS\System32\sybqnub.exe
O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe
O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe
O4 - HKCU\..\Run: [Mouse Remote] C:\WINDOWS\system32\control.exe C:\WINDOWS\System32\msii.cpl
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/...erAX_Win32.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

Those are the bad ones. Speedy might pick up on others, but those are the nasty ones.

jonboy
08-06-2007, 10:47 PM
OK, I did that, apart from Mouse Remote. That's my Marmitek X10 remote and is something I have put there.

The trojan is still on the HDDs and showing up in the process list. It is trying to access the net. Luckily ZoneAlarm is stopping it.

The file is called udjudwq.exe and also has an autorun.inf file with it.

The_End_Of_Reality
08-06-2007, 10:52 PM
OK, what is the name of the process?

And are the 2 files still in the system folder?

EDIT: oh, that one... hmm, get Killbox (http://killbox.net/), select those nasty files, set it to delete them on boot, then restart your PC.

jonboy
08-06-2007, 11:21 PM
The process names are: sybqnub.exe and gwthtis.exe

They are both in the system32 folder.

The_End_Of_Reality
08-06-2007, 11:32 PM
OK, and what happens if you DL and run Killbox like I suggested on those 2 files?

Actually, run HijackThis again and post the new log, and we will see if it has done anything to help.

jonboy
08-06-2007, 11:53 PM
I tried Killbox twice and set it to remove the files in System32 as well as the install files on boot. Still there.

I tried Trojan Remover which picked it up, but it comes back on restart.

This is turning out to be a real *#$@%^*&.

Should I be running these removers in Safe or Normal mode?

I will run HJT again and post.

Edit:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:01:03 p.m., on 8/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\gwthtis.exe
C:\WINDOWS\System32\sybqnub.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Genius TVR\remote.exe
C:\Program Files\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Remote] C:\Program Files\Genius TVR\Remote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe
O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137571625968
O17 - HKLM\System\CCS\Services\Tcpip\..\{33EC06D9-0A40-49F7-9227-4B63CAA0F69F}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5089 bytes

SurferJoe46
09-06-2007, 04:00 AM
If you are sincere about cleaning things out, you should always use Safe Mode to get to it.

If the spyware/trojan/virus is running, you will have a much harder time killing it if it's got open folders or is constantly being morphed to avoid capture... some do things like that.

If you use Safe Mode, it's like not telling the problem child that the puter's on... and it lies dormant for that time... making it easier to destroy while it's sleeping, see?

If you've ever installed a new program or had some serious updates that make registry changes to your system, a reboot is required to make those changes.

Same's true for malware...most need a reboot to "turn them on" as it were.

Killing something that's registry-based is the same thing... a reboot OR not having it running at the time of extermination is required.

NOT having the whole system up and running gives you a better chance to capture and impound or destroy the problem. Safe Mode is a "minimally required programs" way of having the system running. You can run certain devices, have control of others and generally make changes that aren't likely to fall apart like they might if the whole house (computer) was awake.

Speedy Gonzales
09-06-2007, 07:30 AM
Run HJT again, tick these entries and tick Fix checked.

Turn System Restore off, boot into Safe Mode, and delete these 2 files.

If this doesn't fix it, u may have to boot into Safe Mode, add yourself as Admin to the System Volume Information folder, and delete everything in it.

C:\WINDOWS\System32\gwthtis.exe

C:\WINDOWS\System32\sybqnub.exe

O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe

O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

What's Trojan Remover picking them up as??

In Trojan Remover, also select the 3rd to 7th option under Utilities, if u haven't done this yet.

jonboy
09-06-2007, 01:38 PM
Well thanks to everyone who helped me out. I finally got rid of it.

I needed to format my portable HDD while in Safe Mode, then run HJT, Killbox and Trojan Remover while logged in as Admin, then repeat under User.

Again, thanks. Your help is really appreciated.

pctek
09-06-2007, 03:33 PM
By the way, is there any way I can save old restore points to CD so that I can reload them once all this is done? Turning off System Restore will delete them.

That's the whole point.
What do you want to keep them for? You'd restore all the malware back again.

Just create a new restore point after you have cleaned it out.

Jangos
21-06-2007, 08:38 PM
These two are bad files... get rid of them:

O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe

O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe

Run in Safe Mode and run HijackThis to get rid of them.

turnbullm
24-07-2007, 01:38 PM
Have the same virus...

It's disabled my NOD32 virus scanner, and is stopping HijackThis from running.

I tried rebooting into Safe Mode so I can run these programs, but the virus processes still load in Safe Mode! Argh!

What to do??

FoxyMX
24-07-2007, 02:38 PM
Try MoveOnBoot (http://www.snapfiles.com/get/moveonboot.html).

Speedy Gonzales
24-07-2007, 04:21 PM
I have a feeling it's this (http://www.symantec.com/security_response/writeup.jsp?docid=2006-062310-0921-99&tabid=1).

It's what affected some iPods (http://www.betanews.com/article/Apple_Ships_iPods_with_Windows_Virus/1161112089).

Here's the Symantec removal tool (http://securityresponse.symantec.com/avcenter/FxRajump.exe).

turnbullm
24-07-2007, 06:25 PM
I ran MoveOnBoot, which worked great: it stopped those 2 processes from starting on startup!

However, the virus has still blocked access to some programs.
Running nod32.exe won't work; it says it can't find the file.

To get HijackThis to work I had to rename it to HijackThiss.exe. Obviously the virus has done something to the registry?

Here is the log file, if anyone has some ideas:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:38 PM, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bubbles\BubbleBox.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HijackThis\HijackThiss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: BubblesBHO - {FF344242-A1AF-4343-A223-FC3DA42990C8} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Bubbles] "C:\Program Files\Bubbles\BubbleBox.exe" -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - Startup: Macromedia Dreamweaver 8.lnk = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bubble This URL - {A3A0268C-3146-431d-84EE-2789B750ABD2} - C:\Program Files\Bubbles\BubblesHBO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O17 - HKLM\System\CS2\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

Speedy Gonzales
25-07-2007, 09:42 AM
Did u try that removal tool?

Run HijackThis again, tick these entries, then tick Fix checked.

Do you know what this is?

C:\Program Files\Bubbles\BubbleBox.exe

O2 - BHO: BubblesBHO - {FF344242-A1AF-4343-A223-FC3DA42990C8} - (no file)

If you don't, tick them.

Safe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Not known

O4 - HKLM\..\Run: [Bubbles] "C:\Program Files\Bubbles\BubbleBox.exe" -startup

Safe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

This belongs to a worm.

O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

Looks like u have this (http://www.sophos.com/virusinfo/analyses/w32slomirca.html)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O9 - Extra button: Bubble This URL - {A3A0268C-3146-431d-84EE-2789B750ABD2} - C:\Program Files\Bubbles\BubblesHBO.dll

If you use IRC, get out of it.

Uninstall ALL versions of Sun Java. The latest is in my sig below.

I would get Trojan Remover from my sig as well: install it, update it, then click on Scan. Then select all options under the Utilities menu.
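The two patterns Speedy points out above, a `svchost.exe` living under `System32\drivers` instead of `System32`, and randomly named executables started from `System32` by Run keys, are the sort of thing a defender can screen for automatically before reading a whole log by hand. The following Python is an added example, not part of the thread or of HijackThis: it parses the `O4` lines HJT prints, recovers the image path from each Run command, and flags core Windows process names that sit outside their system directory (high) and unlisted binaries starting from `System32` (medium, verify the publisher or hash). The core-process list and the `System32` baseline are constructed for the example, and the sample log is assembled from the `O4` lines posted in this thread.

```python
"""Triage helper for HijackThis 'O4' autorun lines (added example, not HJT code).

Assumed heuristics: (1) a binary named like a core Windows process that lives
outside C:\WINDOWS or C:\WINDOWS\System32 is treated as a masquerade, and
(2) a binary inside System32 that is not on a short baseline allowlist is
flagged for verification. Both lists are constructed for this example.
"""
import ntpath
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high" or "medium"
    reason: str
    hive: str       # HKLM, HKCU, HKUS\S-1-5-19, ...
    name: str       # the Run value name shown in [brackets]
    path: str       # the image path recovered from the command


class O4Entry(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str


# Matches "O4 - HKLM\..\Run: [Name] command"; "O4 - Startup: ..." lines deliberately do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Core Windows process names that malware commonly borrows (constructed list).
CORE_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                      "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Binaries that legitimately start from System32 via Run keys on XP (constructed baseline).
SYSTEM32_RUN_BASELINE = {"ctfmon.exe", "rundll32.exe", "control.exe"}


def parse_o4(line: str) -> Optional[O4Entry]:
    """Split one O4 registry-Run line into hive, key, value name and command."""
    m = O4_RE.match(line.strip())
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def image_path(cmd: str) -> str:
    """Recover the executable from a Run command; HJT prints unquoted paths with spaces as-is."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(entry: O4Entry) -> Optional[Finding]:
    """Apply the two heuristics to one entry; ntpath keeps this runnable off-Windows."""
    path = image_path(entry.cmd)
    directory, base = ntpath.split(path)
    directory = ntpath.normcase(directory).rstrip("\\")
    base = ntpath.normcase(base)
    if base in CORE_PROCESS_NAMES and directory not in SYSTEM_DIRS:
        return Finding("high", "core Windows process name outside its system directory",
                       entry.hive, entry.name, path)
    if directory == r"c:\windows\system32" and base not in SYSTEM32_RUN_BASELINE:
        return Finding("medium", "unlisted binary starting from System32; verify publisher/hash",
                       entry.hive, entry.name, path)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return findings for every O4 Run line in an HJT log, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: O4 lines taken from the logs posted in this thread, plus one 'Startup' line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe
O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: Macromedia Dreamweaver 8.lnk = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.hive:<14} [{f.name}] {f.path}  <- {f.reason}")
```

Run against the sample, the two `drivers\svchost.exe` entries come out as high and the two random-named System32 binaries as medium, while AVG, the NVIDIA `rundll32` line and `ctfmon.exe` pass. The medium tier is deliberately a "go and check" signal rather than a verdict: a legitimate installer can also drop a binary in System32, so the next step is confirming the file's publisher and hash, not deleting on sight.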

turnbullm
26-07-2007, 12:41 PM
Thanks, that trojan removal worked great; it found a lot of references in the registry to those 2 nasty processes. Now I can run NOD32 and HijackThis.

Thanks again :)

Speedy Gonzales
26-07-2007, 12:43 PM
Cool, good to hear it's fixed :)