Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

just got infected [CLOSED]


  • This topic is locked This topic is locked

#1
chinadian

chinadian

    New Member

  • Member
  • Pip
  • 1 posts
well.. i just got infected by a backdoor and a trojan and i used spybot search and destroy along with ad-aware se personal to clean it. However, when i rebooted my computer, it was as slow as ever! Here's a log from Hijack This.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:03 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ymjvspou.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
E:\Program Files\UltraMon\UltraMon.exe
C:\PROGRA~1\COMMON~1\FNTS~1\services.exe
C:\Documents and Settings\Tony Li\My Documents\?racle\?ti2evxx.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\TimeLeft3\TimeLeft.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\wscntfy.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hypqjakn.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\TONYLI~1\LOCALS~1\Temp\qrjatydi.exe"
O4 - HKLM\..\Run: [9c84f0d9] rundll32.exe "C:\WINDOWS\system32\mlbwjyaf.dll",b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [UltraMon] "E:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [Racd] "C:\PROGRA~1\COMMON~1\FNTS~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Ftyi] "C:\Documents and Settings\Tony Li\My Documents\?racle\?ti2evxx.exe"
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TimeLeft.lnk = E:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Startup: Winamp.lnk = E:\Program Files\Winamp\winamp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...._2.3.6.108.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.....Plugin9USA.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ymjvspou.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



any help would be appreciated :)
  • 0

Advertisements


#2
racenutalways

racenutalways

    Member 1K

  • Retired Staff
  • 1,649 posts

Hello chinadian and welcome to G2G. You have quite a few infections. Not surprisingly, what anti-virus program you running, I don't see any in the log.?
these are free for personal use

AVG Anti-Virus
Avast Home Edition
Avira Anti-vir

Choose one and run a full system scan.

Let's start by removing the vundo infection.
Please go HERE and click the "Download VundoFix" link.
Download VundoFix to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Please open Notepad and copy & paste in the following:

sc stop "DomainService"
sc delete "DomainService"
del fix1.bat


Save it as fix1.bat and double-click on it to run it.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

I need you to enable hidden files and locate a file to submit for analysis;
To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Press the Apply button and then the OK button and shutdown My Computer.
8. Now your computer is configured to show all hidden files

Submit Samples:

You have a file/s of interest to us. It would help the detection rates of the tools we use by getting hold of samples of these infections.

Please download File Submitter by Grinler. I suggest you save the file where it is easy to locate i.e. the root of the drive (C:\submitter.exe).

Create a right-click option:

1. Navigate to this folder in Windows Explorer: C:\Documents and Settings\username\SendTo
2. Right-click inside the folder and select New > Shortcut.
3. Enter the location of the item: C:\submitter.exe (or wherever you saved it)
4. Name the shortcut: Submit Malware
5. The select Finish.

Configure the tool:

1. Navigate to the tool in Windows Explorer: C:\submitter.exe (or wherever you saved it)
2. Double-click the file to open it.
3. The put a check in these boxes:

Jotti
VirusTotal
Advanced
BleepingComputer.com


4. Then click Save and OK the confirmation window.
5. Then click Exit to close the tool.

Upload Samples:

1. Locate this file/s in Windows Explorer:

C:\WINDOWS\system32\ymjvspou.exe

2. For each file you need to right-click and select Send To > Submit Malware (or whatever you named the shortcut)
3. Copy/paste the results of the scans in your next reply. You should have two results for each file scanned.


  • 0

#3
racenutalways

racenutalways

    Member 1K

  • Retired Staff
  • 1,649 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP