Not sure if this is the correct place to post this, but my mom’s computer is crazy-go-nuts infected with malware-gens and trojan gens. Scheduled boot time scan with avast! twice and scanned with spybot, but still having problems. If anyone is well versed in HJT and wouldn’t mind looking over a log for me, please reply and I’ll post it. Thanks in advance!
ElmntEarth1,
Download it from http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
Then attach it as a txt file to your next posting, and we will have a look,
polonus
I appreciate the quick reply. Here comes the ****storm.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:03 PM, on 10/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\system32\nsmss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {919F6A7D-F5B1-AF13-BB5C-8B8A46F82C97} - C:\WINDOWS\system32\kisbwj.dll (file missing)
O2 - BHO: (no name) - {9FCC6B7E-F6B7-A010-BB5C-8B8A46F82F93} - C:\WINDOWS\system32\vhbuk.dll (file missing)
O2 - BHO: (no name) - {AA2E3895-A958-AEAF-0C27-8C9AF7F34DC6} - C:\WINDOWS\system32\wacr.dll (file missing)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [POINTER] point32.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Microsoft (R) Windows Network Service Monitor] C:\system32\nsmss.exe
O4 - HKLM..\Run: [mede] C:\Program Files\Common Files\mede77798.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [Ncao] “C:\WINDOWS\system32\FNTS~1\nslookup.exe” -vt yazb
O4 - HKCU..\Run: [QdrModule9] “C:\Program Files\QdrModule\QdrModule9.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Ecocmk] “C:\Program Files\S?mantec\m?hta.exe”
O4 - HKCU..\Run: [EventLog] C:\WINDOWS\system32\event.exe
O4 - HKUS\S-1-5-18..\Run: [Ncao] “C:\WINDOWS\SKS~1\rundll.exe” -vt ndrv (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [Nwzcnu] C:\WINDOWS\s?mbols?vchost.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [Ncao] “C:\WINDOWS\SKS~1\rundll.exe” -vt ndrv (User ‘Default user’)
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181681700871
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181681684738
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: AOL Spy Watch (LD-AOL-Spy_Watchv1) - Unknown owner - C:\WINDOWS\Help\aolsw.exe (file missing)
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\rteqehdace.html
–
End of file - 7392 bytes
Try this
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
F2 - REG:system.ini: Shell=Explorer.exe C:\system32\nsmss.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
THEN
Please download the OTMoveIt3 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
[-HKEY_CLASSES_ROOT\CLSID\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{919F6A7D-F5B1-AF13-BB5C-8B8A46F82C97}]
[-HKEY_CLASSES_ROOT\CLSID\{919F6A7D-F5B1-AF13-BB5C-8B8A46F82C97}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FCC6B7E-F6B7-A010-BB5C-8B8A46F82F93}]
[-HKEY_CLASSES_ROOT\CLSID\{9FCC6B7E-F6B7-A010-BB5C-8B8A46F82F93}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA2E3895-A958-AEAF-0C27-8C9AF7F34DC6}]
[-HKEY_CLASSES_ROOT\CLSID\{AA2E3895-A958-AEAF-0C27-8C9AF7F34DC6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mede"=-
"Microsoft (R) Windows Network Service Monitor"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
"QdrModule9"=-
"Ecocmk"=-
"EventLog"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
"Nwzcnu"=-
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
:Files
C:\Program Files\ISM
C:\WINDOWS\system32\kisbwj.dll
C:\WINDOWS\system32\vhbuk.dll
C:\WINDOWS\system32\wacr.dll
C:\system32\nsmss.exe
C:\Program Files\Common Files\mede77798.exe
C:\Program Files\QdrModule
C:\Program Files\RcvSystem
C:\WINDOWS\system32\event.exe
:Commands
[purity]
[emptytemp]
- Return to OTMoveIt3, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
FINALLY
Please download Malwarebytes’ Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Howdy ElmntEarth1,
As my friend Essexboy has beaten me to it, you can use my evaluation as a check-up of what he has analyzed. You are advised to follow his cleansing suggestions first and then go over mine as a check-up.
We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one, or activate Windows XP’s own one.
F2 - REG:system.ini: Shell=Explorer.exe C:\system32\nsmss.exe Unknown application.
Consider the info on this malware here: http://spywarefiles.prevx.com/RRIDHD14704177/NSMSS.EXE.html
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
Must be fixed! Unnecessary (deactivated) entry that can be fixed. BndDrive5.dll - “Hyperlinks Rotator” aka ISMonitor adware hailing from zredirector.com - installs an “Internet Speed Monitor” sidebar - file detected by Kaspersky, http://www.kaspersky.com/ antivirus as AdWare.Win32.AdBand.a
Dangerous
Read here: http://www.greatis.com/appdata/d/b/bnddrive5.dll.htm
O2 - BHO: (no name) - {919F6A7D-F5B1-AF13-BB5C-8B8A46F82C97} - C:\WINDOWS\system32\kisbwj.dll (file missing) Unknown application. Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {9FCC6B7E-F6B7-A010-BB5C-8B8A46F82F93} - C:\WINDOWS\system32\vhbuk.dll (file missing) Unknown application. Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {AA2E3895-A958-AEAF-0C27-8C9AF7F34DC6} - C:\WINDOWS\system32\wacr.dll (file missing) Unknown application. Unnecessary (deactivated) entry that can be fixed.
Unknown
O4 - HKCU..\Run: [Ncao] “C:\WINDOWS\system32\FNTS~1\nslookup.exe” -vt yazb Nasty (1.92 / 5.00)
O4 - HKCU..\Run: [QdrModule9] “C:\Program Files\QdrModule\QdrModule9.exe” Nasty (2.17 / 5.00)
Check on these three unknown entries (update to virus total)
O4 - HKCU..\Run: [EventLog] C:\WINDOWS\system32\event.exe
O4 - HKUS\S-1-5-18..\Run: [Ncao] “C:\WINDOWS\SKS~1\rundll.exe” -vt ndrv (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [Nwzcnu] C:\WINDOWS\s?mbols?vchost.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [Ncao] “C:\WINDOWS\SKS~1\rundll.exe” -vt ndrv (User ‘Default user’)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects,
or ActiveX-Objects from unknown sites should always be fixed.
If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc,
it should be fixed!
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
Check these also whether malware…
O23 - Service: AOL Spy Watch (LD-AOL-Spy_Watchv1) - Unknown owner - C:\WINDOWS\Help\aolsw.exe (file missing)
Unknown service (aolsw.exe). Unknown
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
Unknown service (nsmss.exe).
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\rteqehdace.html
polonus
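The analysis above is done by eye: orphaned “(file missing)” entries, a Shell= value with something tacked on after Explorer.exe, an O18 filter hijack, services with an unknown owner, a path that imitates the system directory (C:\system32 instead of C:\WINDOWS\system32) and the “?” characters HJT prints in place of characters it cannot render (S?mantec, s?mbols?vchost.exe). The following Python script is an added example, not part of this thread or of HijackThis, that encodes those same rules of thumb so they can be run over a log before a human reads it. The sample lines are copied from the log posted earlier in this thread (with two benign avast! lines for contrast); the O4 keys are written in HJT’s own HKLM\..\Run form, which the forum rendering above has lost. The tag names and the regular expression for picking the path out of a line are this example’s own choices.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code)."""
import re

# Constructed sample: lines copied from the HJT log posted in this thread,
# plus two benign avast! entries.  HJT writes O4 keys as HKLM\..\Run.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\system32\nsmss.exe
O2 - BHO: (no name) - {919F6A7D-F5B1-AF13-BB5C-8B8A46F82C97} - C:\WINDOWS\system32\kisbwj.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Ecocmk] "C:\Program Files\S?mantec\m?hta.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nwzcnu] C:\WINDOWS\s?mbols?vchost.exe (User 'SYSTEM')
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# First drive-letter path in a line, cut at a common binary extension so that
# trailing arguments, closing quotes and HJT annotations are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|html?|cab|sys|bat|lnk)\b',
                     re.IGNORECASE)
# Only under these roots is a "system32" folder the real Windows system directory.
REAL_SYSTEM_ROOTS = ("c:\\windows\\", "c:\\winnt\\")


def extract_path(line):
    """Return the file path referenced by an HJT entry, or None if there is none."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage_line(line):
    """Return the list of heuristic tags that apply to one HJT log line."""
    tags = []
    section = line.split(" - ", 1)[0].strip()   # F2, O2, O4, O18, O23, ...
    path = extract_path(line)

    if "(file missing)" in line:
        tags.append("file-missing")              # orphan: registry points at nothing
    if section == "F2":
        m = re.search(r"Shell=(.*)", line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            tags.append("shell-hijack")          # extra program started with the shell
    if section == "O18":
        tags.append("filter-hijack")             # MIME filter sees every text/html page
    if section == "O23" and "Unknown owner" in line:
        tags.append("unknown-owner")             # service binary has no vendor information
    if path is not None:
        low = path.lower()
        if "\\system32\\" in low and not low.startswith(REAL_SYSTEM_ROOTS):
            tags.append("lookalike-system-path") # e.g. C:\system32\ mimicking C:\WINDOWS\system32\
        if "?" in path:
            tags.append("unprintable-chars")     # HJT prints '?' for characters it cannot render
    return tags


def triage_log(text):
    """Return [(line, tags)] for every line that triggered at least one tag."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tags = triage_line(line)
        if tags:
            findings.append((line, tags))
    return findings


if __name__ == "__main__":
    for line, tags in triage_log(SAMPLE_LOG):
        print(", ".join(tags).ljust(45), line)
```

On the sample above the two avast! lines come out clean and the other six are each tagged with the reason a helper would give for fixing them; a tag is a prompt to look, not a verdict, which is why the real entries (the legitimate avast! service, Java BHO and so on) must still be compared against the vendor’s expected paths by hand.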
Hi Damian, good to see you are on the ball. He also has a nasty case of purity there, but OTMoveit will kill that one. MBAM should get the majority of the rest.
Hi ElmntEarth1,
It could well be that you have to start up in SafeMode (how to do this read here:
http://www.pchell.com/support/safemode.shtml ) in order to be able to fix this entry, else it will reappear in your hjt log:
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll This is a Trojan/Backdoor that should be cleansed from your computer, both the dll and the process at start-up,
polonus
essexboy and polonus, thank you so incredibly much for all the help. Sorry I haven’t gotten back to you, but I’ve been very busy and I wanted to make sure I had the time to really sit down and kill this right and proper. Since this post would be silly-long with the logs copy and pasted, I’m including them as attachments, so let me know if there are any more issues. These include the OTMoveIt, Mbam anti-malware, and an updated HiJackthis. Once again I must thank you, you guys were so above and beyond helpful.
polonus, I couldn’t manage to remove this:
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
I restarted in safe mode and attempted to remove it through hijackthis, but it just came right back in the next scan. Any suggestions?
A few more bits and bobs to go I feel. How is it running now?
@echo off
sc stop LD-AOL-Spy_Watchv1
sc delete LD-AOL-Spy_Watchv1
sc stop nsmss
sc delete nsmss
exit
Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Then in the text file go to FILE > SAVE AS, and in the dropdown box set SAVE AS TYPE to ALL FILES. Then in the FILE NAME box type fix.bat
This will create a batch file
http://img524.imageshack.us/img524/9383/batmp6.jpg
Then run fix.bat by double clicking it; you may see a black box appear, this is normal.
ElmntEarth1,
Delete this folder if still present.
C:\Program Files\RcvSystem\
If you have any problems in delete it let us know,
polonus
Hi Damien, the folder has gone and it is now classified as an orphan entry. HJT has no file information after it:
C:\Program Files\RcvSystem moved successfully.
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
Computer’s running much faster and cleaner. You should’ve seen how it was before. On the startup, there was always a popup, a system error, and some audio that sounded like a commercial playing in the background even though nothing was open. Just ran the .bat fix, and the RcvSystem folder isn’t in Program Files. Thanks a lot!
No problems, it is nice to have an easy one now and then ;D