Trojan or Worm? Logs included

I ran:
Avast Anti-Virus
Ad-Aware
CWShredder
SpyBot SD
Ewido
Trend House Call
Windows Update

I still have a hijacked system: Trojans come back and malware seems to be rampant.
Logs are posted below. Just for fun I'll also include a log of my Avast Anti-Virus results.


ewido anti-spyware - Scan Report

  • Created at: 10:48:11 AM 9/30/2006

  • Scan result:

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll → Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar → Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\SafetyBar.dll → Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\Uninstall.bat → Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\opnmkhh.dll → Adware.Virtumionde : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frD6EC → Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ismini.exe → Downloader.Zlob.adq : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\45QVWXQZ\popup[1].htm → Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\A14B6HA5\popup[1].htm → Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G943GN0V\popup[1].htm → Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJRPV5JW\popup[1].htm → Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TJB3L5GE\popup[2].htm → Hijacker.Agent.a : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 11:57:28 AM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Any Help is greatly appreciated.

Wouldn’t allow too many characters so here is the rest of it.

AVAST ANTIVIRUS LOG
09/10/2006 12:16
Scan of all local drives
File C:\Documents and Settings\Owner\Local Settings\Temp\mst36.tmp is infected by Win32:Klone-N [Trj], Deleted
File C:\Documents and Settings\Owner\Local Settings\Temp\mst45.tmp is infected by Win32:Klone-N [Trj], Deleted
File C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr9BA9 is infected by Win32:Trojan-gen. {Other}, Deleted
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\28QHBTWK\l11[1].exe[Upack] is infected by Win32:Zlob-HM [Trj], Deleted
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EL5Y7YLC\srvnjq[1].exe is infected by Win32:Trojan-gen. {Other}, Deleted
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EL5Y7YLC\the_sims_makin_magic_expansion_keygen[1].exe is infected by Win32:Small-BEM [Trj], Deleted
File C:\pagefile.sys is infected by Win32:Klone-N [Trj], Deleted
File C:\Program Files\InetGet2\MTE3MTk6ODoxNg.exe is infected by Win32:Trojano-2873 [Trj], Deleted
File C:\Program Files\Microsoft Works\WKSv7std.sbs is infected by Win32:SdBot-3324 [Trj], Deleted
File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019357.dll is infected by Win32:Trojan-gen. {Other}, Deleted
File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019381.exe is infected by Win32:Trojano-2873 [Trj], Deleted
File C:\WINDOWS\system32\winwpa32.dll is infected by Win32:Klone-N [Trj], Deleted
File C:\WINDOWS\Temp\winF.tmp.exe is infected by Win32:Trojan-gen. {Other}, Deleted

Number of searched folders: 3880
Number of tested files: 64035
Number of infected files: 13


09/10/2006 13:45
Scan of all local drives
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8LUJ4D2J\104[1].net is infected by Win32:Adware-gen. [Adw], Deleted
File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019382.dll is infected by Win32:Klone-N [Trj], Deleted
File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP348\A0019570.dll is infected by Win32:Adware-gen. [Adw], Deleted
File C:\WINDOWS\system32\components\flx6.dll[UPX] is infected by Win32:Renos-L [Adw], Deleted

Number of searched folders: 3862
Number of tested files: 63861
Number of infected files: 4


09/26/2006 10:05
Scan of all local drives
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJRPV5JW\bgates[1].exe[UPX] is infected by Win32:Dialer-BN [Trj], Moved to chest
File C:\System Volume Information\_restore{8D8A52C0-A17A-4EA1-A9EB-0CDDF315434D}\RP349\A0019663.dll[UPX] is infected by Win32:Renos-L [Adw], Moved to chest

Number of searched folders: 3853
Number of tested files: 63624
Number of infected files: 2

Hi "Dummy":

Your ewido scan mentioned "Zlob"; this is a multi-faceted
malware best dealt with by experts on an anti-spyware
forum; since you mentioned Ad-Aware, I recommend the
Ad-Aware oriented forums at www.landzdown.com.

Also noticed a severely outdated Sun Java program, which
is a breeding ground to get infected. You should uninstall
your current version, then go to
www.majorgeeks.com/download4648.html to get a
newer version which includes "Update 8".

Hi DummyNewB,

Here is an analysis of your log, saved for three days:

http://hijackthis.de/logfiles/5a823ca8402b68931149185e3fe0f7d5.html

You've had some serious infections, and the Windows firewall is probably down and out, so you really need to download a third-party firewall; Zone Alarm Free is the most user-friendly. Do this on another computer and burn it to a CD if you need to.

Check out the info on Zone Alarm here for later:

http://www.zonelabs.com/store/content/support/zasc/gettingStarted.jsp?anchor=alerts&lid=zasupp_u

If you can update your anti-malware programs from your computer, do so, otherwise download definition files for Ad-Aware, Spybot, Ewido and avast! on another computer.

Download the SmitFraudFix tool from here:

http://siri.geekstogo.com/SmitfraudFix.php

Print off the instructions for later.

Now go offline on your computer: pull out the internet connection plug if necessary.

If you downloaded updates for avast!, update now and run a boot-time scan.

Run the SmitFraudFix tool, following the instructions on the page.

If you have downloaded updates for the other programs, update them now and run scans in safe mode:

http://www.pchell.com/support/safemode.shtml

Repeat this process until nothing new is found; often more malware is removed the second time around.

Install your firewall and reconnect to the internet.

Report any symptoms still occurring.

Update Java as Spiritsongs advised.

NB: You need to do some detective work on this entry:

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

From a bit of research it seems it may be legit, but check with your computer supplier to see if they installed it. See this thread:

http://www.wilderssecurity.com/showthread.php?t=99865
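The "detective work" above is the kind of first pass that can be scripted. The following is an added example from the editor, not HijackThis code and not what hijackthis.de does; it parses HijackThis-style O-lines and applies a handful of triage heuristics: an O21 SSODL entry that points at no file, an O9/O4 entry whose file is missing, a bare filename (like `Ati2mdxx.exe`) that Windows resolves through the search path, an image with a `.SYS` or `.DLL` extension running as a process or service (the PRISMXL.SYS case), a service with no vendor string, and any load point living in a temp or profile cache directory. The sample log is a subset of the entries posted in this thread, written with the real HijackThis spelling `HKLM\..\Run` (the forum rendering dropped the backslash). The severity labels and the rules themselves are this example's own assumptions about what deserves a second look, not a verdict on any entry.

```python
"""Triage heuristics for HijackThis-style log entries.

Added example for this thread, not HijackThis or hijackthis.de code. The sample
entries are a subset of the log posted above; the scoring rules are this
example's own assumptions about what is worth a second look.
"""
import re

# Constructed sample: entries copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")
RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
# Locations where a persistent load point should not normally live (assumption).
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\")


def parse_entry(line):
    """Split one O-line into kind, display name, owner (O23 only) and target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    owner = ""
    if kind == "O4":
        m4 = O4_RE.search(body)
        name, target = (m4.group("name"), m4.group("target")) if m4 else ("", body)
    else:
        # "label: name - {CLSID or owner} - target": the target is the last segment
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[-1]
        target = parts[-1]
        if kind == "O23" and len(parts) >= 3:
            owner = parts[1]
    return {"kind": kind, "name": name, "owner": owner, "target": target, "raw": line.strip()}


def binary_path(target):
    """Best-effort extraction of the image path from a target field."""
    t = re.sub(r"\s*\((?:file missing|no file|HKCU)\)", "", target).strip()
    if t.startswith('"'):                      # quoted path, possibly with arguments
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif|dll|sys))(?:\s|$)", t, re.I)
    if m:
        return m.group(1)
    return t.split()[0] if t else ""


def assess(entry):
    """Apply the heuristics to one parsed entry; returns (severity, reason) pairs."""
    findings = []
    target_l = entry["target"].lower()
    path = binary_path(entry["target"])
    path_l = path.lower()
    if "(no file)" in target_l:
        findings.append(("HIGH", "load point references no file: orphaned entry, "
                                 "find what registered it and remove the key"))
    elif "(file missing)" in target_l:
        findings.append(("LOW", "dead entry (file missing); remove it"))
    if path and "\\" not in path and "%" not in path:
        findings.append(("MEDIUM", "bare filename is resolved through the search "
                                   "path; confirm which file actually runs"))
    if any(d in path_l for d in SUSPECT_DIRS):
        findings.append(("HIGH", "load point lives in a temp or profile cache directory"))
    if entry["kind"] in ("O4", "O23") and path_l.endswith((".dll", ".sys")):
        findings.append(("MEDIUM", "image has a library/driver extension but runs as a "
                                   "process or service; confirm it is a signed PE executable"))
    if entry["kind"] == "O23" and entry["owner"].lower() == "unknown owner":
        findings.append(("INFO", "no vendor string in the service config; check the "
                                 "file's publisher and signature"))
    return findings


def triage(log_text):
    """Parse every O-line and return findings sorted worst-first."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        for severity, reason in assess(entry):
            results.append({"severity": severity, "kind": entry["kind"],
                            "name": entry["name"], "reason": reason, "raw": entry["raw"]})
    return sorted(results, key=lambda f: RANK[f["severity"]], reverse=True)


def worst_for(findings, name):
    """Highest severity recorded for a given entry name, or None if it was clean."""
    sevs = [f["severity"] for f in findings if f["name"] == name]
    return max(sevs, key=RANK.get) if sevs else None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['kind']:<4} {f['name']}: {f['reason']}")
```

Run against the sample, the orphaned O21 entry comes out on top, PrismXL and the bare `Ati2mdxx.exe` are flagged for verification rather than removal, and the avast and ewido services pass. Note that "Unknown owner" only means the service has no vendor string in its configuration; the avast services in the full log carry it too, so it is a prompt to check the file's signature, not evidence on its own. One related caveat the avast log in the first post makes visible: several detections sit under `C:\System Volume Information\_restore{...}`, i.e. inside System Restore points. Those copies are not on any load path, but a later rollback to that restore point would put them back, so clearing old restore points once the machine is clean belongs on the same checklist as the scans above.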