[HELP] PC infected with virus, Isass.exe? (Virus/Malware)

Ray78
post Jun 28 2010, 08:13 PM


Hi.

Before I post the HJT and SREng log files, here is what happens:

"RECYCLER" and "SYSTEM VOLUME INFORMATION" folders are created on both my C: and D: drives. I cannot delete these folders as they keep regenerating. I believe my PC got infected through a USB flash drive which I used. I am unable to delete the autorun.inf files, even using cmd. And there is an Isass window on my C: drive. I tried deleting it but access is denied.


Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:03, on 6/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\ggktpfg.exe
C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe update.com
C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe Online.com
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\lsass.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [32740] C:\WINDOWS\TEMP\ggktpfg.exe
O4 - Startup: Adobe Online.com
O4 - Startup: Adobe update.com
O4 - Global Startup: Tenda W541U.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 1871 bytes
________________________________________________________________________________________________


Here is another log from SREng:

007-06-28,11:27:18

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Process Privileges Scan


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<27378><C:\WINDOWS\TEMP\ggktpfg.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Microsoft Windows Media Player 6.4><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
<N/A><"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player 8><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]

==================================
Startup Folders
[Tenda W541U]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Tenda W541U.lnk --> C:\PROGRA~1\Tenda\W541U\UI.exe []><N>
[Adobe Online]
<C:\Documents and Settings\Windows XP\Start Menu\Programs\Startup\Adobe Online.com --> [N/A]><N>
[Adobe update]
<C:\Documents and Settings\Windows XP\Start Menu\Programs\Startup\Adobe update.com --> [N/A]><N>

==================================
Services
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[NVIDIA Driver Helper Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Running/Auto Start]
<C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>

==================================
Drivers
[aeaudio / aeaudio][Running/Manual Start]
<system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[AEGIS Protocol (IEEE 802.1x) v3.5.3.0 / AegisP][Running/Auto Start]
<System32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[nv / nv][Running/Manual Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RT73 USB Wireless LAN Card Driver / RT73][Running/Manual Start]
<System32\DRIVERS\rt73.sys><Ralink Technology, Corp.>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[smwdm / smwdm][Running/Manual Start]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>

==================================
Browser Add-ons
shdoclc.dll,-866
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[&Radio]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, >
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash10h.ocx, Adobe Systems, Inc.>

==================================
Running Processes
[PID: 404 / SYSTEM][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 628 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 652 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 696 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 712 / SYSTEM][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 896 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 920 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 992 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1016 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1064 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[PID: 1364 / SYSTEM][C:\WINDOWS\System32\nvsvc32.exe] [NVIDIA Corporation, 6.14.10.4403]
[PID: 1396 / SYSTEM][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe] [Analog Devices, Inc., 3, 2, 5, 0]
[PID: 360 / Windows XP][C:\Program Files\Tenda\W541U\UI.exe] [, 1.0.0.1]
[C:\Program Files\Tenda\W541U\acAuth.dll] [, 4.1.0.65 2006-07-12 18:36:34]
[C:\Program Files\Tenda\W541U\dllPublicFunc.dll] [, 1.0.0]
[C:\Program Files\Tenda\W541U\dllCommonCtrl.dll] [, 1.0.0]
[C:\Program Files\Tenda\W541U\dllMultiLanguage.dll] [, 1.0.0.1]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 444 / Windows XP][C:\Documents and Settings\Windows XP\Start Menu\Programs\Startup\Adobe Online.com] [N/A, ]
[C:\WINDOWS\thumbs .db] [N/A, ]
[PID: 496 / SYSTEM][C:\WINDOWS\System32\wbem\wmiprvse.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 1840 / Windows XP][C:\WINDOWS\TEMP\ggktpfg.exe] [N/A, ]
[PID: 140 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 612 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1640 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 5356 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[PID: 5124 / Windows XP][C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe update.com] [N/A, ]
[C:\WINDOWS\thumbs .db] [N/A, ]
[PID: 4792 / Windows XP][C:\Program Files\Mozilla Firefox\firefox.exe] [Mozilla Corporation, 1.9.2.6]
[C:\Program Files\Mozilla Firefox\xul.dll] [Mozilla Foundation, 1.9.2.6]
[C:\Program Files\Mozilla Firefox\sqlite3.dll] [sqlite.org, 3.6.22]
[C:\Program Files\Mozilla Firefox\MOZCRT19.dll] [Mozilla Foundation, 8.00.0000]
[C:\Program Files\Mozilla Firefox\js3250.dll] [N/A, ]
[C:\Program Files\Mozilla Firefox\nspr4.dll] [Mozilla Foundation, 4.8.3]
[C:\Program Files\Mozilla Firefox\smime3.dll] [Mozilla Foundation, 3.12.6.2 Basic ECC]
[C:\Program Files\Mozilla Firefox\nss3.dll] [Mozilla Foundation, 3.12.6.2 Basic ECC]
[C:\Program Files\Mozilla Firefox\nssutil3.dll] [Mozilla Foundation, 3.12.6.2]
[C:\Program Files\Mozilla Firefox\plc4.dll] [Mozilla Foundation, 4.8.3]
[C:\Program Files\Mozilla Firefox\plds4.dll] [Mozilla Foundation, 4.8.3]
[C:\Program Files\Mozilla Firefox\ssl3.dll] [Mozilla Foundation, 3.12.6.2 Basic ECC]
[C:\Program Files\Mozilla Firefox\MOZCPP19.dll] [Mozilla Foundation, 8.00.0000]
[C:\Program Files\Mozilla Firefox\xpcom.dll] [Mozilla Foundation, 1.9.2.6]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll] [Mozilla Foundation, 1.9.2.6]
[C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll] [Mozilla Foundation, 1.9.2.6]
[C:\Program Files\Mozilla Firefox\softokn3.dll] [Mozilla Foundation, 3.12.4.6 Basic ECC]
[C:\Program Files\Mozilla Firefox\nssdbm3.dll] [Mozilla Foundation, 3.12.4.6 Basic ECC]
[C:\Program Files\Mozilla Firefox\freebl3.dll] [Mozilla Foundation, 3.12.4.6 Basic ECC]
[C:\Program Files\Mozilla Firefox\nssckbi.dll] [Mozilla Foundation, 1.78]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 5172 / Windows XP][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 4760 / Windows XP][C:\Program Files\Trillian\trillian.exe] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\SSLEAY32.dll] [The OpenSSL Project, http://www.openssl.org/, 0.9.8j]
[C:\Program Files\Trillian\LIBEAY32.dll] [The OpenSSL Project, http://www.openssl.org/, 0.9.8j]
[C:\Program Files\Trillian\MSVCR90.dll] [Microsoft Corporation, 9.00.21022.8]
[C:\Program Files\Trillian\zlib1.dll] [, 1.2.3]
[C:\Program Files\Trillian\MSVCP90.dll] [Microsoft Corporation, 9.00.21022.8]
[C:\Program Files\Trillian\images.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\core.dll] [Cerulean Studios, LLC, 4, 1, 0, 21]
[C:\Program Files\Trillian\jpeg62.dll] [Independent JPEG Group <www.ijg.org>, 6b.1961.25445]
[C:\Program Files\Trillian\libpng12.dll] [GnuWin32 <http://gnuwin32.sourceforge.net>, 1.2.34.3276]
[C:\Program Files\Trillian\libungif.dll] [, 4, 1, 4, 0]
[C:\Program Files\Trillian\expatxml.dll] [Cerulean Studios, 4, 1, 0, 24]
[c:\program files\trillian\languages\en\trillian.dll] [N/A, ]
[C:\Program Files\Trillian\toolkit.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\kdu_v43R.dll] [The University of New South Wales, 4, 3, 1, 1]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\Program Files\Trillian\events.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\crypto.dll] [Cerulean Studios, LLC, 4, 1, 0, 21]
[C:\Program Files\Trillian\list.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\buddy.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\talk.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\plugins\astra.dll] [Cerulean Studios, LLC, 4, 1, 0, 21]
[C:\Program Files\Trillian\libspeex.dll] [N/A, ]
[C:\Program Files\Trillian\plugins\MSVCP90.dll] [Microsoft Corporation, 9.00.21022.8]
[C:\Program Files\Trillian\plugins\MSVCR90.dll] [Microsoft Corporation, 9.00.21022.8]
[c:\program files\trillian\languages\en\toolkit.dll] [N/A, ]
[c:\program files\trillian\languages\en\events.dll] [N/A, ]
[c:\program files\trillian\languages\en\buddy.dll] [N/A, ]
[c:\program files\trillian\languages\en\talk.dll] [N/A, ]
[C:\Program Files\Trillian\plugins\mail.dll] [Cerulean Studios, 4, 1, 0, 24]
[C:\Program Files\Trillian\plugins\msn.dll] [Cerulean Studios, LLC, 4, 1, 0, 21]
[C:\WINDOWS\System32\wdmaud.drv] [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]
[C:\WINDOWS\System32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 5052 / Windows XP][C:\Documents and Settings\Windows XP\My Documents\sreng2\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\WINDOWS\System32\SYNCOR11.DLL] [SoundMAX, 1.2.2]
[C:\Documents and Settings\Windows XP\My Documents\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR Error. [%1]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
[C:\]
[Autorun]
Open=Thumbs.com -a
ShellExecute=Thumbs.com
Shell\Auto\Command=Thumbs.com
Shell=Auto
[Definitions]
Launchpad=Thumbs.com
Vtype=1
[D:\]
[Autorun]
Open=Thumbs.com -a
ShellExecute=Thumbs.com
Shell\Auto\Command=Thumbs.com
Shell=Auto
[Definitions]
Launchpad=Thumbs.com
Vtype=1

==================================
HOSTS File
127.0.0.1 www.Brenz.pl
127.0.0.1 localhost

==================================
Process Privileges Scan
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1064, C:\WINDOWS\SYSTEM32\SPOOLSV.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 360, C:\PROGRAM FILES\TENDA\W541U\UI.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 444, C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\ADOBE ONLINE.COM]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1840, C:\WINDOWS\TEMP\GGKTPFG.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 5124, C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\ADOBE UPDATE.COM]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 5172, C:\WINDOWS\EXPLORER.EXE]

==================================
API HOOK
Entrypoint Error: NtCreateFile (Dangerous Level: High, Hooked by Module: 0x7FFA64D2)
Entrypoint Error: NtCreateProcess (Dangerous Level: High, Hooked by Module: 0x7FFA6561)
Entrypoint Error: NtCreateProcessEx (Dangerous Level: High, Hooked by Module: 0x7FFA656E)
Entrypoint Error: NtQueryInformationProcess (Dangerous Level: High, Hooked by Module: 0x7FFA65AF)
Entrypoint Error: ZwCreateFile (Dangerous Level: High, Hooked by Module: 0x7FFA64D2)
Entrypoint Error: ZwCreateProcess (Dangerous Level: High, Hooked by Module: 0x7FFA6561)
Entrypoint Error: ZwCreateProcessEx (Dangerous Level: High, Hooked by Module: 0x7FFA656E)
Entrypoint Error: ZwOpenFile (Dangerous Level: High, Hooked by Module: 0x7FFA6557)
Entrypoint Error: ZwQueryInformationProcess (Dangerous Level: High, Hooked by Module: 0x7FFA65AF)

==================================
Hidden Process
[1932] c:\lsass.exe

==================================

________________________________________________________________________________________________

BTW, I have also tried the Combofix removal tool from bleepingcomputer.com, but unfortunately it could not start and says there could be a file-patching virus on my PC.

Tried Dr.Web CureIt too (in safe mode), but it just halts saying "Invalid path to virus database".


Please help. Thanks!

This post has been edited by Ray78: Jun 29 2010, 07:15 AM
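The logs above carry the three things a triager would check first: a process named like a system binary (Isass with a capital I against lsass), a genuine system binary name running from the wrong directory (c:\lsass.exe next to the real C:\WINDOWS\system32\lsass.exe), and an autorun.inf on each drive that hands control to a file on that drive. The script below is an added example, not code from the original post or from HijackThis or SREng. It folds lookalike characters before comparing basenames, flags system binaries outside system32, flags executables started from TEMP or from the Startup folder under a .com/.pif/.scr extension, and parses an autorun.inf to list the commands it would run. The process paths and the autorun.inf body are copied from the posted logs; the baseline set of system32-only binaries, the homoglyph table and the path rules are assumptions of this example, not anything the tools define.

```python
"""
Triage of the HijackThis / SREng listings posted above: lookalike process
names, system binaries running from the wrong directory, executables started
from TEMP or the Startup folder, and the commands an autorun.inf hands out.
"""
from typing import Dict, List, Tuple

# Windows binaries that legitimately run only from %SystemRoot%\system32
# (assumed baseline for this example; extend it for your own build).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Characters commonly swapped to imitate a system name: capital I or digit 1
# for lower-case l, digit 0 for o. "Isass.exe" folds to "lsass.exe".
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

SYSTEM32_DIR = "c:\\windows\\system32\\"


def fold_name(basename: str) -> str:
    """Lower-case a file name after replacing lookalike characters."""
    return basename.translate(HOMOGLYPHS).lower()


def triage_processes(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries a reviewer should look at."""
    findings = []
    for path in paths:
        lower = path.replace("/", "\\").lower()
        base = path.rsplit("\\", 1)[-1]
        folded = fold_name(base)
        if folded in SYSTEM32_ONLY:
            if base.lower() != folded:
                findings.append((path, "lookalike name for " + folded))
            elif not lower.startswith(SYSTEM32_DIR):
                findings.append((path, "system binary outside system32"))
        if "\\temp\\" in lower:
            findings.append((path, "executable running from TEMP"))
        if "\\startup\\" in lower and lower.endswith((".com", ".pif", ".scr")):
            findings.append((path, "Startup item with a non-.exe executable extension"))
    return findings


def parse_autorun(text: str) -> Dict[str, str]:
    """Flatten an autorun.inf into {"section/key": value} with case-folded names."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries[section + "/" + key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str) -> List[Tuple[str, str]]:
    """Commands the file would run: Open/ShellExecute on AutoRun, and the
    shell\\<verb>\\command selected by Shell=<verb> on double-click."""
    entries = parse_autorun(text)
    targets = [(k, entries["autorun/" + k]) for k in ("open", "shellexecute")
               if "autorun/" + k in entries]
    verb = entries.get("autorun/shell", "").lower()
    cmd_key = "autorun/shell\\%s\\command" % verb
    if verb and cmd_key in entries:
        targets.append(("shell=" + verb, entries[cmd_key]))
    return targets


# Copied from the HijackThis "Running processes" section in the post.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\TEMP\ggktpfg.exe",
    r"C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe update.com",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    r"c:\lsass.exe",
]

# Copied from the SREng "Autorun.Inf" section for C:\.
SAMPLE_AUTORUN = """\
[Autorun]
Open=Thumbs.com -a
ShellExecute=Thumbs.com
Shell\\Auto\\Command=Thumbs.com
Shell=Auto
[Definitions]
Launchpad=Thumbs.com
Vtype=1
"""

if __name__ == "__main__":
    for path, reason in triage_processes(SAMPLE_PROCESSES):
        print("%-60s %s" % (path, reason))
    for key, command in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun %-14s -> %s" % (key, command))
```

Note that the name check and the path check are independent: a real lsass.exe copied to c:\ passes the name check and fails the path check, while Isass.exe placed in system32 passes the path check and fails the name check. The [Definitions] section in the posted autorun.inf is not a Windows AutoRun section, so the parser keeps it in the flat map but does not report it as a launch target.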
xixo_12
post Jun 28 2010, 08:15 PM


Hi,
Observe this rule :
If there is no response within 2 days of each reply from me, I will unsubscribe from your topic.

First,
Uninstall List.
  • Run the HiJack This.
  • Click on Open the Misc Tools section button.
  • Click on Misc Tools tab.
  • Under the System tools, click on Open Uninstall Manager button.
  • Find the Save list… button and save to the Desktop
  • Copy the content and paste the uninstall list here.

What you need to post
Checklist.
  • Content of uninstall list.

Ray78
post Jun 28 2010, 08:28 PM


Here is the uninstall list as requested:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
CCleaner (remove only)
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.6)
NVIDIA Windows 2000/XP Display Drivers
Real Alternative 2.0.2 Lite
SoundMAX
SpywareBlaster 4.3
The KMPlayer (remove only)
Trillian
Unlocker 1.8.9
W541U

-----------------------------------------------------


xixo_12
post Jun 28 2010, 08:35 PM


Hi,
Let's proceed.

First,
Fix entries.
  • Run the HiJack This.
  • Click on Do a system scan only button.
  • Find the entries below and tick the small box next to each.
    QUOTE
    O4 - HKLM\..\Run: [32740] C:\WINDOWS\TEMP\ggktpfg.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

  • Close any other program and leave HiJackThis program alone.
  • Click Fix checked.


Next,
Analyze file(s).
Please visit Jotti.
Click on Browse > copy each path below (one by one), paste it into the File name box > click Open:
QUOTE
C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe update.com
C:\DOCUMENTS AND SETTINGS\WINDOWS XP\START MENU\PROGRAMS\STARTUP\Adobe Online.com

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.


Next,
OTM by Old Timer.
Please download from HERE and save to the desktop.
  • Double-click on OTM.exe.
  • Copy the lines in the codebox below.
    QUOTE
    :processes
    :services
    IS360service
    :files
    C:\Program Files\IObit
    C:\WINDOWS\TEMP\ggktpfg.exe
    :commands
    [resethosts]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar, Code box into OTMoveIt3 (1).) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.

Note:
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
  • If you are asked to reboot the machine choose Yes.
  • In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,
Malwarebytes' Anti-Malware - Run
  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


What you need to post
Checklist.
  • Web links = 2
  • Content of OTM log
  • Content of MBAM log

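Before uploading the two Startup items to an online scanner, a practitioner would check locally what they actually are. The following is an added example, not part of the reply above and not code from Jotti, HijackThis or OTM. It identifies a file by its leading bytes (a Windows PE image starts with MZ and stores the offset of its PE\0\0 signature at 0x3C, whereas a genuine DOS .com file has no header at all), reports a name whose extension does not match the content or that hides a space before the extension (as with the thumbs .db module in the SREng listing), and computes the SHA-256 that most online scanners accept as a lookup key. The sample bytes are a constructed minimal PE header for offline use, not the real files from the infected machine; the set of extensions treated as non-executable is an assumption of this example.

```python
"""
Local pre-check of suspicious Startup-folder items: what the bytes are,
whether the file name lies about it, and a hash for scanner lookups.
"""
import hashlib
from typing import Dict

# Extensions under which a PE image should not turn up in a Startup folder
# (assumed list; the posted items were "Adobe update.com" and "Adobe Online.com").
NON_PE_EXTENSIONS = {"com", "db", "txt", "jpg", "doc", "pdf"}


def identify(blob: bytes) -> str:
    """Classify a file body by its leading bytes: 'pe', 'mz-dos' or 'other'."""
    if blob[:2] != b"MZ":
        return "other"
    # A PE image stores the file offset of the "PE\0\0" signature at 0x3C.
    if len(blob) >= 0x40:
        off = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[off:off + 4] == b"PE\x00\x00":
            return "pe"
    return "mz-dos"


def inspect_startup_item(name: str, blob: bytes) -> Dict[str, object]:
    """Report what a Startup-folder file really is and whether its name misleads."""
    stem, _, ext = name.rpartition(".")
    ext = ext.lower()
    kind = identify(blob)
    return {
        "name": name,
        "kind": kind,
        "sha256": hashlib.sha256(blob).hexdigest(),
        # a PE image carrying a .com/.db/... name is disguising its type
        "extension_mismatch": kind == "pe" and ext in NON_PE_EXTENSIONS,
        # "thumbs .db": a space before the dot hides the real name in listings
        "padded_name": stem.endswith(" "),
    }


def _fake_pe() -> bytes:
    """Constructed minimal PE header (not a runnable program) for offline testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample set named after the entries in the posted logs.
SAMPLE_ITEMS = {
    "Adobe update.com": _fake_pe(),
    "Adobe Online.com": _fake_pe(),
    "thumbs .db": _fake_pe(),
    "Tenda W541U.lnk": b"L\x00\x00\x00" + b"\x00" * 12,  # shortcut header, not MZ
}

if __name__ == "__main__":
    for item_name, body in SAMPLE_ITEMS.items():
        print(inspect_startup_item(item_name, body))
```

On a live machine, read each file with open(path, "rb") and pass the bytes in; the hash is worth recording before the file is moved or deleted so that the sample can still be looked up afterwards.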
Ray78
post Jun 28 2010, 09:30 PM


1. None (browser unable to load the Jotti virus scan web page.)


2. As requested, content of OTM log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
Service IS360service stopped successfully!
Service IS360service deleted successfully!
========== FILES ==========
C:\Program Files\IObit\IObit Security 360\Update folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Quarantine Zone folder moved successfully.
C:\Program Files\IObit\IObit Security 360\log\Scan folder moved successfully.
C:\Program Files\IObit\IObit Security 360\log folder moved successfully.
C:\Program Files\IObit\IObit Security 360\language folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Images folder moved successfully.
C:\Program Files\IObit\IObit Security 360\Downloaded folder moved successfully.
C:\Program Files\IObit\IObit Security 360 folder moved successfully.
C:\Program Files\IObit folder moved successfully.
C:\WINDOWS\TEMP\ggktpfg.exe moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Windows XP
->Temp folder emptied: 50355457 bytes
->Temporary Internet Files folder emptied: 100890 bytes
->FireFox cache emptied: 45045530 bytes
->Flash cache emptied: 1675 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1099790 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 541952 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1933312 bytes

Total Files Cleaned = 95.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06282010_210907

Files moved on Reboot...

Registry entries deleted on Reboot...
____________________________________________________________________________________



3. As requested, content of MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4249

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2800.1106

6/28/2010 9:34:15 PM
mbam-log-2010-06-28 (21-34-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 120274
Time elapsed: 15 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (%1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\lnyan.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\VRT1.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\System32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

____________________________________________________________________________________

This post has been edited by Ray78: Jun 28 2010, 09:32 PM
xixo_12
post Jun 28 2010, 09:34 PM


Hi,
Just formatted... but infected with a backdoor? Huh, quite weird.

First,
No antivirus!
  • An antivirus helps to give the system maximum protection.
  • You are advised to have only one antivirus running on the system.
  • Please consider one of these programs and install it now:

Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan..

What you need to post
Checklist.
  • Content of GMER.txt


This post has been edited by xixo_12: Jun 28 2010, 09:43 PM
Ray78
post Jun 28 2010, 10:54 PM


Running GMER gives a blue screen Fatal Error on my PC.

However I re-installed AVAST and it did a boot scan and deleted mostly Win32:WB-EIK infections.

Now my PC seems back to normal, except that I still cannot delete just one 'RECYCLER' folder on drive C:. Everything else looks okay.

THANKS.

This post has been edited by Ray78: Jun 28 2010, 10:56 PM
xixo_12
post Jun 29 2010, 06:04 AM


No worries about RECYCLER; it's a legit folder. It's supposed to be hidden.

You may consider updating your service pack.
If no other problem, you may proceed to close this topic.

This post has been edited by xixo_12: Jun 29 2010, 06:19 AM
Ray78
post Jun 29 2010, 09:33 AM


Actually, I was already using the newest, updated AVAST (Home edition) when I was infected through the USB port.

May I know how do I close this thread?

xixo_12
post Jun 29 2010, 12:52 PM


Sometimes an antivirus does not catch a new variant, but make sure you have that protection.

You may scroll down to the bottom; there is a moderation option to close this topic.