| Thread ID: 82553 | 2007-08-31 06:34:00 | Spyware infection | Greven (91) | Press F1 |
| Post ID | Timestamp | User |
| 586587 | 2007-08-31 06:34:00 | Greven (91) |

In a momentary lapse of reason, I installed some pirated software and got a very nasty infection. I cleaned it out well enough that avast, Spybot and HijackThis didn't show anything dodgy, but Explorer wouldn't load. I ended up reinstalling Windows over the top and re-running the virus scan to get rid of the remnants (which in theory would not be loaded by the new install of Windows), but it has come back on its own. My HijackThis log below is from before I clean anything out this time, in case anyone can get any clues from it. I would love to get away with not formatting the drive; I have my entire CD and DVD collection ripped to this computer, so it would take a while to spread all my data over the smaller hard drives in my other computer.

```
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:50:33 p.m., on 31/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\retadpu.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\downloads\hijackthis\HiJackThis_v2.exe
c:\wjiio.exe
C:\WINDOWS\system32\wuauclt.exe
c:\qxtkcxs.exe
c:\jmakvee.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\c87932aed ce288373d0b6a6c23f00c8a\update\update.exe

O2 - BHO: (no name) - {90F75E47-94D2-48AC-8D32-863356FA6578} - C:\WINDOWS\system32\hgggfdd.dll
O2 - BHO: 0 - {DEC2E1BD-3D0D-46B3-81A6-1ABDE3B038F6} - C:\Program Files\ComPlus Applications\lawuneci.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iMON] C:\Program Files\SOUNDGRAPH\iMON\iMON.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShareSearcher] C:\jmakvee.exe
O4 - HKLM\..\Run: [hosy] C:\Program Files\Windows Media Player\hosy22011.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: 4.exe~
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com
O20 - Winlogon Notify: hgggfdd - C:\WINDOWS\SYSTEM32\hgggfdd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2FybA\command.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\progycavy.html

--
End of file - 4849 bytes
```
| 586588 | 2007-08-31 06:46:00 | Speedy Gonzales (78) |

I would tick these entries and delete the nasty entries / files in safe mode; you may have to disable System Restore too.

```
C:\WINDOWS\retadpu.exe
c:\wjiio.exe
c:\qxtkcxs.exe
c:\jmakvee.exe
```

These are safe:

```
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
```

Nasty:

```
O4 - HKLM\..\Run: [ShareSearcher] C:\jmakvee.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu.exe
O4 - Global Startup: 4.exe~
O20 - Winlogon Notify: hgggfdd - C:\WINDOWS\SYSTEM32\hgggfdd.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2FybA\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\progycavy.html
```

I would also get Trojan Remover in my sig. If you can't go anywhere, here's a link (www.simplysup.com). Somehow I don't think this folder / file is meant to be here either:

```
C:\WINDOWS\SoftwareDistribution\Download\c87932aed ce288373d0b6a6c23f00c8a\update\update.exe
```
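A defender-side triage script, added here as an example and not part of the thread, that applies the heuristics Speedy Gonzales uses above (executables sitting in the drive root, unowned services whose file is missing, Winlogon Notify DLLs, odd Global Startup items) to HijackThis-style O4/O20/O23 lines; the sample lines and the trusted-directory list are constructed for the example and are not the full log.

```python
import re

# Constructed sample built from the kinds of lines quoted in the thread above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ShareSearcher] C:\jmakvee.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu.exe
O4 - Global Startup: 4.exe~
O20 - Winlogon Notify: hgggfdd - C:\WINDOWS\SYSTEM32\hgggfdd.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2FybA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Directories where legitimately installed autostart binaries normally live on an XP box (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\windows\\ehome\\")
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)  # e.g. c:\jmakvee.exe: an exe in the drive root
WIN_PATH = re.compile(r"[a-z]:\\[^,\"]+", re.I)         # first drive-letter path in a command line

def triage_line(line: str) -> tuple:
    """Classify one HijackThis entry as ok / review / suspicious and say why."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return "skip", "not a HijackThis entry"
    kind, body = m.groups()
    if kind == "O23":                                    # services
        if "(file missing)" in body and "Unknown owner" in body:
            return "suspicious", "unowned service pointing at a missing file"
        return "ok", "vendor-owned service"
    if kind == "O20":                                    # Winlogon Notify DLLs load before the desktop
        return "suspicious", "Winlogon Notify DLL; verify it belongs to an installed product"
    if kind != "O4":
        return "review", "entry type not covered by these heuristics"
    if body.startswith("Global Startup:"):
        return "suspicious", "unexpected item in the all-users Startup folder"
    cmd = body.split("] ", 1)[-1]                        # text after the [name] tag is the command
    path = WIN_PATH.search(cmd)
    if path is None:
        return "review", "bare file name with no path; locate the file and check its publisher"
    target = path.group(0).strip()
    if ROOT_EXE.match(target):
        return "suspicious", "executable launched from the drive root"
    if not target.lower().startswith(TRUSTED_DIRS):
        return "suspicious", "autostart outside the usual program directories"
    return "ok", "autostart from a trusted directory"

def triage_log(text: str) -> list:
    """Run triage_line over a whole log, returning (line, verdict, reason) per non-blank line."""
    return [(ln.strip(), *triage_line(ln)) for ln in text.strip().splitlines() if ln.strip()]
```

The verdicts are a starting point for the manual review the thread does by hand, not a replacement for it: a "review" line still needs the file located and its publisher checked.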
| 586589 | 2007-08-31 06:49:00 | Greven (91) |

Thanks. Your HijackThis choices are the same as mine first time round. I forgot about Trojan Remover though. Hopefully that will help me.

| 586590 | 2007-08-31 06:51:00 | Speedy Gonzales (78) |

> Thanks. Your HijackThis choices are the same as mine first time round. I forgot about Trojan Remover though. Hopefully that will help me.

Hopefully it does something! After you install it, update it, then scan. Then select all options under Utilities.

| 586591 | 2007-08-31 08:26:00 | Greven (91) |

It got a lot more than shows up in HijackThis, but it keeps coming back. I thought I might be able to kill it using the offline registry editor included in the offline password reset CD, but it errors saying read-only filesystem. I don't know why it says that; I've used it to reset passwords on a lot of NTFS drives.

| 586592 | 2007-08-31 08:33:00 | Speedy Gonzales (78) |

Did you turn SR off and run TR? And delete those files in safe mode?

| 586593 | 2007-08-31 08:36:00 | Greven (91) |

> Did you turn SR off and run TR? And delete those files in safe mode?

I did indeed.

| 586594 | 2007-08-31 09:11:00 | Speedy Gonzales (78) |

OK, leave SR off, boot into safe mode, open My Computer, and show all files and system folders. Right-click on the System Vol Info folder, then Properties / Security tab / Advanced. Click on Add and type in the name that appears at the top of the Start menu. Click on Check Names; if it's right, it'll appear. Then OK, tick Full Control, then OK until you get out of its properties. Then open the System Vol Info folder and delete everything in it. If there's more than one partition, do the same for the other partitions. Then reboot... then see what happens. Highlight C, right-click, and select Scan with Trojan Remover. See what that finds then.

| 586595 | 2007-09-01 07:26:00 | Greven (91) |

I reinstalled Windows again and found that it infects exe files and avast doesn't pick it up. I'll get a NOD32 licence on Monday and see if that can clean it out.

| 586596 | 2007-09-01 07:31:00 | Speedy Gonzales (78) |

And did you do a CLEAN install?? It doesn't sound like it.