brwnfilipina

Possible Viruses

5 posts in this topic

Can somebody please help me???...My internet searches always seem to reroute me once I get on my requested search page...here is my hijack this log file...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 10:55:15 AM, on 12/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Belkin\F5D8013\Belkinwcui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\regedit.exe

C:\Program Files\CyberDefender\AntiSpyware\cdas17d.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/local/19904...archbox_localwx

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080607

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.state.de.us:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.*;http://dorbsmp*;http://dorsam*;http://finrevi*;http://grt*;https://grt*;http://ncic*;http://intranet.dsp.*;https://dorwebz*;https://owa.state.de.us;https://autodiscover.state.de.us;https://onestopts*;<local>

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

O4 - HKLM\..\Run: [secureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas17d.exe" /minimize

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Go PlaySushi! - {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBd8eOa39 (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1249344929328

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {76392179-60A8-462D-8961-B95C14DAADF4} (PrintEngine ActiveX Control v4.2) - https://docdir.dti.state.de.us/ddrint/conte...printengine.cab

O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - http://lads.myspace.com/upload/MySpaceUploader2.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - https://access.delaware.gov/dana-cached/set...perSetupSP1.cab

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://access.delaware.gov/dana-cached/sc/...SetupClient.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = state.de.us

O17 - HKLM\Software\..\Telephony: DomainName = state.de.us

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = state.de.us

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = state.de.us

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\SLClient.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe

--

End of file - 10782 bytes

0

Share this post


Link to post
Share on other sites

First, welcome to THE forums. Second, a few suggestions on your log (feel free to do what you wish with them):

If you don't need to print to PDF from applications other than the Acrobat app, this one is safe to remove from startup:

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

This is the MS Office alternative user input/language bar binary - unless you need to input text in ways other than a keyboard in MS Office, this one is safe to remove from startup:

C:\WINDOWS\system32\ctfmon.exe

Orphaned BHO entry for the CyberDefender security toolbar BHO - safe to remove:

O2 - BHO: (no name) - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - (no file)

Installed by Dell on your machine, responsible for redirection of 404 error pages to a custom (usually Google) search page. Unless you need this, I'd suggest removing it:

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)

Unless you need the Cyberlink PowerDVD UPnP server running on the machine, this is safe to remove from startup:

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

This is the IntelliSonic systray applet for the IntelliSonic Speech Enhancement application. Again, unless you need this, this is safe to remove from startup:

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

I'd suggest disabling this and then checking whether or not Adobe Acrobat takes a long time to load on your machine - if not, this can be removed from startup:

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

If you don't need to print to PDF from applications other than the Acrobat app, this one is safe to remove from startup:

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

Sun Java update scheduler - if you're ok with a process running all the time who's only purpose is to check for updates to the Java runtime, this is safe to remove from startup:

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

According to Symantec and McAfee (and I'm sure the others, but I didn't bother to check further), these are malicious and belong to Trojan.Virtumonde:

O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0

They are downloader trojans, so removal is definitely a good idea (not sure why the McAfee antivirus installation on your machine isn't catching them - might want to look into that).

Orphaned - safe to remove:

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

This is a Dell utility to check for a digital modem line - unless you're using the modem, this is safe to delete:

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

I'd suggest disabling this and then checking whether or not MS Office applications take a long time to load on your machine - if not, this can be removed from startup:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Orphaned button on the IE toolbar - safe to remove:

O9 - Extra button: Go PlaySushi! - {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBd8eOa39 (file missing)

Again, I'd suggest disabling this and then checking whether or not Java applications take a long time to load on your machine - if not, this service can be disabled:

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

Given that this machine appears to be "unclean" and running at least one trojan that HJT found, it might be wise to see if McAfee on your system really is getting updated - and if so, why it isn't finding a running trojan. However, I'd get to work right away on cleaning this particular machine.

0

Share this post


Link to post
Share on other sites

thank you...do you have any tips for getting rid of the trojan?

I have tried deleting the registry keys, but they keep reappearing.

0

Share this post


Link to post
Share on other sites

The registry keys are a by-product of the trojan, they're not the cause. A quick Google search on "virtumonde removal" should get you started.

0

Share this post


Link to post
Share on other sites

A combination of Spybot Search & Destroy and MalwareBytes Anti-Malware should remove all traces of Virtumonde.

I recently had to use both apps to remove a similar infection called Fraud.Sysguard from my mom's computer.

What Spybot missed, MalwareBytes caught and the problem was solved.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.