
Malware in my TabletPC


This topic is locked
3 replies to this topic

#1 JoeLaV


    Member

  • New Member
  • 1 posts

Posted 01 June 2007 - 11:56 AM

Hello. A couple of weeks ago, I noticed that when I was running IE, random webpages would pop up for different advertisements. Once it started, this would occur even if I was not running IE but simply connected to the internet. Then, the Windows Task bar would die on me when I booted the machine. I would get an hourglass whenever I moved the cursor to the TaskBar. In addition, when I minimized a window, it would not appear on the TaskBar. Over the next few days things got progressively worse and I began to run anti-malware programs to get rid of any bad stuff on the machine. However, whenever I did this, it would appear that the bad stuff was gone, but it would come back and my Taskbar would crash as soon as I started up again. I followed the instructions from your post. I ran the AVG spyware program in Safe mode (it took like 6 hours) and my computer appears to be running okay now, but I have not connected to the internet. I am posting the log files from AVG and hijackthis in the hopes that you can tell me if, indeed, the bad stuff is gone. Thank you very much. This is the first time this has happened to me and it has been hell. :eek:

AVG LOG
-----------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:58:51 AM 6/1/2007

+ Scan result:



C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432537.exe -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444456.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432532.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444470.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444455.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444447.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444448.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444449.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444450.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444451.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444452.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444453.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T6\dlwr.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0436168.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0436173.exe -> Hijacker.Delf.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432817.exe -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dnsersnd.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432522.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432816.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444468.dll -> Proxy.Agent.lb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444454.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0436171.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1044\A0444446.exe -> Trojan.VB.nhr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432519.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5C698C25-75B8-408B-9541-16068DBADF18}\RP1037\A0432813.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).


::Report end

HIJACK LOG
--------------

Logfile of HijackThis v1.99.1
Scan saved at 12:09:43 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Q Menu\QIcon.exe
C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cs.brown.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44a07196-2382-46b8-a5dc-a59c18c7ba34} - C:\WINDOWS\system32\himcpl.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: H - {943CBD6C-F4DE-40e4-AA43-7B964FAE81F1} - C:\WINDOWS\system32\comi2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O2 - BHO: 0 - {CA47BEF9-3ED0-4806-748B-A473F8DBCB14} - C:\Program Files\Internet Explorer\xukas.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Q Menu] C:\Program Files\HPQ\Q Menu\QIcon.exe -QICON
O4 - HKLM\..\Run: [hpqMcSrv] "C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{BD-D0-01-1C-ZN}] C:\windows\system32\mkdsregq.exe CHD001
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\iihiji.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: MindManager PDF Writer.lnk = C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1180547818470
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....bex/ieatgpc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: c:\windows\system32\ljjihif.dll
O20 - Winlogon Notify: himcpl - himcpl.dll (file missing)
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msvcrt64.dll - {17BED5CE-E299-4295-9A5C-9317AE89A86F} - msvcrt64.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
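As an added triage aid (not part of this thread, HijackThis or any SWI tool), the script below parses HijackThis entry lines and flags the patterns a reviewer would look at first in the log above: components marked (file missing) or (no file), the O20 AppInit_DLLs entry, and a Run key that hands rundll32 a DLL sitting directly in the Windows folder. The rundll32 check is a heuristic I chose for this example, not a HijackThis rule, and the sample lines are copied from the log posted above.

```python
import re

# Entry lines copied from the HijackThis log posted above (JoeLaV, 6/1/2007);
# a mix of routine and suspicious entries so the triage shows both outcomes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {44a07196-2382-46b8-a5dc-a59c18c7ba34} - C:\WINDOWS\system32\himcpl.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\iihiji.dll",realset
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: c:\windows\system32\ljjihif.dll
O20 - Winlogon Notify: himcpl - himcpl.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msvcrt64.dll - {17BED5CE-E299-4295-9A5C-9317AE89A86F} - msvcrt64.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
# Heuristic (mine, not an HJT rule): rundll32 loading a DLL that sits directly in
# the Windows folder; vendor DLLs normally live in System32 or Program Files.
RUNDLL_WINROOT_RE = re.compile(r'rundll32(\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Yield (section, body) for each entry line; headers and blanks are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def reason_for(section, body):
    """Return why an entry deserves review, or None if it looks routine."""
    if body.endswith(MISSING_MARKERS):
        return "registered component whose file is gone (typical leftover of a partial cleanup)"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return "AppInit_DLLs entry: this DLL is loaded into every process that links user32"
    if section == "O4" and RUNDLL_WINROOT_RE.search(body):
        return "Run key uses rundll32 on a DLL in the Windows root (heuristic; verify the DLL)"
    return None


def triage(log_text):
    """Return [(section, reason, body)] for the entries a reviewer should check first."""
    flagged = []
    for section, body in parse_entries(log_text):
        reason = reason_for(section, body)
        if reason:
            flagged.append((section, reason, body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Unflagged entries are not vouched for; the script only orders the review, and a log is still read end to end.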

#2 SWI Support Robot


    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 04 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Chancellor


    Forum Deity

  • Emeritus
  • 3,020 posts

Posted 16 June 2007 - 03:38 AM

Hi,

Sorry you’ve had to wait for a few days but all of the helpers here are volunteers and we’ve been really busy recently.

If you still need help, please post a fresh HijackThis log into this thread so I can make sure nothing has changed and I will be happy to review it for you.

:)
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#4 Chancellor


    Forum Deity

  • Emeritus
  • 3,020 posts

Posted 27 June 2007 - 12:58 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Chancellor

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".
