Jump to content

Sherlockindo

Members
 View Profile  See their activity

  • Posts

    9

  • Joined

  • Last visited

Reputation

0 Neutral

About Sherlockindo

  • Birthday 08/03/1992

Profile Information

  • Location
    Indonesia
  1. Sherlockindo
    Sorry for my bad English. I mean I have installed it since four months ago, but I'm not running it or made it start automatically while running HijackThis. I'll post my installed software log soon. Thanks!
  2. Sherlockindo
    Hello, I'm back! Sorry, but I'm currently not running anything including VMware. I run Windows XP with SP2 as host not a guest OS. Moreover, I only installed Windows 3.1, Windows 95 and Windows 98 inside VMware. MALWAREBYTES' ANTI-MALWARE LOG Malwarebytes' Anti-Malware 1.31 Database version: 1507 Windows 5.1.2600 Service Pack 2 17/12/2008 19:29:50 0 mbam-log-2008-12-17 (19-29-50).txt Scan type: Quick Scan Objects scanned: 53885 Time elapsed: 3 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HIJACKTHIS LOG Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:24:55, on 17/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\acs.exe C:\Program Files\Apache\bin\httpd.exe C:\Program Files\Malwarebytes\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\VMware Workstation\vmware-authd.exe C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe C:\WINDOWS\system32\vmnat.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\Program Files\Apache\bin\httpd.exe C:\Program Files\Compal\Wireless Select Switch\WLSS.exe C:\Program Files\Atheros\ACU.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Malwarebytes\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Apache\bin\ApacheMonitor.exe C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe E:\Program Files\Security\HijackThis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - E:\Program Files\Security\Internal Security Service\ievkbd.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O4 - HKLM\..\Run: [WLSS] C:\Program Files\Compal\Wireless Select Switch\WLSS.exe O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\mbamgui.exe" /starttray It is strange because MBAM didn't run automatically. It seems the virus have blocked it too. O4 - HKLM\..\Run: [AVP] "E:\Program Files\Security\Internal Security Service\avp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\DOCUME~1\SHERLO~1\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: GomezPEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache\bin\ApacheMonitor.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 Always come back like usual. O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Security\Internal Security Service\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O20 - AppInit_DLLs: E:\PROGRA~1\Security\INTERN~1\mzvkbd.dll,E:\PROGRA~1\Security\INTERN~1\adialhk.dll,E:\PROGRA~1\Security\INTERN~1\kloehk.dll O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Web Server\Apache.exe (file missing) O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache\bin\httpd.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - E:\Program Files\Security\Hotspot Shield\bin\openvpnas.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\mbamservice.exe O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe (file missing) I forced to delete RTPSvc.exe from System32 using Command Prompt along with RTPScan.dll (I found it beside the RTPSvc.exe file). O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe -- End of file - 8089 bytes RTPSVC.EXE SCAN RESULT 1. VirusTotal: https://www.virustotal.com/analisis/10b6557...2cd684a912a5f01 2. ThreatExpert: http://www.threatexpert.com/report.aspx?md...b14af2cee15be5e 3. VirSCAN: Sorry, I'll inform you later. The system seems very busy and I have scanned it for 30 minutes but stuck in Step 2 (Analyzing File). Thanks and sorry if I'm disturbing your holiday!
  3. Sherlockindo
    Thanks again for your response. Sorry, but when I try to update, MBAM told me that I already have the newest version. And for "O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe" entry, I think it is not dangerous because it is a local antivirus that help me very much against local virus (made in Indonesia). But, anyway, I'll try to follow your step ASAP.
  4. Sherlockindo
    I've followed your step carefully and after restart, nothing changed. My notebook is still infected. Below is the newest log of MBAM and HijackThis. MALWAREBYTES' ANTI-MALWARE LOG Malwarebytes' Anti-Malware 1.31 Database version: 1496 Windows 5.1.2600 Service Pack 2 16/12/2008 19:04:18 0 mbam-log-2008-12-16 (19-04-18).txt Scan type: Quick Scan Objects scanned: 53691 Time elapsed: 3 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HIJACKTHIS LOG Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:05:46, on 16/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\acs.exe C:\Program Files\Apache\bin\httpd.exe C:\Program Files\Malwarebytes\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\RTPSvc.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\VMware Workstation\vmware-authd.exe C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe C:\WINDOWS\system32\vmnat.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\Program Files\Apache\bin\httpd.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Compal\Wireless Select Switch\WLSS.exe C:\Program Files\Atheros\ACU.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Malwarebytes\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe E:\Program Files\Security\Super Atni Syprawe\SUPERAntiSpyware.exe C:\Program Files\Apache\bin\ApacheMonitor.exe C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe E:\Program Files\Security\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - E:\Program Files\Security\Internal Security Service\ievkbd.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O4 - HKLM\..\Run: [WLSS] C:\Program Files\Compal\Wireless Select Switch\WLSS.exe O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\mbamgui.exe" /starttray O4 - HKLM\..\Run: [AVP] "E:\Program Files\Security\Internal Security Service\avp.exe" O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] E:\Program Files\Security\Super Atni Syprawe\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: GomezPEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache\bin\ApacheMonitor.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 This item previously has been deleted/fixed by HijackThis, but after restart, this item is always come back. O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Security\Internal Security Service\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O20 - AppInit_DLLs: E:\PROGRA~1\Security\INTERN~1\mzvkbd.dll,E:\PROGRA~1\Security\INTERN~1\adialhk.dll,E:\PROGRA~1\Security\INTERN~1\kloehk.dll O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\Security\Super Atni Syprawe\SASWINLO.dll O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Web Server\Apache.exe (file missing) O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache\bin\httpd.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - E:\Program Files\Security\Hotspot Shield\bin\openvpnas.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\mbamservice.exe O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe -- End of file - 8309 bytes I appreciate any help from you. Thanks!
  5. Sherlockindo
    Try delete it with Spybot. I could delete them with Spybot on the past time before my computer attacked with another malware. Good luck!
  6. Sherlockindo
    Thanks for your info, I'll inform you again ASAP.
  7. Sherlockindo
    Thanks for your response! I have cleaned that files over and over but they always come back with different name almost every 15-20 minutes, that's why I got frustated. Malwarebytes still couldn't help me to get rid of this malware and almost all .EXE files in my system is now infected with this f***ing malware. I'm a little intermediate with virus problem and I never seen such a virus like this before, its very difficult to get rid of it. Now I angry with my friends who clicked the *.pif file... I have kept my notebook for viruses and it was clean for almost a year, but now... Fortunately, I also have a clean desktop, so I often use it now although it is a bit slower (PIII with Windows XP SP2). Please help me...
  8. Sherlockindo
    Sorry if the attachment link in above post is missing. Here is my updated attachment. HELH.PIF AND AUTORUN.INF (SUSPECTED MALWARE, ZIPPED, FOUND IN FLASHDRIVE) thread_expert_report.zip Today, when after I scanned my system using Prevx CSI (http://www.prevx.com), it found 2 malicious softwares and 1 cloaked malware inside Temp folder. I attach the three files here (zipped) for examine purpose. One malware (ufvgww.exe) have a CPU usage of around 48-51% (looked with TuneUp Process Manager and Process Explorer), so my processor is overloaded now. The name of the malware always change everytime I restart my notebook. MALWARES FOUND IN TEMP FOLDER temp_folder_malware.zip helh_and_autorun.zip temp_folder_malware.zip thread_expert_report.zip
  9. Sherlockindo
    Sorry if my English isn't good, I hope you can understand it. My notebook got infected with this malware for almost one week and I don't know how to get rid of it anymore since I've tried almost all antivirus and antimalware solution, but the malware always come back. This tragedy began when my friend, who rented my notebook, clicked a file named helh.pif (I attached it here for examination: ). Thread Expert reported that this file is a variant of Win32.Sality (read report here: ). I couldn't open Task Manager and Regedit since it "disabled by your Administrator". My AVG and Spybot is also disabled, so I installed Avira AntiVir, but it didn't help me since it also blocked. I also can't access some antivirus site, like McAfee, Symantec, Sophos, and Kaspersky. I can run Malwarebytes, but the malware always get back after I restart my notebook. Please help me, I'm frustated with this problem. Malwarebytes Anti-Malware Log (Dec. 13, 2008) Malwarebytes' Anti-Malware 1.31 Database version: 1496 Windows 5.1.2600 Service Pack 2 13/12/2008 18:56:13 0 mbam-log-2008-12-13 (18-56-13).txt Scan type: Full Scan (C:\|E:\|) Objects scanned: 217696 Time elapsed: 53 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. This item always get back everytime I restart my notebook. Folders Infected: (No malicious items detected) Files Infected: C:\Downloads\Software\ECBarre_V_01.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\Downloads\Crack and Trainer\Burger Rush Crack\burgerrushres.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully. Trend Micro HijackThis 2.0.2 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:28:14, on 13/12/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\acs.exe C:\Program Files\Apache\bin\httpd.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\RTPSvc.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\VMware Workstation\vmware-authd.exe C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe C:\WINDOWS\system32\vmnat.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\Program Files\Apache\bin\httpd.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Compal\Wireless Select Switch\WLSS.exe C:\Program Files\Compal\Smart Battery\SMBTray.exe C:\Program Files\Atheros\ACU.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\ctfmon.exe E:\Program Files\Internet\Free Download Manager\fumoei.exe C:\Program Files\Apache\bin\ApacheMonitor.exe C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe C:\PROGRA~1\Gomez\GOMEZP~1\jre\bin\java.exe C:\Program Files\Malwarebytes\mbamservice.exe C:\Program Files\Malwarebytes\mbamgui.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\fact.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\PROGRA~1\Internet\FREEDO~1\fdm.exe C:\DOCUME~1\SHERLO~1\LOCALS~1\Temp\winktev.exe C:\DOCUME~1\SHERLO~1\LOCALS~1\Temp\winygca.exe E:\Program Files\Security\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Internet\Free Download Manager\iefdm2.dll O4 - HKLM\..\Run: [WLSS] C:\Program Files\Compal\Wireless Select Switch\WLSS.exe O4 - HKLM\..\Run: [sMBTray] C:\Program Files\Compal\Smart Battery\SMBTray.exe O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\mbamgui.exe" /starttray O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Free Uploader Oe Integration] E:\Program Files\Internet\Free Download Manager\fumoei.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: GomezPEER.lnk = C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache\bin\ApacheMonitor.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Internet\Free Download Manager\dlall.htm O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Internet\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Internet\Free Download Manager\dlfvideo.htm O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Internet\Free Download Manager\dllink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - E:\Program Files\Internet\Free Download Manager\fumiebtn.dll O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll O20 - AppInit_DLLs: C:\program,files\permissionresearch\prai.dll,C:\program,files\permissionresearch\prai.dll,C:\program files\permissionresearch\prai.dll O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Web Server\Apache.exe (file missing) O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache\bin\httpd.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - E:\Program Files\Security\Hotspot Shield\bin\openvpnas.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\mbamservice.exe O23 - Service: PCMAV RealTime Protector Service (PCMAVRTPService) - Unknown owner - C:\WINDOWS\system32\RTPSvc.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe -- End of file - 9715 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.