Jump to content

Need some Help removing Malware

jon vazquez
 Share

Recommended Posts

jon vazquez

jon vazquez

Posted
Posted

Good day,

I have been having some trouble with my computer lately with trojans beening picked up by AVG & Spybot, Sometimes the same trojan have come up after cleaning, yesterday I installed MBAM and found 3 more...I am now in the proces of doing a panda online scan.

this afternoon I disabled Tea Timer......

I

Link to post
Share on other sites
Raid

Raid

Posted
Posted

Download and Run RSIT

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.

    [*]Please post the contents of both log.txt and info.txt.

Then start MBAM and go to the UPDATE tab and update the program. Then do a Quick Scan and fix anything found.

Then restart the computer again and run another HJT scan and save log.

Post back the most recent MBAM and HJT logs please.

Link to post
Share on other sites
jon vazquez

jon vazquez

Posted
  • Author
Posted
Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.

  • Click Continue at the disclaimer screen.

  • Once it has finished, two logs will open:

    • log.txt will be opened maximized.

    • info.txt will be opened minimized.

    [*]Please post the contents of both log.txt and info.txt.

Then start MBAM and go to the UPDATE tab and update the program. Then do a Quick Scan and fix anything found.

Then restart the computer again and run another HJT scan and save log.

Post back the most recent MBAM and HJT logs please.

OK, Here we go..!

here are the RSIT logs:

this is the LOG.txt

Logfile of random's system information tool 1.04 (written by random/random)

Run by hot mobile xp at 2008-12-05 23:30:08

Microsoft Windows XP Professional Service Pack 3

System drive C: has 10 GB (15%) free of 69 GB

Total RAM: 1014 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:30:17, on 05/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe

C:\Archivos de programa\Bonjour\mDNSResponder.exe

C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\ARCHIV~1\AVG\AVG8\avgrsx.exe

C:\ARCHIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\rundll32.exe

C:\Archivos de programa\Canon\MyPrinter\BJMyPrt.exe

C:\ARCHIV~1\AVG\AVG8\avgtray.exe

C:\Archivos de programa\Hp\HP Software Update\HPWuSchd2.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\Archivos de programa\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\Archivos de programa\Mozilla Firefox\firefox.exe

C:\Documents and Settings\hot mobile xp\Escritorio\RSIT.exe

C:\Archivos de programa\Trend Micro\HijackThis\hot mobile xp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jonvazquez.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V

Link to post
Share on other sites
jon vazquez

jon vazquez

Posted
  • Author
Posted

Sorry, forgot to add the MBAM log...anyways here it is followed by the HJT log after restart.

Malwarebytes' Anti-Malware 1.31

Database version: 1463

Windows 5.1.2600 Service Pack 3

05/12/2008 23:59:12

mbam-log-2008-12-05 (23-59-12).txt

Scan type: Quick Scan

Objects scanned: 53540

Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0:11:26, on 06/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe

C:\Archivos de programa\Bonjour\mDNSResponder.exe

C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\ARCHIV~1\AVG\AVG8\avgrsx.exe

C:\ARCHIV~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\rundll32.exe

C:\Archivos de programa\Canon\MyPrinter\BJMyPrt.exe

C:\ARCHIV~1\AVG\AVG8\avgtray.exe

C:\Archivos de programa\Hp\HP Software Update\HPWuSchd2.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Archivos de programa\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jonvazquez.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V

Link to post
Share on other sites
jon vazquez

jon vazquez

Posted
  • Author
Posted

Sorry, ignore that last log......I forgot to restart the computer after the fixes.

Here is the last log after restart from HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:01:58, on 06/12/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\rundll32.exe

C:\Archivos de programa\Canon\MyPrinter\BJMyPrt.exe

C:\ARCHIV~1\AVG\AVG8\avgtray.exe

C:\Archivos de programa\Hp\HP Software Update\HPWuSchd2.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Archivos de programa\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe

C:\Archivos de programa\Bonjour\mDNSResponder.exe

C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Archivos de programa\Java\jre6\bin\jqs.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

C:\ARCHIV~1\AVG\AVG8\avgrsx.exe

C:\ARCHIV~1\AVG\AVG8\avgemc.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jonvazquez.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Archivos de programa\Winamp Toolbar\winamptb.dll

O2 - BHO: Aplicaci

Link to post
Share on other sites
Raid

Raid

Posted
Posted

Very Good.

Let's do this to ensure a nice tidy system:

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc...
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Once ALL older versions are removed you will no longer need to remove them in the future. This update includes a new method of updating that will update the files in place. So with the next version 11 update it will actually update 10 instead of a new installation.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

If you have your windows cd handy with the correct service pack, please follow these instructions:

Click on
START - RUN
and type in
SIGVERIF
and click OK
This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the
    START
    button and let it run.
  • It will popup a box when it's done to show the status, you can close that box.

  • Close the
    File Signature Verification
    application.

  • Find and attach the file C:\WINDOWS\
    SIGVERIF.TXT
    to your reply.

  • DO NOT
    post the log directly into your reply, attach the file please.

Link to post
Share on other sites
Raid

Raid

Posted
Posted

No problem.

I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand
how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
http://www.malwarebytes.org/forums/index.php?showtopic=2936' rel="external nofollow">
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.