Discussion Starter · #1 ·
## Logs ## (description at the bottom)

HijackThis (before shutting down everything not needed):
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:08 PM, on 2/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Live\Messenger8.5\msnmsgr.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Apache\bin\httpd.exe
C:\Program Files\RBTray\RBTray.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\taskmgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 1936 bytes
(after)
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:52 PM, on 2/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Live\Messenger8.5\msnmsgr.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Apache\bin\httpd.exe
C:\Program Files\RBTray\RBTray.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner3\Desktop\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 2071 bytes
Malwarebytes log:
Code:
Malwarebytes' Anti-Malware 1.40
Database version: 2706
Windows 5.1.2600 Service Pack 2

2/09/2009 6:37:54 PM
mbam-log-2009-09-02 (18-37-54).txt

Scan type: Quick Scan
Objects scanned: 152761
Time elapsed: 24 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\ijlkqycrfx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
(Install.exe is an installer for a program I made for my girlfriend - a false positive, probably due to the lack of user confirmation before creating the files and registry settings (one of which is in Run))

ComboFix crashes and restarts my PC without doing anything; otherwise its log would be here.

My firewall detected and stopped a series of attempts to connect to what it marks as spy sites (too fast to see what the attempts were). If its log were intact I would include that, but it has been erased; and it cannot scan from the context menu (ZoneAlarm Internet Security Suite).
## /Logs ##

Around the 19th I got a trojan and I've been keeping it at bay so far, but it's getting really annoying as I'm in school now and I can't fight it 24/7 (my mother also doesn't care about it and demands I shut the computer down when I leave, so who knows what it changes while she's on it playing FreeCell).

There was an SDRA64.exe in my sys32 dir, but that's no longer appearing; instead I get randomly named programs in my Windows temp dir attempting to access the internet or other programs, so the virus is still on my computer, possibly as a DLL loaded by one of the god knows how many services Windows uses, but I'm not having any luck finding the last bits of it. dfrag.msc can't defrag my NTFS partition either, but the FAT partition it can do just fine; I also have autochk (no idea if this is the virus or the Windows boot version of chkdsk) running at boot and telling me it can't check my C: (NTFS) partition because it's formatted as RAW, which makes no sense. Any and all help is appreciated; I will provide more info if it is required. Thank you

~skyboy
Discussion Starter · #2 ·
Code:
Malwarebytes' Anti-Malware 1.40
Database version: 2659
Windows 5.1.2600 Service Pack 2

19/08/2009 7:21:08 PM
mbam-log-2009-08-19 (19-21-08).txt

Scan type: Quick Scan
Objects scanned: 140892
Time elapsed: 29 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\Iasv32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netskt (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ias (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\netskt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\[email protected]@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Iasv32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Code:
Malwarebytes' Anti-Malware 1.40
Database version: 2670
Windows 5.1.2600 Service Pack 2

22/08/2009 9:39:58 AM
mbam-log-2009-08-22 (09-39-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 375355
Time elapsed: 9 hour(s), 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\Systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Code:
Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 2

27/08/2009 3:09:02 PM
mbam-log-2009-08-27 (15-09-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 392257
Time elapsed: 5 hour(s), 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
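A triage helper for the Malwarebytes logs pasted in posts #1 and #2 (an added example, not part of this thread or of Malwarebytes itself): it parses the "item (Family) -> action" lines per section, cross-checks the header counts against the detail lines, and lists detections that were not actually removed ("Delete on reboot", "Not selected for removal"). The sample log is a constructed, abridged copy in the same format as the posted ones.

```python
import re

# Constructed, abridged sample in the format of the Malwarebytes 1.40 logs in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netskt (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\netskt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Iasv32.dll (Trojan.Agent) -> Delete on reboot.
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
"""

SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # e.g. "Files Infected: 3"
ITEM = re.compile(r"^(?P<item>.+) \((?P<family>[\w.]+)\)$")  # "path (Family)"

def parse_detection(line):
    """'item (Family) -> ... -> action.' to a dict; None for any other line.
    The final arrow segment is what MBAM actually did (or did not do)."""
    parts = line.split(" -> ")
    m = ITEM.match(parts[0]) if len(parts) >= 2 else None
    return {**m.groupdict(), "action": parts[-1].rstrip(".")} if m else None

def parse_mbam_log(text):
    """Return (header counts, detections per section) for one log."""
    summary, detections, section = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SUMMARY.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):
            section = line[:-1]
            detections.setdefault(section, [])
        elif section and (d := parse_detection(line)):
            detections[section].append(d)
    return summary, detections

def outstanding(detections):
    """Detections not actually removed: deferred to reboot or skipped by the user."""
    return [d for items in detections.values() for d in items
            if not d["action"].startswith("Quarantined and deleted")]

def summary_mismatches(summary, detections):
    """Sections whose header count disagrees with the detail lines (truncated paste?)."""
    return {s: (n, len(detections.get(s, []))) for s, n in summary.items()
            if n != len(detections.get(s, []))}
```

Run over the 19/08/2009 log in post #2, the outstanding list would still contain Iasv32.dll (deferred to reboot), which is why a follow-up scan after the reboot is worth checking before treating that log as clean.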
Discussion Starter · #3 ·
In addition, my computer crashed this morning, no blue screen; it sounded almost as though it shut down but some of the hardware kept working. There was no more Windows, but the monitor stayed on and the tower's light kept burning. I have no idea what this was about... this thing appears to be getting worse; all help is appreciated.

~skyboy

Edit: to clarify, the Windows OS went down, errorlessly, and my hard drive/fan shut down but the CPU and graphics chip (probably most everything else as well) kept running. I have never had this happen before, and I have never seen anything like it, nor read anything about it on Windows XP; but it does sound much like what Windows 95 does when you select shut down, so it would not be impossible.
Discussion Starter · #4 ·
I can't use any Microsoft services specific to IE either; trying to access them with IE 8 results in it crashing multiple times, and with IE6 it doesn't install the update I require to actually use the service and exits with error code 0x8007041D. According to Microsoft this is caused by NOD32 AV, but I do not, and have not ever, had this on my computer. And again, I'm getting desperate for help because I cannot afford a new computer; reinstalling Windows isn't an option because I can't back anything up and I need most of what's on my computer, and I do not have the space I need to back it up.