Are you a worm/trojan/virus expert?

[tiptopgemdotcom]

Does this "Hijack this" log file tell you what has gone so horribly wrong inside my pc?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:21:07 PM, on 1/18/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\stacsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\sttray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\diskperfm.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stivendor.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Public\AppData\eMuleMorphXT\conime.exe
C:\Users\Public\AppData\Shareobj\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Users\Public\AppData\Aobj\ctfldr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=minipavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/LastPass/iehome.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AESTFltr] "C:\WINDOWS\system32\AESTFltr.exe" /NoDlg
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SystemPerfSync] C:\WINDOWS\diskperfm.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BatteryBar.lnk = ?
O4 - Startup: ScreenHunter 5.1 Free.lnk = C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
O4 - Global Startup: AutoDect.lnk = C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe
O4 - Global Startup: {77E7382E-8F9D-4af1-9FA0-CB0EADC9CD46}.lnk = C:\WINDOWS\system32\rundll32.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files\LastPass\LPBar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://merchant.auctivacommerce.com/js/ImageUploader57.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Device Error Recovery Service (dgdersvc) - Devguru Co., Ltd. - C:\WINDOWS\system32\dgdersvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\stacsv.exe

--
End of file - 10622 bytes

[1713296443]

1713296443

[1713296443]

1713296443

[1713296443]

1713296443

[1713296443]

1713296443

[tiptopgemdotcom]

I know something is going wrong because when I open the task manager I see Ares, Shareaza, and eMule running.  I've never downloaded these.  Plus, when I use task manager to close them they just come right back again.  My firewall is down and can not be turned back on in control panel. 

Any way to identify this so I can pin down the correct fix?

[amencon]

If it'll let you I'd hit it with Malwarebytes and maybe ComboFix to start and re-assess after that.

I'm no expert but I've found through my experience that the hardest part of clearing most infections is getting around the blocks the infection itself throws up to prevent you from running your virus scanners.  Usually once you get a scan from malwarebytes off the problem is gone or at least mostly gone allowing you to run more scans with other software.

In the past the only infections I've seen that weren't cleared by Malwarebytes/Combofix were usually rootkits and if thats the case you can try GMER.

As a warning I've had ComboFix remove critical system files after running so I then had to fix the boot issues, however after that the machine ran clean.

Good luck.

[Raoul Duke]

run this medicine http://www.surfright.nl/en/hitmanpro

If it doesn't let you run it with the computer running just take the HDD out, plug it in to other computer and run it from there

[theymos]

Here's part of eMule that is running:
C:\Users\Public\AppData\eMuleMorphXT\conime.exe
I don't see anything else wrong. Ares and Shareaza aren't running.

[Maged]

If it'll let you I'd hit it with Malwarebytes and maybe ComboFix to start and re-assess after that.

Absolutely this. The people on the malware removal forums will hate me for this, but post your ComboFix log when you're done.

[deslok]

Hmm, a few red flags but little jumping out at me, you have two septate av suites running which can be a recipe for a mess

[farfiman]

If it'll let you I'd hit it with Malwarebytes and maybe ComboFix to start and re-assess after that.

I'm no expert but I've found through my experience that the hardest part of clearing most infections is getting around the blocks the infection itself throws up to prevent you from running your virus scanners.  Usually once you get a scan from malwarebytes off the problem is gone or at least mostly gone allowing you to run more scans with other software.

In the past the only infections I've seen that weren't cleared by Malwarebytes/Combofix were usually rootkits and if thats the case you can try GMER.

As a warning I've had ComboFix remove critical system files after running so I then had to fix the boot issues, however after that the machine ran clean.

Good luck.

one tip    try running in "safe mode with network"

[Tuxavant]

The *ONLY* way to be 100% sure you've eradicated malware is by wiping your drive and rebuilding the OS.

IMO, If you've got money, i.e. Bitcoin, on that system, this is your only option.

[deslok]

The *ONLY* way to be 100% sure you've eradicated malware is by wiping your drive and rebuilding the OS.

IMO, If you've got money, i.e. Bitcoin, on that system, this is your only option.

False and overly paranoid, a little research turns up he's got a rather run of the mill trojan malwarebytes ought to take care of if based on the presented symptoms It'll take longer than doing it manually but is simpler to do.

Bonus point to magged for suggesting it first i usually forget that's available and do things the hard way

[Tuxavant]

False and overly paranoid, a little research turns up he's got a rather run of the mill trojan malwarebytes ought to take care of if based on the presented symptoms It'll take longer than doing it manually but is simpler to do.

If something has escalated privs enough to install "run of the mill trojans", they've escalated privs enough to install root kits to hide anything else.

[grue]

The *ONLY* way to be 100% sure you've eradicated malware is by wiping your drive and rebuilding the OS.

IMO, If you've got money, i.e. Bitcoin, on that system, this is your only option.

False and overly paranoid, a little research turns up he's got a rather run of the mill trojan malwarebytes ought to take care of if based on the presented symptoms It'll take longer than doing it manually but is simpler to do.

Bonus point to magged for suggesting it first i usually forget that's available and do things the hard way

False and overly naive
what if the virus was in control of the OS? your antivirus won't be able to do shit.

[bb113]

Combofix deleted everything related to bitcoin for me. I lost .01 BTC.

[tiptopgemdotcom]

All I can say is "Wow".  You guys took care of me.  Amencon hit the nail on the head- I ran Malwarebytes and it found and eradicated the Ares/Shareaza/eMule issue immediately.  One scan and a reboot and it was dead and has not reappeared.

I forgot to mention another really big issue that was troubling me that started the same time as the P2P invasion.  I get the BSOD and my machine reboots.  It is totally random.  It might run for hours, or just minutes before doing so.  There is no way to read the screen since it is up for only a fraction of a second.  Any ideas on how to remedy this?

Combofix scares me- I'm not an IT guy!

[P4man]

  Any ideas on how to remedy this?

Yeah.
http://www.ubuntu.com/ubuntu

[tiptopgemdotcom]

LOL- yes, P4man, I know.  Steep learning curve for someone who is not a "natural" with computers though.  I'm running XP, and even though it is utter trash it is probably not as bad as 7 or Vista or whatever they are trying to sell now.  Name any other product that gets consistently worse over time and still has the lead in market share. 

[P4man]

LOL- yes, P4man, I know.  Steep learning curve for someone who is not a "natural" with computers though.

Its actually the opposite. Anyone who is not a geek with 20 years experience in windows will find it much easier to adapt. For almost all common  (non hardcore gaming) applications ubuntu is, if anything, easier and more natural to use than windows. Its only when you start poking under the hood that windows experts will face a learning curve. For "ordinary" users, the most difficult part is getting used to close/minize buttons being on the left, and forgetting about antivirus, drivers and drivers updates, malware, reinstalls, product activation  etc and wrapping your head around the idea that you install most applications just by selecting them in the software center. Rather than going out buy, install,  update, patch, activate etc. Its like an iphone; turn it on, use it. But without all the DRM crap.

[tiptopgemdotcom]

I am getting this error when I start up also:



Any ideas?

[Tuxavant]

I'm certainly not coming here to say "I told you so", but why in the hell would anyone trust a system after it's had multiple malwares on it it? Can you ever have any confidence in the security and integrity of this system any more?

[naypalm]

1. Find a Nerd
2. Have them backup your important documents.
3. Reinstall a fresh copy of XP Pro SP3
4. Have the nerd restore your important documents.
5. Install Something similar to Deep Freeze.
6.
7. PROFIT!!!