
Author Topic: Trojan HijackThis log  (Read 21676 times)


bato1994

    Topic Starter


    Rookie

  • LIONS premiers 2010!!
    Trojan HijackThis log
    « on: October 17, 2009, 10:39:17 PM »
    I have a very severe trojan affecting my laptop.

    Trojan:Win32/Alureon.gen!U

    It's causing my computer to freeze after the welcome screen.
    I ran my computer in safe mode but no luck. I have tried removing it with avast and some other programs but also no luck.

    Can somebody please help?

    I'm in urgent need of some help!

    I ran this in safe mode:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:13:32 PM, on 18/10/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Enhanced search Toolbar - {abb88e4e-75f4-4fdc-8f42-d101484c4b3f} - C:\Program Files\Enhanced_search\tbEnha.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
    O3 - Toolbar: Enhanced search Toolbar - {abb88e4e-75f4-4fdc-8f42-d101484c4b3f} - C:\Program Files\Enhanced_search\tbEnha.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    O4 - HKLM\..\Run: [UsbMonitor] "C:\Program Files\TrueSuite Access Manager\usbnotify.exe"
    O4 - HKLM\..\Run: [HDMICtrlMan] C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [winlogen.exe] C:\Windows\winlogen.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Authentec memory manager service (Authentec memory manager) - AuthenTec Inc. - C:\Windows\system32\TAMSvr.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c95e418ad821a6) (gupdate1c95e418ad821a6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

    --
    End of file - 8868 bytes
    Gotta love this.

    "There is no such thing as a stupid answer, they are easiest to answer!"

    LOL. Things I come past on the internet...

    ankur16



      Rookie

      Thanked: 5
      Re: Trojan HijackThis log
      « Reply #1 on: October 18, 2009, 12:33:05 PM »
      1) Have "HijackThis" fix the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close "HijackThis". Please close any open programs before doing this fix.


      Quote
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O4 - HKLM\..\Run: [winlogen.exe] C:\Windows\winlogen.exe


      2) Malwarebytes' Anti-Malware is already installed in your system. Perform a full scan with it as follows. Make sure it is updated before performing a scan.


      * Open Malwarebytes' Anti-Malware. Under the "Scanner" tab, select "Perform Full Scan" and click "Scan". In the dialog box select all your drives except CD/DVD drives.

      * Now click "Start Scan".

      * The scan may take some time to finish, so please be patient.

      * When the scan is complete, click OK, then Show Results to view the results.

      * Make sure that everything is checked, and click Remove Selected.

      * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

      * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

      * Copy and paste the entire report in your next reply.

      PLEASE NOTE:
      If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.





      3) Next download RootRepeal.rar and unzip it to your Desktop. You'll need WinRAR to extract it.

          * Double click RootRepeal.exe to start the program
          * Click on the Report tab at the bottom of the program window
          * Click the Scan button
          * In the Select Scan dialog, check:
                o Drivers
                o Files
                o Processes
                o SSDT
                o Stealth Objects
                o Hidden Services
          * Click the OK button
          * In the next dialog, select all drives showing
          * Click OK to start the scan
       

      The scan can take some time. DO NOT run any other programs while the scan is running.

          * When the scan is complete, the Save Report button will become available
          * Click this and save the report to your Desktop as RootRepeal.txt
          * Go to File, then Exit to close the program
          * Attach this log in your next post.

      4) Download DDS by sUBs to your desktop.
      Your antivirus software might question the file. If it does, allow it.

          * Double click DDS.scr to run it and wait for the scan to finish
          * When finished DDS.txt will open
          * A small while later, a prompt will open. Answer Yes
          * DDS will continue scanning
          * When done, Attach.txt will open

      Copy and paste the DDS.txt and attach Attach.txt
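Added example, not part of the original posts: a small triage script for HijackThis logs, run here over lines copied from the log at the top of the thread. The three rules (empty R0/R1 value, BHO or toolbar registered with no file, Run entry whose executable name is within two edits of a core Windows binary) are this example's own heuristics, not the helper's stated method, and the `SYSTEM_BINARIES` list is an assumption to extend as needed.

```python
import re

# Lines copied from the HijackThis log posted at the top of this thread.
SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winlogen.exe] C:\Windows\winlogen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: a short list of core Windows binaries to compare names against.
SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe", "rundll32.exe")

ENTRY_RE = re.compile(r"^\s*([A-Z]\d+) - (.*)$")        # "O4 - <body>"
RUN_RE = re.compile(r"^\S+: \[[^\]]*\] (.+)$")          # "HKLM\..\Run: [name] cmd"
EXE_RE = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)  # file name of the command


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(exe_name):
    """Return the system binary this name nearly matches, or None."""
    name = exe_name.lower()
    for known in SYSTEM_BINARIES:
        if 0 < edit_distance(name, known) <= 2:
            return known
    return None


def triage(log_text):
    """Return (code, reason, line) for entries that merit a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        code, body = m.group(1), m.group(2).rstrip()
        if code in ("R0", "R1") and body.endswith("="):
            findings.append((code, "empty value", raw.strip()))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code, "registered object has no file", raw.strip()))
        elif code == "O4":
            run = RUN_RE.match(body)
            exe = EXE_RE.search(run.group(1)) if run else None
            twin = lookalike(exe.group(1)) if exe else None
            if twin:
                findings.append((code, "name resembles " + twin, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE):
        print(f"{code:>3}  {reason:<32} {line}")
```

A hit from this script is a prompt to inspect the file (location, signature, creation date), not a verdict that it is malicious.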

      harry 48



        Egghead

      • lay back , relax and chill out
      • Thanked: 129
        • Dribbling Pensioner
      • Certifications: List
      • Experience: Familiar
      • OS: Windows 7
      Re: Trojan HijackThis log
      « Reply #2 on: October 18, 2009, 01:19:19 PM »


      edit: ankur16, did not see your post, harry
      « Last Edit: October 22, 2009, 11:38:10 AM by evilfantasy »

      bato1994

        Topic Starter


        Rookie

      • LIONS premiers 2010!!
        Re: Trojan HijackThis log
        « Reply #3 on: October 19, 2009, 01:14:46 AM »
        MalwareBytes LOG:

        Malwarebytes' Anti-Malware 1.41
        Database version: 2775
        Windows 6.0.6001 Service Pack 1 (Safe Mode)

        19/10/2009 6:45:22 PM
        mbam-log-2009-10-19 (18-45-22).txt

        Scan type: Full Scan (C:\|D:\|)
        Objects scanned: 249765
        Time elapsed: 43 minute(s), 41 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 14
        Registry Values Infected: 0
        Registry Data Items Infected: 1
        Folders Infected: 1
        Files Infected: 7

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

        Folders Infected:
        C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Quarantined and deleted successfully.

        Files Infected:
        C:\Downloads\KazulahSetup2.3.50.45.ZQman000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\Downloads\VLCSetup.exe (Adware.Zango) -> Quarantined and deleted successfully.
        C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
        C:\Users\valued customer\AppData\Local\VirtualStore\Windows\System32\28463\FMPB.006 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
        C:\Users\valued customer\AppData\Local\VirtualStore\Windows\System32\28463\FMPB.007 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
        C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.

        DDS TEXT:

        DDS (Ver_09-10-13.01) - NTFSx86 NETWORK
        Run by SYSTEM at 19:05:29.22 on Mon 19/10/2009
        Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
        Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.3069.2550 [GMT 11:00]

        AV: BitDefender Antivirus *On-access scanning disabled* (Updated)   {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
        SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

        ============== Running Processes ===============

        C:\Windows\system32\wininit.exe
        C:\Windows\system32\lsm.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        C:\Windows\system32\svchost.exe -k rpcss
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        C:\Windows\system32\svchost.exe -k netsvcs
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        C:\Windows\system32\svchost.exe -k NetworkService
        C:\Windows\system32\svchost.exe -k LocalService
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
        C:\Windows\Explorer.EXE
        C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\config\systemprofile\Desktop\dds.scr
        C:\Windows\system32\wbem\wmiprvse.exe

        ============== Pseudo HJT Report ===============

        mURLSearchHooks: Enhanced search Toolbar: {abb88e4e-75f4-4fdc-8f42-d101484c4b3f} - c:\program files\enhanced_search\tbEnha.dll
        BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
        BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
        BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
        BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
        BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
        BHO: Enhanced search Toolbar: {abb88e4e-75f4-4fdc-8f42-d101484c4b3f} - c:\program files\enhanced_search\tbEnha.dll
        BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
        BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
        TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
        TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
        TB: Enhanced search Toolbar: {abb88e4e-75f4-4fdc-8f42-d101484c4b3f} - c:\program files\enhanced_search\tbEnha.dll
        TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
        mRun: [NDSTray.exe] NDSTray.exe
        mRun: [cfFncEnabler.exe] cfFncEnabler.exe
        mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
        mRun: [RtHDVCpl] RtHDVCpl.exe
        mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
        mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
        mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
        mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
        mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
        mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
        mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe
        mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
        mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
        mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
        mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
        mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
        mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
        mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
        mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
        mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
        StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
        StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
        mPolicies-system: EnableLUA = 0 (0x0)
        mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
        mPolicies-system: DisableCAD = 1 (0x1)
        IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
        IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
        IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
        IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
        IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
        DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
        AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

        ================= FIREFOX ===================

        FF - ProfilePath -
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
        FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
        FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
        FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

        ============= SERVICES / DRIVERS ===============

        R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2008-10-22 42608]
        R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-6 7168]
        R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
        S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-19 114768]
        S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-19 20560]
        S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-4-19 53328]
        S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2008-10-22 49152]
        S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
        S2 gupdate1c95e418ad821a6;Google Update Service (gupdate1c95e418ad821a6);c:\program files\google\update\GoogleUpdate.exe [2008-12-15 133104]
        S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-4 126976]
        S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
        S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]

        =============== Created Last 30 ================

        2009-10-18 15:13   <DIR>   --d-----   c:\program files\Trend Micro
        2009-10-17 17:33   <DIR>   --d-----   c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
        2009-10-17 17:33   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
        2009-10-17 17:33   19,160   a-------   c:\windows\system32\drivers\mbam.sys
        2009-10-17 17:33   <DIR>   --d-----   c:\programdata\Malwarebytes
        2009-10-17 17:33   <DIR>   --d-----   c:\program files\Malwarebytes' Anti-Malware
        2009-10-17 17:33   <DIR>   --d-----   c:\progra~2\Malwarebytes
        2009-10-15 18:53   21,052   a-------   c:\windows\system32\SIntfNT.dll
        2009-10-15 18:53   15,144   a-------   c:\windows\system32\SIntf32.dll
        2009-10-15 18:53   12,067   a-------   c:\windows\system32\SIntf16.dll

        ==================== Find3M  ====================

        2009-09-21 15:17   209,788,507   a-------   c:\windows\DUMP737a.tmp
        2009-09-14 14:36   615,992   a-------   c:\windows\system32\ci.dll
        2009-09-12 10:29   318,976   a-------   c:\windows\winlogen.exe
        2009-08-24 19:08   143,360   a-------   c:\windows\inf\infstrng.dat
        2009-08-24 19:08   51,200   a-------   c:\windows\inf\infpub.dat
        2009-08-24 18:58   86,016   a-------   c:\windows\inf\infstor.dat
        2009-08-24 18:57   47,360   a-------   c:\windows\system32\drivers\pcouffin.sys
        2009-08-15 03:29   104,960   a-------   c:\windows\system32\netiohlp.dll
        2009-08-15 03:29   17,920   a-------   c:\windows\system32\netevent.dll
        2009-08-15 01:16   17,920   a-------   c:\windows\system32\ROUTE.EXE
        2009-08-15 01:16   9,728   a-------   c:\windows\system32\TCPSVCS.EXE
        2009-08-15 01:16   11,264   a-------   c:\windows\system32\MRINFO.EXE
        2009-08-15 01:16   27,136   a-------   c:\windows\system32\NETSTAT.EXE
        2009-08-15 01:16   19,968   a-------   c:\windows\system32\ARP.EXE
        2009-08-15 01:16   10,240   a-------   c:\windows\system32\finger.exe
        2009-08-15 01:16   8,704   a-------   c:\windows\system32\HOSTNAME.EXE
        2009-07-25 06:23   411,368   a-------   c:\windows\system32\deploytk.dll
        2008-11-22 21:03   665,600   a-------   c:\windows\inf\drvindex.dat
        2008-01-21 13:43   174   a--sh---   c:\program files\desktop.ini
        2007-05-06 17:32   389,120   a-------   c:\program files\DaShRelease.exe
        2006-11-02 23:42   287,440   a-------   c:\windows\inf\perflib\0409\perfi.dat
        2006-11-02 23:42   287,440   a-------   c:\windows\inf\perflib\0409\perfh.dat
        2006-11-02 23:42   30,674   a-------   c:\windows\inf\perflib\0409\perfd.dat
        2006-11-02 23:42   30,674   a-------   c:\windows\inf\perflib\0409\perfc.dat
        2006-11-02 20:20   287,440   a-------   c:\windows\inf\perflib\0000\perfi.dat
        2006-11-02 20:20   287,440   a-------   c:\windows\inf\perflib\0000\perfh.dat
        2006-11-02 20:20   30,674   a-------   c:\windows\inf\perflib\0000\perfd.dat
        2006-11-02 20:20   30,674   a-------   c:\windows\inf\perflib\0000\perfc.dat
        2003-08-05 00:36   171,008   a-------   c:\program files\ePSXe.exe
        2008-12-18 18:43   16,384   a--sh---   c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
        2008-12-18 18:43   32,768   a--sh---   c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
        2008-12-18 18:43   16,384   a--sh---   c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

        ============= FINISH: 19:06:15.19 ===============


        [Saving space, attachment deleted by admin]

        ankur16



          Rookie

          Thanked: 5
          Re: Trojan HijackThis log
          « Reply #4 on: October 19, 2009, 09:23:38 AM »
          Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

          This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

          I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

          Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

          How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


          When Should I Format, How Should I Reinstall

          We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

          Should you have any questions, please feel free to ask.

          Please let me know what you have decided to do in your next post.

          bato1994

            Topic Starter


            Rookie

          • LIONS premiers 2010!!
            Re: Trojan HijackThis log
            « Reply #5 on: October 19, 2009, 11:53:15 PM »
            OK. Continue with the process.

            ankur16



              Rookie

              Thanked: 5
              Re: Trojan HijackThis log
              « Reply #6 on: October 20, 2009, 10:04:43 AM »
              Bato, sorry for the delay, as per your decision we will move ahead from here.

              1) Your Java is out of date.

              Older versions have vulnerabilities that malicious sites can use to infect your system.

              First install the new Sun Java Runtime Environment

              Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

              Be sure to close all browser windows before beginning the install.

              Remove the old version(s)

              Download JavaRa
              * Unzip the file and open the JavaRa.exe
              * Click Remove Older Versions
              * JavaRa will search for and remove any outdated version of Java and remove any that are found.
              * Click Additional Tasks
              * Place a check next to Remove Useless JRE Files and click Go
              * Exit JavaRa
              * Delete the JavaRa files from the Desktop

              Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.


              2)  Please download ComboFix from one of these webpages.

              http://download.bleepingcomputer.com/sUBs/ComboFix.exe
              http://www.forospyware.com/sUBs/ComboFix.exe

              * IMPORTANT !!! Save ComboFix.exe  directly to your Desktop


              a) Click Start >> Run. (Alternatively, press the Windows logo key and R simultaneously.)

              b) Type "notepad" without quotes. Click OK.


              Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are performing the portion of the instructions below.
              It's IMPORTANT to carry out the instructions in the sequence listed below.

              a) Close any open browsers.
              b) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
              Open *notepad* and copy/paste the text in the quotebox below into it:


              Quote
              KillAll::

              DDS::

              File::
              c:\windows\winlogen.exe

              Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop. Now drag CFScript.txt into ComboFix.exe.

              When finished, it shall produce a log for you at C:\ComboFix.txt

              Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.
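
The CFScript in the reply above targets c:\windows\winlogen.exe, a file name that differs by one letter from the genuine Windows logon process winlogon.exe. As an added example (not part of the original thread or of any tool mentioned in it), the following Python parses rows in the DDS file-listing format posted earlier in this thread and reports file names within a small edit distance of well-known system binaries. The reference list, the distance threshold and the last sample row are assumptions made for the example.

```python
import re
from ntpath import basename

# Windows system binaries used as the reference list (assumed, not exhaustive).
SYSTEM_NAMES = ["winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "explorer.exe", "smss.exe"]

# DDS file-listing row: date, time, size, eight attribute flags, path.
ROW = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(\S.*?)\s*$")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_rows(text):
    """Yield (timestamp, size_bytes, attrs, path) for each well-formed row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            date, time, size, attrs, path = m.groups()
            yield f"{date} {time}", int(size.replace(",", "")), attrs, path

def lookalikes(text, max_distance=2):
    """Return (path, resembled_name, distance) for near-miss system names."""
    hits = []
    for _, _, _, path in parse_rows(text):
        name = basename(path).lower()
        for ref in SYSTEM_NAMES:
            d = edit_distance(name, ref)
            if 0 < d <= max_distance:  # exact matches are not near-misses
                hits.append((path, ref, d))
    return hits

# First three rows are copied from the posted log; the winlogen.exe row is constructed.
SAMPLE = r"""
2008-11-22 21:03   665,600   a-------   c:\windows\inf\drvindex.dat
2008-01-21 13:43   174   a--sh---   c:\program files\desktop.ini
2003-08-05 00:36   171,008   a-------   c:\program files\ePSXe.exe
2009-10-17 14:02   45,056   a-------   c:\windows\winlogen.exe
============= FINISH: 19:06:15.19 ===============
"""

if __name__ == "__main__":
    for path, ref, d in lookalikes(SAMPLE):
        print(f"{path}: resembles {ref} (edit distance {d})")
```

A distance of 0 is not reported, so a file that uses a genuine system name from an unexpected directory needs a separate path check.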

              bato1994

                Topic Starter


                Rookie

              • LIONS premiers 2010!!
                Re: Trojan HijackThis log
                « Reply #7 on: October 20, 2009, 11:44:36 PM »
                I cannot drag CFScript to ComboFix. It's not working.
                When I drag it, it brings up a blue box that's named: Administrator. Then it starts scanning my computer and stops and says: PEV.cfxxe has stopped working.

                ankur16



                  Rookie

                  Thanked: 5
                  Re: Trojan HijackThis log
                  « Reply #8 on: October 23, 2009, 08:03:49 AM »
                  Delete all of these files/folders (if found)

                  * Delete the ComboFix.exe file
                  * C:\ComboFix folder
                  * C:\QooBox folder
                  * C:\WINDOWS\nircmd.exe
                  * C:\combofix.txt
                  * C:\ComboFix-quarantined-files.txt

                  Restart the computer and download a new copy of ComboFix to your desktop.
                  http://download.bleepingcomputer.com/sUBs/ComboFix.exe

                  Now try to drag and drop the CFScript again.


                  bato1994

                    Topic Starter


                    Rookie

                  • LIONS premiers 2010!!
                    Re: Trojan HijackThis log
                    « Reply #9 on: October 23, 2009, 08:14:56 PM »
                    Still not working.
                    BTW, I downloaded ComboFix from my other laptop and put it on a USB. Then put ComboFix on the infected laptop's desktop.
                    I am running in safe mode with networking, but I have a modem so I cannot use the internet with the infected laptop.

                    ankur16



                      Rookie

                      Thanked: 5
                      Re: Trojan HijackThis log
                      « Reply #10 on: October 24, 2009, 11:41:23 AM »
                      Download Dr.Web CureIt and save it to your desktop.

                      Note: Be sure to update Dr Web from your good computer before transferring it over to the infected one.


                       Scan with DrWeb-CureIt as follows:


                          * Double-click on drweb-cureit.exe and then click Start
                          * An information notice will appear, click OK.
                          * This starts a short scan that will scan the files currently running in memory.
                          * If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version.
                          * If or when something is found, click the Yes button when it asks you if you want to cure it.

                          * Once the short scan has finished, Click Settings > Change Settings
                          * Under the Scanning tab UNcheck Heuristic analysis and click OK
                          * Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
                          * Click Yes to all if it asks if you want to cure/move any file(s).
                          * When the scan is done, in the Dr.Web CureIt menu on top left, click File and choose Save report list.
                          * Save the DrWeb.csv report to your Desktop.
                          * Exit Dr.Web CureIt.
                          * Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

                      * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                      * Copy and paste that log in the next reply

                      bato1994

                        Topic Starter


                        Rookie

                      • LIONS premiers 2010!!
                        Re: Trojan HijackThis log
                        « Reply #11 on: October 25, 2009, 04:39:48 AM »
                        I have good news and bad news.
                        Bad news: The scan froze when it finished and I was forced to restart the computer. :(
                        Then the computer booted running chkdsk. Once that finished, I finally got past the welcome screen, then this sign popped up: "Administrator: Winlogen" in a CMD.

                        Good news: I clicked the cross to get out of it and windows finished loading properly.

                        Could be better: Now I am left with half the stuff I had previously (before the infection)

                        I still have a feeling something is still there - maybe a backdoor?

                        Mixed feelings. Not sure. Post back to tell me if it's safe to start downloading and surfing the web.


                        bato1994

                          Topic Starter


                          Rookie

                        • LIONS premiers 2010!!
                          Re: Trojan HijackThis log
                          « Reply #12 on: October 26, 2009, 12:05:32 AM »
                          I can post HijackThis logs and others, only if you want me to.

                          ankur16



                            Rookie

                            Thanked: 5
                            Re: Trojan HijackThis log
                            « Reply #13 on: October 26, 2009, 07:38:07 AM »
                            Try ComboFix one more time.




                            Delete all of these files/folders (if found)

                            * Delete the ComboFix.exe file
                            * C:\ComboFix folder
                            * C:\QooBox folder
                            * C:\WINDOWS\nircmd.exe
                            * C:\combofix.txt
                            * C:\ComboFix-quarantined-files.txt

                            Restart the computer and download a new copy of ComboFix to your desktop.
                            http://download.bleepingcomputer.com/sUBs/ComboFix.exe

                            Now try to drag and drop the CFScript again, as follows.

                            * IMPORTANT !!! Save ComboFix.exe  directly to your Desktop


                            a) Click Start >> Run. (Alternatively, press the Windows logo key and R simultaneously.)

                            b) Type "notepad" without quotes. Click OK.


                            Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are performing the portion of the instructions below.
                            It's IMPORTANT to carry out the instructions in the sequence listed below.

                            a) Close any open browsers.
                            b) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                            Open *notepad* and copy/paste the text in the quotebox below into it:


                            Quote
                            KillAll::

                            DDS::

                            File::
                            c:\windows\winlogen.exe

                            Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop. Now drag CFScript.txt into ComboFix.exe.

                            When finished, it shall produce a log for you at C:\ComboFix.txt

                            Please copy and paste the ComboFix.txt in your next reply.



                            bato1994

                              Topic Starter


                              Rookie

                            • LIONS premiers 2010!!
                              Re: Trojan HijackThis log
                              « Reply #14 on: October 27, 2009, 11:03:18 PM »
                              When I drag the script into ComboFix, it doesn't bring up a log. :-\