iexplore.exe virus perhaps? have a HJT log, and some symptoms. Need help pls.

Question

reyjr80 0 Unverified User

15 Years Ago

Contracted a virus a week ago.

Main symptoms:

-multiple iexplore.exe processes running in task manager, both using a significant amount of processing power despite no IE windows being open (I use mozilla, not IE)

-upon bootup, window pops up explaining that explorer.exe (not ie) has experienced an error and asks if I would like to report it.

-I cannot update to SP3, or visit sites relating to SP3 updates. If I attempt to visit these sites or update virus registries of antivirus programs (such as malwarebyte and SUPERantispyware) the PC becomes extremely slow, processing is up to 95-100% and attempting to enter the task manager (ctrl+alt+del) brings up this error message:

“This application has failed to initialize properly (0xc0000017). Click okay to terminate application.”

-I have reformatted and reinstalled windows XP with SP1 and the problem persists.

-I have a DELL Dimension 8250. Please assist me in getting clean! Thanks in advance.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:28 PM, on 5/1/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Documents and Settings\Matt\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\3361\SVCHOST.exe
C:\WINDOWS\System32\sopidkc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BND6.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canpharmacynetwork.com/?aff=4303
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O1 - Hosts: 63.119.44.200 www.mybigcatch.com
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\System32\3361\SVCHOST.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\System32\3361\SVCHOST.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-6219900304-8135244136-112338316-8665\service.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241104508859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241104498796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\System32\sopidkc.exe

--
End of file - 3147 bytes

windows-virus

3 Contributors
18 Replies
332 Views
1 Week Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

crunchie 990 Most Valuable Poster

15 Years Ago

If you reformatted correctly the problem should be gone. Sure you never did an over-the-top install?

==

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new HJT log.

jbisono 51 Posting Pro in Training

15 Years Ago

Try this have worked for me couple of times
Reboot on Safe Mode with network options.
Delete your Malwarebyte shortcut from your desktop.
Go to your program files C:\Program Files\Malwarebytes' Anti-Malware and change the name of mbam.exe to something else but not similar to others antivirus programs, and now try to run malwarebytes, it should work.

crunchie 990 Most Valuable Poster

15 Years Ago

I have merged your new thread with your old one. Do not double post please.
==

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Do nothing other than the above. If you have problems, let me know.

crunchie 990 Most Valuable Poster

15 Years Ago

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

====

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.

[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\Matt\reader_s.exe
C:\WINDOWS\TEMP\yxut18.exe
C:\WINDOWS\TEMP\1040880726.exe

Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.

[*]Ensure the following:

Scan for Rootkits is checked.
Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)

====

Try running combofix and/or MBA-M again.

Reboot and post ALL logs please.

crunchie 990 Most Valuable Poster

15 Years Ago

Can you do a fresh hijackthis log please.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

reyjr80 0 Unverified User · Answer 1 · 2009-05-06T08:14:58+00:00

Crunchie, thanks for the directions. Unfortunately, the virus prevents me even installing Malwarebytes' Antimalware. The same is true for SuperAntiSpyware. Whenever I double click the install for Mbam, the hourglass appears for a moment, disappears and then nothing follows. Whenever I double click the install for SuperAntiSpyware, I get this message: "SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience."

Again, my HJT Log shows this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:22 PM, on 5/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\37.tmp
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: C:\WINDOWS\System32\sdrgfcvbf.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Matt\LOCALS~1\Temp\1452345114.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1040880726.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241104508859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241104498796
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll

--
End of file - 3959 bytes

reyjr80 0 Unverified User · Answer 2 · 2009-05-06T09:52:53+00:00

Forget my last post, I got Malwarebytes Antimalware updated and working for a full scan.

Here's what the Malwarebyte log showed after removing everything:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 1

5/5/2009 10:42:52 PM
mbam-log-2009-05-05 (22-42-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99058
Time elapsed: 37 minute(s), 57 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001090.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001091.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001092.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001094.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe.vir (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

reyjr80 0 Unverified User · Answer 3 · 2009-05-06T09:55:50+00:00

And here's my HJT Log after rebooting:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:42 PM, on 5/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Matt\reader_s.exe
C:\WINDOWS\system32\7.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1040880726.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241104508859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241104498796

--
End of file - 2724 bytes

reyjr80 0 Unverified User · Answer 4 · 2009-05-07T02:04:04+00:00

The Malware running on my computer is particularly clever in that it restricts me from accessing sites at which I can download anitmalware programs, prevents microsoft windows update websites from loading, and prevents antimalware programs that I DO have from updating (Malwarebyte, SuperAntispyware, Counterspy).

I am also restricted from accessing sites that feature online scanners like Panda, ESET, Kaspersky, TrendMicro Housecall, or F-Secure. By restricted I mean, the page attempts to load, but never does, the bottom left had corner of the browser simply says done, with a blank screen loaded in the main window. The same is true for the above paragraph.

My browser is Firefox. I have a Dell Dimension 8250 running XP SP1 after a complete reformatting and reinstallation of my OS. The problem has somehow carried over. Thank you in advance for any help you can provide.

Here's my Malwarebytes' Antimalware log after removal:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 1

5/5/2009 10:42:52 PM
mbam-log-2009-05-05 (22-42-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99058
Time elapsed: 37 minute(s), 57 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001090.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001091.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001092.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{988E9517-1A95-4954-92A0-C7EEB4403369}\RP6\A0001094.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe.vir (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Here's my latest HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:58 PM, on 5/6/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\yxut18.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1040880726.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\yxut18.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

--
End of file - 2574 bytes

reyjr80 0 Unverified User · Answer 5 · 2009-05-07T03:41:21+00:00

Try this have worked for me couple of times
Reboot on Safe Mode with network options.
Delete your Malwarebyte shortcut from your desktop.
Go to your program files C:\Program Files\Malwarebytes' Anti-Malware and change the name of mbam.exe to something else but not similar to others antivirus programs, and now try to run malwarebytes, it should work.

I am intermittently able to run Malwarebyte's antimalware or other programs. The problem is, whenever I remove the problems these programs find, they are simply recreated the next time I reboot. Something somewhere on my machine is not being found and is capable of duplicating the problem files that these antimalware programs discover and remove. Someone please take a look at my logs and help me out if possible! Thanks.

reyjr80 0 Unverified User · Answer 6 · 2009-05-07T08:31:08+00:00

Sorry for the double post. I thought my situation had changed after getting malwarebyte to work, and worried that it was going to confuse you to explain it. Thanks for sticking with me!

I tried downloading from both sites. Niether loaded the first time (same thing happened as when I try to connect to sites with other antimalware, or windows updater). After a reboot, I was able to download it from either site. I tried from both but the same thing happened:

After downloading, I disconnected my ethernet wire, ran ComboFix, and after the progress bar reached completion, a message came up in a box stating:

"!!Alert!! It is NOT SAFE to continue!

The contents of the ComboFix Package has been compromised. Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus (Virut)"

Again, this happened both times I tried. Thoughts?

reyjr80 0 Unverified User · Answer 7 · 2009-05-07T12:58:54+00:00

Ran ATF with no problems. Ran avenger and after reboot it showed this log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\services.exe" deleted successfully.
File "C:\WINDOWS\System32\reader_s.exe" deleted successfully.
File "C:\Documents and Settings\Matt\reader_s.exe" deleted successfully.

Error: file "C:\WINDOWS\TEMP\yxut18.exe" not found!
Deletion of file "C:\WINDOWS\TEMP\yxut18.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\TEMP\1040880726.exe" not found!
Deletion of file "C:\WINDOWS\TEMP\1040880726.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Then attempted to run ComboFix and the same error message as previously posted appeared.

reyjr80 0 Unverified User · Answer 8 · 2009-05-07T20:02:40+00:00

Can you do a fresh hijackthis log please.

Sorry. This is my HJT directly after running Avenger as seen on my previous post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:48 AM, on 5/7/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\sopidkc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: C:\WINDOWS\System32\sdrgfcvbf.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Matt\LOCALS~1\Temp\1571538584.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yblq81.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\yblq81.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3629823436.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\yblq81.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 123.987.654.31 - C:\WINDOWS\System32\sopidkc.exe

--
End of file - 3038 bytes

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2009-05-08T02:44:44+00:00

I have never seen a log with more infection entries than legitimate ones than yours. Your system is severely compromised and this is one of the few times where I would advise a reformat.
We can try to plough ahead, but it may be to no avail?

==

Can you please do the following.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Dhcp server (DhcpSrv) owner ... (C:\WINDOWS\dhcp\svchost.exe)
sopidkc Service (sopidkc) - 123.987.654.31 ... (C:\WINDOWS\System32\sopidkc.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\System32\sopidkc.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HijackThis and then place a check next to all the following, if present:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe,

O2 - BHO: C:\WINDOWS\System32\sdrgfcvbf.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Matt\LOCALS~1\Temp\1571538584.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yblq81.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\yblq81.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3629823436.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Matt\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\yblq81.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
...(Unless you've restricted the use of registry editing, have HiJackThis fix this.)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\System32\sdrgfcvbf.dll

O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 123.987.654.31 - C:\WINDOWS\System32\sopidkc.exe

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\WINDOWS\dhcp

files...

C:\WINDOWS\System32\sopidkc.exe
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\sdrgfcvbf.dll
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\Matt\reader_s.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\1571538584.exe
C:\WINDOWS\TEMP\yblq81.exe
C:\WINDOWS\TEMP\3629823436.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

You will need to use Internet Explorer to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• Kaspersky Online Scanner • Panda Active Scan • Trend Micro HouseCall • F-Secure Online Virus Scanner

reyjr80 0 Unverified User · Answer 10 · 2009-05-09T00:33:23+00:00

Crunchie
Thanks for the advice. I have reformatted before and it didn't seem to take care of the problem. But, I am going to give it a try once more. Keep this thread open, and if the problem persists I'll post new logs here, hopefully later today. If the problem is fixed, I'll post to let you know it has been solved.

Can you conceive of a way for a virus to carry over to a newly reformatted system? Or should a clean sweep take care of it? Because it seems as though the last time I reformatted, the problem simply persisted. Talk to you soon.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2009-05-09T02:28:19+00:00

Provided you do a clean install and not a repair, the problem should be gone after :).

reyjr80 0 Unverified User · Answer 12 · 2009-05-09T02:32:41+00:00

Crunchie,
I reformatted this time and it worked. My issue with the reformatting was that when I was choosing a partition to install to. I was choosing the same partition without deleting the partition first, and then reformatting it to NTFS. I was simply reinstalling windows over the same formatted partition, thus, allowing corrupt files to carry over.

I really appreciate your help with my issues. Perhaps next time, it will be a more easily solvable problem. Good luck to you in the future.

Rey

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 13 · 2009-05-09T02:43:15+00:00

crunchie 990 Most Valuable Poster

15 Years Ago

No worries :).