Topic: Malware removal

  1. #1
    Beginner
    Registered since
    18.04.2006
    Posts
    3

    Malware removal

    Hi there,

    I've installed and analysed my HiJackThis! log file and I DO have an infection which has installed itself as a service onto my machine. Any ideas on how I go about removing this service?

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:56:42 AM, on 18/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\acer\Acer eConsole\MediaServerService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
    C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HiJackThis\HijackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\acer\Acer eConsole\MediaServerService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: JVFCP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe
    Last edited by Cage (18.04.2006 at 02:23)

  2. #2
    Supermod (retired), avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: Malware removal

    Welcome to HijackThis.de @ Cage

    Please download the windatfind.bat by Karl83. Double-click this file; you will then see a DOS window. A new report file will be created under C:\
    Please copy and paste the last 30 days of this file to your thread.

    C:\
    C:\%WinDir%\%System%
    C:\%WinDir%
    C:\%WinDir%\TEMP

    Note:
    %WinDir%, %System% are variables (?). By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. #3
    Beginner
    Registered since
    18.04.2006
    Posts
    3

    Re: Malware removal

    Thanks, I apologise for the delay in my reply.
    Code:
     Volume in drive C is ACER
     Volume Serial Number is 320D-180E
    
     Directory of C:\
    
    27/04/2006  08:22 AM                 0 dirdat.txt
    27/04/2006  08:22 AM                22 windatfind.zip
    27/04/2006  08:20 AM       234,278,912 hiberfil.sys
    27/04/2006  08:20 AM       301,989,888 pagefile.sys
    19/04/2006  03:52 PM            13,030 PDOXUSRS.NET
    19/04/2006  03:50 PM               533 APD.TRC
    19/04/2006  03:50 PM             7,783 APD.LOG
    18/04/2006  12:23 PM               135 RootkitReveal.txt
    18/04/2006  11:08 AM         1,280,000 MBSASetup-EN.msi
    18/04/2006  10:56 AM             4,237 hijackthis.log
    24/03/2006  10:17 AM           386,858 cpu-z-132.zip
    23/03/2006  08:00 AM        12,241,103 AVG7QT.DAT
    22/03/2006  02:43 PM        21,343,795 audio.zip
    22/03/2006  02:39 PM        11,539,293 Chipset.zip
    16/03/2006  07:58 AM               211 boot.ini
    06/03/2006  11:39 PM               582 windatfind.bat
    03/03/2006  05:52 PM           902,873 cpuz.exe
    03/03/2006  03:10 PM             6,901 cpuz-readme.txt
    03/03/2006  03:09 PM               146 cpuz.ini
    02/11/2005  01:38 AM                 6 ISACER.ID
    18/06/2005  09:33 AM                76 PRELOAD.AAA
    18/06/2005  07:43 AM                50 AUTOEXEC.BAT
    18/06/2005  07:32 AM                 0 MSDOS.SYS
    18/06/2005  07:32 AM                 0 IO.SYS
    18/06/2005  07:32 AM                 0 CONFIG.SYS
    18/06/2005  07:08 AM               512 BOOTSECT.DOS
    25/03/2005  05:08 PM            49,152 latency.exe
    04/08/2004  05:00 AM            47,564 NTDETECT.COM
    04/08/2004  05:00 AM           250,032 ntldr
                  29 File(s)    584,343,694 bytes
                   0 Dir(s)  33,786,462,208 bytes free
    
     Volume in drive C is ACER
     Volume Serial Number is 320D-180E
    
     Directory of C:\WINDOWS\system32
    
    27/04/2006  08:21 AM               736 eRLog.ini
    27/04/2006  08:20 AM             1,158 wpa.dbl
    07/04/2006  05:48 AM         5,143,456 MRT.exe
    30/03/2006  07:16 PM         1,492,480 shdocvw.dll
    30/03/2006  11:00 AM            16,384 xpsp3res.dll
    24/03/2006  06:32 AM         3,053,568 mshtml.dll
    23/03/2006  06:02 AM            53,640 perfc009.dat
    23/03/2006  06:02 AM           382,022 perfh009.dat
    23/03/2006  06:02 AM           441,142 PerfStringBackup.INI
    23/03/2006  04:57 AM                75 LuResult.txt
    23/03/2006  04:19 AM           103,418 Autorun.ini
    22/03/2006  03:18 PM           176,264 FNTCACHE.DAT
    18/03/2006  09:09 PM           613,376 urlmon.dll
    
    Volume in drive C is ACER
     Volume Serial Number is 320D-180E
    
     Directory of C:\WINDOWS
    
    27/04/2006  08:20 AM                 0 0.log
    27/04/2006  08:20 AM             3,630 ModemLog_Lucent Win Modem.txt
    27/04/2006  08:20 AM             2,048 bootstat.dat
    19/04/2006  03:53 PM            11,970 SchedLgU.Txt
    19/04/2006  03:53 PM           688,659 WindowsUpdate.log
    19/04/2006  11:53 AM               254 hpbafd.ini
    18/04/2006  04:25 PM           991,941 setupapi.log
    18/04/2006  10:06 AM            16,769 KB911562.log
    18/04/2006  10:06 AM           123,941 comsetup.log
    18/04/2006  10:06 AM            52,998 iis6.log
    18/04/2006  10:06 AM           358,674 FaxSetup.log
    18/04/2006  10:06 AM           137,424 tsoc.log
    18/04/2006  10:06 AM            74,342 ntdtcsetup.log
    18/04/2006  10:06 AM             1,374 imsins.log
    18/04/2006  10:06 AM            17,507 msgsocm.log
    18/04/2006  10:06 AM            19,629 ocmsn.log
    18/04/2006  10:06 AM           178,862 ocgen.log
    18/04/2006  10:06 AM            27,408 updspapi.log
    18/04/2006  10:06 AM             1,374 imsins.BAK
    18/04/2006  10:06 AM            19,005 KB912812.log
    18/04/2006  10:06 AM            11,526 KB908531.log
    18/04/2006  10:06 AM            10,736 KB911567.log
    24/03/2006  06:05 PM               905 wiadebug.log
    
     Volume in drive C is ACER
     Volume Serial Number is 320D-180E
    
     Directory of C:\DOCUME~1\ACER\LOCALS~1\Temp
    
    27/04/2006  08:20 AM                 0 JETB45B.tmp
    27/04/2006  08:20 AM             6,760 jusched.log
    19/04/2006  07:51 AM                 0 INMEM000.REM
    31/03/2006  09:38 AM             1,223 logfile.txt
    31/03/2006  09:33 AM             2,729 CdMkr70.ini
    23/03/2006  07:54 AM            32,768 RMS7.tmp
    23/03/2006  07:54 AM            32,768 RMS6.tmp
    23/03/2006  07:50 AM           158,974 avg7inst.log
    23/03/2006  07:28 AM            13,318 netfxupdate.log
    23/03/2006  07:27 AM            17,060 netfxsl.log
    I ran RootkitRevealer as well and it turned up a data mismatch between the Windows API and raw hive data. Should I just reformat and reinstall? I don't know if the infection came with the computer or not; this machine is only a month or two old and did not come with a true WinXP disk, but rather it forced me to burn a recovery disk upon first boot.
    Last edited by Cage (26.04.2006 at 23:34)
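    Ruby's request in post #2 (the last 30 days of the windatfind.bat report) and the raw `dir` output in post #3 are what the following script is about. It is an added example, not part of the thread and not Karl83's windatfind.bat: it parses the listing format shown above (DD/MM/YYYY dates with a 12-hour clock, as printed on that machine) and keeps only entries modified within 30 days of the newest timestamp, so a helper sees the recent files without the full dump. The embedded sample is a subset of lines copied from post #3.

```python
"""Filter a windatfind-style ``dir`` listing down to recently changed files.

Added example; not part of the thread or of the windatfind.bat script itself.
It assumes the DD/MM/YYYY, 12-hour clock format seen in post #3.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the listing in post #3.
SAMPLE_LISTING = r"""
 Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\

27/04/2006  08:22 AM                 0 dirdat.txt
27/04/2006  08:20 AM       234,278,912 hiberfil.sys
18/04/2006  10:56 AM             4,237 hijackthis.log
16/03/2006  07:58 AM               211 boot.ini
03/03/2006  05:52 PM           902,873 cpuz.exe
25/03/2005  05:08 PM            49,152 latency.exe
              29 File(s)    584,343,694 bytes
               0 Dir(s)  33,786,462,208 bytes free

 Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\DOCUME~1\ACER\LOCALS~1\Temp

27/04/2006  08:20 AM                 0 JETB45B.tmp
23/03/2006  07:50 AM           158,974 avg7inst.log
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_listing(text):
    """Return a dict (directory, name, size, mtime) for every file line."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY.match(line)
        if not m or current_dir is None:
            continue  # volume banner, totals, blank lines
        date, clock, size, name = m.groups()
        entries.append({
            "directory": current_dir,
            "name": name,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "mtime": datetime.strptime(f"{date} {clock}", "%d/%m/%Y %I:%M %p"),
        })
    return entries


def recent_entries(text, reference=None, days=30):
    """Keep entries modified within ``days`` of ``reference``.

    ``reference`` defaults to the newest timestamp in the listing, which is
    roughly when the scan ran, so the function works on a bare listing.
    """
    entries = parse_listing(text)
    if not entries:
        return []
    if reference is None:
        reference = max(e["mtime"] for e in entries)
    cutoff = reference - timedelta(days=days)
    return [e for e in entries if e["mtime"] >= cutoff]


def format_report(entries):
    """Render the filtered entries as dir-like lines, grouped by directory."""
    lines = []
    last_dir = None
    for e in sorted(entries, key=lambda e: (e["directory"], -e["mtime"].timestamp())):
        if e["directory"] != last_dir:
            lines.append(f" Directory of {e['directory']}")
            last_dir = e["directory"]
        size = "<DIR>" if e["size"] is None else f"{e['size']:,}"
        lines.append(f"{e['mtime']:%d/%m/%Y  %I:%M %p} {size:>18} {e['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(recent_entries(SAMPLE_LISTING)))
```

    Run against the full report file produced under C:\ it prints only the files from the last 30 days, which is exactly the part a helper wants to see; older installer leftovers such as cpuz.exe and latency.exe drop out of the view.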

  4. #4
    Supermod (retired), avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: Malware removal

    Hello Cage

    Don't know which infection you have at the moment.

    You have some new malware on your system.
    We need to know all about new malware to be able to help you.
    That is why we ask you to scan some files online,
    to put them through to our colleagues who will analyse them
    and send them to the antivirus vendors to add their signatures.
    So, in future your and others' systems will be protected from this malware.

    Make sure you set windows to see the hidden files and folders.

    STEP 1
    Please load this file/these files

    C:\cpuz.exe
    C:\latency.exe

    -> up to ST-Adware-Upload
    -> up to http://siri.urz.free.fr/upload/

    If you need a zip-tool we suggest zipgenius (It is free).

    STEP 2
    Please mail this file/these files as a password protected zipfile to both these Mail Addresses:
    Virus(at)protecus.de and vms(at)drweb.com (replace the (at) with @):

    C:\cpuz.exe
    C:\latency.exe

    You may want to use the password virus.
    Please add this password to your mail.
    Let us know all about the results, which you will get in a reply by e-mail.

    STEP 3
    Please scan this file/these files with HJT and Virustotal and/or Jotti

    C:\cpuz.exe
    C:\latency.exe

    You will want to let us know all about the results of the scans by copy &amp; paste (look for an example).

    STEP 4
    Let's have a look if you have Win32.Polipos on your system.

    Please read the instructions and save them as a txt file or print them out, so that you can also read them offline. If the virus Win32.Polipos is found on your system, you need to disinfect these files, because your system needs them to run. You may want to delete all worms and trojans, adware and spyware, but not the files infected with the virus Win32.Polipos.

    Please download Dr.Web CureIt!
    (Dr.Web Solutions, Free services).

    Run it, have it save a logfile and post it.

    Since you will not be able to download it, please use another secure web browser.
    Please have a look here for more information.

  5. #5
    Beginner
    Registered since
    18.04.2006
    Posts
    3

    Re: Malware removal

    Hi,

    cpuz.exe and latency.exe were unzipped by me into C:\ when checking the motherboard and RAM and are not the source of the infection as far as I am aware. cpuz.exe and latency.exe are both part of the CPU-Z program found at http://www.cpuid.com/cpuz.php

  6. #6
    Supermod (retired), avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: Malware removal

    Hello Cage

    You told us that you "DO have an infection which has installed itself as a service onto my machine". How do you know about it? Which kind of infection? Please give me some more details. How does it show up? What is happening? I need to know more about it. Did any antivirus discover it? What did you do? Where does this infection come from?

    Please run HijackThis > Misc tools > put a checkmark on both items > let us see a full Startuplist.

    I am waiting for your answers.
    Thank you.

  7. #7
    Unregistered
    Guest

    Re: Malware removal

    I reasoned that I had malware/a rootkit installed, as I was receiving bounced emails that I had apparently sent to spamming hosts. I investigated the matter, running first Ad-Aware, then Spybot S&D, which both returned negative.

    Next, I tried running HiJackThis!, which showed a service that I do not recognise; it appears at the bottom of my log file.
    Code:
    O23 - Service: JVFCP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe
    Finding this, I posted on this board with the copy of the hijackthis log file. In an attempt to resolve this issue on my own, I conducted a registry search and deleted any reference to JVFCP that I could and rebooted which resulted in the service disappearing.

    After performing this, I checked my forum thread and ran the windatfind program you suggested, posting the results. In hindsight I should have waited for you to reply.

    To double-check that the spambot was really gone, I ran a scan with RootkitRevealer from Sysinternals, which revealed a data mismatch in a registry key; according to their website, any occurrences would indicate a rootkit.
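    The guest's reasoning above, and the O23 line quoted in this post, come down to one question: when is a service entry in a HijackThis log worth a closer look? The script below is an added example, not part of the thread and not HijackThis's own logic; the location rules and severities are its own assumptions. It parses O23 lines (sample copied from the log in post #1) and flags services whose binary runs from a temporary directory or a user profile. The vendor column is only what the file reports about itself, so "Sysinternals" next to a %Temp% path is a reason to look closer, not a reason to trust the file.

```python
"""Triage HijackThis O23 (service) lines by where the service binary lives.

Added example; not part of the thread and not HijackThis's own logic.
The location list and severities are this example's assumptions.
"""
import re

# Constructed sample: O23 lines copied from the HijackThis log in post #1.
SAMPLE_O23 = r"""
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\acer\Acer eConsole\MediaServerService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: JVFCP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe
"""

# The name is the first " - " separated field; the path must start with a drive
# letter, which lets the vendor field keep any " - " of its own (JVFCP line).
O23_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<company>.+) - (?P<path>[A-Za-z]:\\.+?)\s*$"
)

# (substring of the lower-cased path, severity, reason). 8.3 short names such as
# DOCUME~1 and LOCALS~1 appear in these logs, so both spellings are listed.
LOCATION_RULES = (
    ("\\temp\\", "high", "service binary runs from a temporary directory"),
    ("\\tmp\\", "high", "service binary runs from a temporary directory"),
    ("\\docume~1\\", "high", "service binary lives under a user profile"),
    ("\\documents and settings\\", "high", "service binary lives under a user profile"),
    ("\\recycler\\", "high", "service binary runs from the Recycle Bin"),
)


def parse_o23(text):
    """Return a dict (name, company, path) per O23 line; other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = O23_LINE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def triage_service(svc):
    """Return a list of (severity, reason) for one parsed service.

    Only the install location is judged; the vendor string is self-reported
    by the file and therefore never counts in its favour.
    """
    path = svc["path"].lower()
    findings = []
    for needle, severity, reason in LOCATION_RULES:
        if needle in path and (severity, reason) not in findings:
            findings.append((severity, reason))
    if svc["company"].strip().lower() == "unknown owner":
        findings.append(("info", "file carries no vendor information"))
    return findings


def high_risk(text):
    """Names of services with at least one high-severity finding."""
    return [
        svc["name"]
        for svc in parse_o23(text)
        if any(sev == "high" for sev, _ in triage_service(svc))
    ]


def report(text):
    """Human-readable summary, one line per service."""
    lines = []
    for svc in parse_o23(text):
        findings = triage_service(svc)
        tag = "CHECK" if any(sev == "high" for sev, _ in findings) else "ok"
        why = "; ".join(reason for _, reason in findings) or "standard location"
        lines.append(f"[{tag:5}] {svc['name']} -> {svc['path']} ({why})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_O23))
```

    On the sample only JVFCP is marked CHECK; ATI Smart gets an informational note for its "Unknown owner" vendor field but is not flagged, which matches how the helpers in this thread treated it. A hit from this script is a prompt to collect the file and the logs the moderator asked for, not a verdict on its own.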

  8. #8
    Supermod (retired), avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: Malware removal

    Ok Guest,

    Now I have been informed in words. What do you think about showing us all these logfiles? And at which time do you plan to run Dr.Web CureIt!? May we please see all these logfiles you have got?

    C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe

    You can clean up this folder "Temp" using any of these Cleaning Tools.

    I am waiting to see your logs.
