IObit Forum

hijack scan please


J Warrior


Hello, I got a bug about three months back from using LimeWire and since then have rebooted and reformatted. After several attempts to clean my system with everything from AVG to IObit, the same virus keeps coming in through a back door port and installing itself again. I figured out how to keep it from installing its icons: I just turned off System Restore. I ran scans before connecting to the web and everything looks clean. Within two minutes all kinds of malware is running and installing. I've put in two scans, one just after a fresh format and reboot and one after the backdoor intrusion. I'm just about ready to get a new comp and burn that one to the ground. Sorry about being long-winded. Here are my scans. I'm a novice but I'm willing to learn. Thanks in advance.

 

Logfile of IObit HijackScan v0.2.0.0
Scan saved at 16:39:4, on 2010-5-23

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [VTTimer] VTTimer.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [LTMSG] LTMSG.exe 7
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.4.2_03 - http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}Java Plug-in 1.4.2_03 - http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe


Logfile of IObit HijackScan v1.0.0.0
Scan saved at 20:41:46, on 2010-5-30

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [RecordNow!]
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [VTTimer] VTTimer.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [LTMSG] LTMSG.exe 7
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\: [vph1] C:\WINDOWS\TEMP\rr6n.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.4.2_03 - http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}Java Plug-in 1.4.2_03 - http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

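The second log above contains one autorun entry that does not match the HP, Symantec, AVG and IObit entries around it: a value under the Policies\Explorer\Run key pointing at C:\WINDOWS\TEMP\rr6n.exe. As an added example (not part of the original post or of IObit's tool), here is a small Python script that pulls the O4 lines out of a HijackThis-style log and applies the checks an analyst does by eye: a temp-directory path, a short random-looking file name, the rarely used Policies\Explorer\Run key, and bare file names that are resolved by PATH search order. SAMPLE_LOG is a constructed excerpt copied from the second log; the heuristics and severities are this script's own.

```python
"""Triage the O4 (autorun) lines of a HijackThis-style log.

Added example, not part of the forum thread or of IObit's tool. SAMPLE_LOG
is a constructed excerpt copied from the thread's second HijackScan log.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [VTTimer] VTTimer.exe
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\: [vph1] C:\WINDOWS\TEMP\rr6n.exe
O4 - HKCU|\Software\Microsoft\Windows\CurrentVersion\Run\: [RecordNow!]
"""

# "O4 - HKLM|\Software\...\Run\: [value name] command"; the "|" only appears
# in the newer HijackScan output, so it is optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\|?\\(?P<key>.+?)\\?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# First executable path in the command, quoted or not, arguments ignored.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|scr|com|dll|bat|cmd|pif))"?', re.I)
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "%temp%", "\\local settings\\temp")
SHORT_NAME_RE = re.compile(r"^[a-z0-9]{1,6}$")
BARE_NAME = "bare file name, resolved by PATH search order: verify the real location"


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, value name, command, exe path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        pm = EXE_RE.match(cmd)
        entries.append({
            "hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "cmd": cmd,
            "path": pm.group("path") if pm else cmd,
        })
    return entries


def reasons_for(entry):
    """Heuristic reasons an analyst would look at this entry first (may be empty)."""
    path = entry["path"]
    if not path:                      # empty value: nothing is launched
        return []
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "policies\\explorer\\run" in entry["key"].lower():
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
    if any(t in low for t in TEMP_DIRS):
        reasons.append("executable lives in a temp directory")
    if SHORT_NAME_RE.match(stem) and any(c.isdigit() for c in stem):
        reasons.append("short random-looking file name")
    if "\\" not in path:
        reasons.append(BARE_NAME)
    return reasons


def triage(log_text):
    """Flagged O4 entries: 'high' for malware-like traits, 'low' for verify-only."""
    findings = []
    for e in parse_o4(log_text):
        reasons = reasons_for(e)
        if not reasons:
            continue
        severity = "low" if reasons == [BARE_NAME] else "high"
        findings.append({**e, "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['name']:<20} {f['path']}")
        for r in f["reasons"]:
            print("        -", r)
```

Run against the excerpt it reports only vph1 as high (all three malware-like traits) and VTTimer as low; the HP and VIA entries that are launched by bare name are legitimate on this machine, which is why they only get a "verify" rating rather than being flagged.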

Hi there J Warrior, and welcome :smile:

 

Yikes. Looking at those logs, you have a very old version of AVG (you have version 7, while version 9 is out now). You also have Norton running, which should be removed. You have other outdated stuff running that is a magnet for infections, as well.

 

Hijack isn't even showing which version of Windows you have running (*sigh*). We'll need that, with the Service Pack installed, please.

 

If you are getting infected after formats, that possibly means you have a file infector onboard, loaded from infected backups, again and again. We need more info though, before jumping to conclusions.

 

Just wait for a Mod or Malware fighter to give you more instructions.

 

Best of luck.

 

===


Running Windows XP Service Pack 3. Got rid of Norton as requested. Upgraded to IObit 360 Pro and updated. The updated version found a few more threats but still hasn't found the original bug. The malware I commonly find running is opeia.exe, peresvs.exe, and executable files with numbers like 3578.exe. I got rid of AVG altogether, and I believe it was corrupted and not working anyway. I disabled System Restore several reboots ago and it always comes back.

 

By the way, thanks for the quick response. I had some issues logging in earlier, so I just managed to get back into the forum. Thanks for your help.

J


Hi there J Warrior,

 

I was worried there. Nice to see you back ;-)

 

Those detections could be bad news indeed, meaning more than just a simple infection.

 

I've got something for you to check out before other tools are thrown at the machine :

 

Please go to this link :

http://www.virustotal.com/

 

Click on the "Browse..." button, then locate this file :

 

C:\Windows\System32\winlogon.exe

 

> Double-click the file to select it, then click on the big blue "Send File" button. If the server is busy, you'll be informed that you are in the queue; that's fine, just wait it out.

 

> Once the analysis begins, you'll be told that the file has already been analysed; please click for a new analysis instead of viewing results from the previous analysis.

 

> Once the analysis is done, please bookmark the link

 

====

 

Repeat the above steps and have these files analysed also :

 

C:\Windows\System32\userinit.exe

 

C:\Windows\System32\opeia.exe

 

C:\Windows\Explorer.exe

 

===

 

Bookmark results for every scan page, then post those URLs here in your reply, one after the other.

 

We'll have a clearer picture once we view those. If it is indeed a file infector like Virut, then we'll look into how you reinstalled everything after those formats and find a safe way to do it again, with success.

 

See you back here soon I hope.

 

===

===

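The post above asks for winlogon.exe, userinit.exe, explorer.exe and the unknown opeia.exe to be uploaded to VirusTotal because an appending file infector such as Virut patches the system's own executables instead of just dropping new ones. As an added example (not from the post and not VirusTotal's procedure), the Python below does the two things a practitioner would do before uploading: it computes the SHA-256 so the file can be looked up by hash rather than uploaded (the /gui/file/<sha256> URL is the current VirusTotal web interface, an assumption here), and it reads the PE headers for the traces an appending infector leaves: the entry point moved into the last section, or into a section that is both writable and executable. Packed executables trigger the same heuristic, so a hit means "send this one first", not "infected". The two PE images are constructed in memory by build_pe() and are not real system files; the multi-engine verdict still has to come from VirusTotal.

```python
"""Hash a suspect file and run an appending-file-infector heuristic over its PE headers.

Added example, not from the forum post or from VirusTotal. CLEAN_SAMPLE and
PATCHED_SAMPLE are minimal PE32 images constructed by build_pe(), not real files.
"""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_SECTION_NAMES = {".text", "code", ".code", "text"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def virustotal_url(sha256):
    # Lookup-by-hash URL of the VirusTotal web interface (assumed format).
    return "https://www.virustotal.com/gui/file/" + sha256


def parse_pe(data):
    """Minimal PE parser: AddressOfEntryPoint plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint RVA
    sections = []
    for i in range(nsec):                                     # 40-byte section headers
        name, vsize, vaddr, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rawsize), "chars": chars})
    return {"entry": entry, "sections": sections}


def infector_indicators(pe):
    """Layout traits typical of an appending file infector (empty list = nothing odd)."""
    secs = pe["sections"]
    owner = next((i for i, s in enumerate(secs)
                  if s["vaddr"] <= pe["entry"] < s["vaddr"] + s["size"]), None)
    if owner is None:
        return ["entry point outside every section"]
    s, hits = secs[owner], []
    if len(secs) > 1 and owner == len(secs) - 1:
        hits.append(f"entry point in the last section ({s['name']})")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append(f"entry section {s['name']} is writable and executable")
    if s["name"].lower() not in CODE_SECTION_NAMES:
        hits.append(f"entry point not in a code section ({s['name']})")
    return hits


def report(data):
    digest = sha256_hex(data)
    return {"sha256": digest, "vt_url": virustotal_url(digest),
            "indicators": infector_indicators(parse_pe(data))}


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry):
    """Construct a minimal PE32 image from (name, characteristics, body) tuples.

    Enough for the parser above; not loadable by Windows."""
    opt_size, file_align, sect_align = 224, 0x200, 0x1000
    hdr_len = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry)).ljust(opt_size, b"\0")
    hdrs, bodies, raw_ptr, vaddr = b"", b"", hdr_len, sect_align
    for name, chars, body in sections:
        raw_size = _align(len(body), file_align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), vaddr, raw_size,
                            raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr, vaddr = raw_ptr + raw_size, vaddr + _align(max(len(body), 1), sect_align)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_len, b"\0") + bodies


# Constructed samples: a normal layout, and the same file after an appending
# infector grew the last section, made it RWX and pointed the entry point there.
CODE = b"\x33\xc0\xc3"                                              # xor eax,eax ; ret
CLEAN_SAMPLE = build_pe([(".text", 0x60000020, CODE), (".data", 0xC0000040, b"hello")], entry=0x1000)
PATCHED_SAMPLE = build_pe([(".text", 0x60000020, CODE),
                           (".data", 0xE0000040, b"hello" + b"\x90" * 32)], entry=0x2005)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("patched", PATCHED_SAMPLE)):
        r = report(blob)
        print(label, r["sha256"][:16], r["vt_url"])
        print("   ", r["indicators"] or "no infector indicators")
```

Point report() at the bytes of the four files the post lists; a clean Windows binary yields an empty indicator list and a hash you can look up without the two-hour upload the original poster ran into. If the hash is unknown to VirusTotal and the indicators fire, that file is the one to upload from a clean machine.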

uhhhhhh!

 

I tried VirusTotal.com and the initial winlogon check froze up my computer for about two hours. While waiting, the malware installed something called 99.exe, and then I could not even visit the virustotal.com website; it kept sending me to the Bing search page and still couldn't open the site.

 

I give up. I'm reformatting again, and if I don't find something that can fix it I'm trashing the system and getting a newer one. Thanks for your time and your help. I learned that some viruses are unbeatable. Do you recommend any firewalls or security programs?

"Limewire sucks"

J Warrior


LimeWire is a system trasher, more or less. Not just that one; any P2P program (or torrent-type) that lets you download "direct" from other machines. Evil is everywhere, on the Net.

 

I can't be sure you have a file infector without confirmation from an analysis, but it sure does look like it. If it is Virut, there is no effective way to beat it via forums. If you have WinRAR or 7-Zip on the machine, you could zip up one of those files, with password protection, and then let me have it for analysis (put it up on a free file hoster).

 

About the format... you have to be careful, meaning if you have backed up infected files and reinstall them, the virus will jump right back, fast and furious.

 

Here are the files you may not back up, with a file infector present :

 

- .exe

- .scr

- .zip /.rar (they may contain infected executables or programs)

- .php / .htm / .html (Virut uses iFrame exploits to spread)

- any program

 

Furthermore: extra disks or partitions may be infected as well; if those contain programs, executable files or web pages, they need to be scrubbed as well.

 

If you don't allow infected backups onto the machine, then the format will succeed. Make sure you install a good antivirus as soon as the system is reinstalled (Avira Free or Microsoft Security Essentials are two good ones).

 

If you have any questions, just shoot..

 

===

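The post above lists the file types that must not come back from a backup while a file infector is around. As an added example (not from the post), the Python below walks a backup tree and sorts every file into "skip", "review" or "ok" using that list, plus two checks the list implies but does not spell out: a file is treated as a program if it starts with an MZ header whatever its extension (renamed executables are a common way infected files slip back in), and .zip archives are opened read-only to see whether they carry executables (.rar and .7z are skipped outright, as the post says, since they cannot be inspected without extra tooling). Web pages are checked for the hidden iframe the post mentions. The backup directory is constructed by build_fixture(); the contents and the example.invalid URL are made up for the demonstration.

```python
"""Sort a backup tree into skip / review / ok after a file-infector compromise.

Added example, not from the forum post. build_fixture() creates a constructed
backup directory with one file of each interesting kind.
"""
import os
import re
import tempfile
import zipfile

PROGRAM_EXT = {".exe", ".scr", ".com", ".dll", ".pif", ".bat", ".cmd", ".msi"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
WEB_EXT = {".php", ".htm", ".html"}
# A 0/1-pixel or invisible iframe: the classic injected-iframe pattern.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I | re.S)


def classify(path):
    """Return (verdict, reason): 'skip' (do not restore), 'review', or 'ok'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == b"MZ":                       # executable by header, whatever the name
        return "skip", "Windows executable by MZ header (extension %s)" % (ext or "none")
    if ext in PROGRAM_EXT:
        return "skip", "program file extension"
    if ext in ARCHIVE_EXT:
        if ext != ".zip":
            return "skip", "archive that cannot be inspected here"
        try:
            with zipfile.ZipFile(path) as zf:    # names only, nothing is extracted
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "skip", "unreadable zip archive"
        bad = [m for m in members if os.path.splitext(m)[1].lower() in PROGRAM_EXT]
        if bad:
            return "skip", "zip contains executables: " + ", ".join(bad)
        return "review", "archive without executables, inspect contents before restoring"
    if ext in WEB_EXT:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", "replace")
        if HIDDEN_IFRAME_RE.search(text):
            return "skip", "hidden iframe injected into web page"
        if re.search(r"<iframe\b", text, re.I):
            return "review", "web page contains an iframe"
    return "ok", "data file"


def scan_backup(root):
    """Map each file under root (relative path, '/'-separated) to its (verdict, reason)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return results


def build_fixture():
    """Constructed backup directory: data files, a renamed exe, zips and web pages."""
    root = tempfile.mkdtemp(prefix="backup_")
    files = {
        "notes.txt": b"shopping list",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,        # real JPEG header
        "holiday.jpg": b"MZ\x90\x00" + b"\0" * 16,            # executable renamed to .jpg
        "program.exe": b"MZ" + b"\0" * 30,
        "clean.html": b"<html><body><p>Recipes</p></body></html>",
        "page.html": (b'<html><body>Recipes<iframe src="http://example.invalid/x.php" '
                      b'width="1" height="1" style="visibility:hidden"></iframe></body></html>'),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("setup.exe", "MZ fake")
    with zipfile.ZipFile(os.path.join(root, "docs.zip"), "w") as zf:
        zf.writestr("thesis.doc", "text")
    return root


if __name__ == "__main__":
    for rel, (verdict, reason) in sorted(scan_backup(build_fixture()).items()):
        print(f"{verdict:<6} {rel:<14} {reason}")
```

Run it with scan_backup() pointed at the real backup drive before anything is copied to the freshly formatted machine; only the "ok" files are copied, "review" items are opened on a clean machine first, and "skip" items are re-downloaded or reinstalled from original media, which is the condition the post gives for the format to succeed.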

This topic is now archived and is closed to further replies.