12-13-2010, 10:18 PM
#1 | OMGWTFBBQ is a common word I say everyday
Help: Trojan-Dropper.win32.docb
Sigh... Somehow I got infected with this trojan and it's causing a lot of problems on my computer. Here is the Hijackthis log below. It seems it has infected Kaspersky itself. Is there any chance of removing this trojan without formatting?
I've "fixed" a few items already. The ones below I'm not too sure what to do with.
Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:26 PM, on 12/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Kenjai\Application Data\xssend2\svcnost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Kenjai\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [{4BF8A933-24A6-82F5-0DE2-5C86FA452DC5}] "C:\Documents and Settings\Kenjai\Application Data\Payp\ciwiy.exe"
O4 - HKCU\..\Run: [mssend] "C:\Documents and Settings\Kenjai\Application Data\xssend2\svcnost.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avp - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 5878 bytes
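As an added example (not code from this thread), a small Python triage script that applies the checks a responder would otherwise make by eye on a HijackThis log like the one above: the F2 UserInit value (anything after the commas runs at every logon), O4 Run entries that launch from the user profile or are named with a bare GUID, running processes whose names are one character away from a core Windows binary (svcnost.exe next to svchost.exe), and O23 services with no publisher string. The embedded log is a constructed subset of the log posted above, with the paths as posted; the list of "known" system binaries, the user-writable directory list and the C:\WINDOWS system root are assumptions.

```python
import ntpath
import re

# Constructed sample: a subset of the HijackThis log posted in this thread,
# trimmed to the lines the checks below look at.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Documents and Settings\Kenjai\Application Data\xssend2\svcnost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [{4BF8A933-24A6-82F5-0DE2-5C86FA452DC5}] "C:\Documents and Settings\Kenjai\Application Data\Payp\ciwiy.exe"
O4 - HKCU\..\Run: [mssend] "C:\Documents and Settings\Kenjai\Application Data\xssend2\svcnost.exe"
O23 - Service: avp - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumed list of core binaries an XP box always runs; extend for your own baseline.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "alg.exe",
    "userinit.exe", "rundll32.exe", "wmiprvse.exe",
}
SYSTEM_ROOT = "c:\\windows"  # assumption: default XP install drive
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.I)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line):
    """First Windows executable path in a HijackThis line, quoted or bare."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def check_userinit(line):
    """UserInit should be exactly userinit.exe; every extra comma-separated
    entry is launched by winlogon at logon. Returns the extras."""
    value = line.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def check_run_keys(lines):
    """O4 autostarts that run from a user-writable directory or whose value
    name is a bare GUID (a common way to make an entry look like a component)."""
    hits = []
    for line in lines:
        if not line.startswith("O4 "):
            continue
        path = extract_path(line)
        name = re.search(r"\[(.*?)\]", line)
        in_profile = bool(path) and any(d in path.lower() for d in USER_WRITABLE)
        guid_name = bool(name) and re.fullmatch(r"\{[0-9a-f-]{36}\}", name.group(1), re.I) is not None
        if in_profile or guid_name:
            hits.append(path)
    return hits


def check_processes(lines):
    """Running processes: core binaries outside the system root, and names one
    edit away from a core binary (svcnost.exe is not svchost.exe)."""
    hits = []
    for line in lines:
        if not re.match(r"[a-z]:\\", line, re.I):
            continue
        name = ntpath.basename(line).lower()
        if name in KNOWN_SYSTEM_BINARIES:
            if not line.lower().startswith(SYSTEM_ROOT):
                hits.append((line, "system binary outside %SystemRoot%"))
        else:
            for known in KNOWN_SYSTEM_BINARIES:
                if edit_distance(name, known) == 1:
                    hits.append((line, "lookalike of " + known))
    return hits


def check_services(lines):
    """O23 services with no publisher. A lead, not a verdict: the log above
    shows Kaspersky's own avp.exe as 'Unknown owner' too."""
    return [line for line in lines if line.startswith("O23 ") and "Unknown owner" in line]


def triage(log_text):
    """Run every check and return the findings keyed by check name."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    userinit_extras = []
    for line in lines:
        if line.startswith("F2 ") and "UserInit=" in line:
            userinit_extras += check_userinit(line)
    return {
        "userinit_extras": userinit_extras,
        "run_keys": check_run_keys(lines),
        "processes": check_processes(lines),
        "services": check_services(lines),
    }


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

Run it against a full log saved from HijackThis instead of SAMPLE_LOG and review each finding by hand; the script only orders the log by suspicion, it does not decide what to delete.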
12-14-2010, 07:02 AM
#2 | I *heart* Revscene.net very Muchie
scan it in safe mode
12-14-2010, 10:59 AM
#3 | The RS Freebie guru
Boot up in safe mode and remove these with Hijackthis:
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O4 - HKCU\..\Run: [{4BF8A933-24A6-82F5-0DE2-5C86FA452DC5}] "C:\Documents and Settings\Kenjai\Application Data\Payp\ciwiy.exe"
O4 - HKCU\..\Run: [mssend] "C:\Documents and Settings\Kenjai\Application Data\xssend2\svcnost.exe"
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
Delete the files as well.
But you might be pretty much screwed.
If this is a similar strain to the virus that I dealt with a couple of months ago that dropped the watermark.exe file, it infects all or most of the .exe, .dll and .html files on your system... so even if you get rid of the stuff above, once you run one of the infected files, they'll all come back.
It's a nasty mofo.
If you have any .html or .htm files on your system, open one up with Notepad and see if there's some strange code in there.
If there is... I would personally recommend to reinstall the system. Seriously.
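The "open an .html file and look for strange code" check above, as an added example rather than code from this thread: a Python scanner for .htm/.html files that looks for the kind of injection Ramnit-family file infectors are documented to make, a VBScript block appended after the closing </html> tag that carries a hex-encoded executable and writes it to disk with Scripting.FileSystemObject and WScript.Shell. Both sample pages are constructed for the example; the hex blob is a repeated filler string that merely starts with the "MZ" bytes, not a real binary, and the dropper token list and the 200-hex-character threshold are assumptions.

```python
import os
import re

# Constructed clean page: ordinary JavaScript inside <head>, nothing after </html>.
CLEAN_PAGE = """<html><head><title>Album</title>
<script type="text/javascript">document.title = 'Album (' + new Date().getFullYear() + ')';</script>
</head><body><p>Holiday photos.</p></body></html>
"""

# Constructed stand-in for a hex-encoded executable: 256 hex characters that
# start with the "MZ" bytes but are otherwise repeated filler, not a real PE.
FAKE_PE_HEX = "4D5A90000300000004000000FFFF0000" * 8

# The same page with a Ramnit-style block appended after </html>. Only the
# identifying pieces are reproduced; this is not a working dropper.
INFECTED_PAGE = CLEAN_PAGE + f"""<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "{FAKE_PE_HEX}"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSHshell = CreateObject("WScript.Shell")
' rest of the dropper deliberately omitted from this constructed sample
--></SCRIPT>
"""

# COM objects a script needs to write a file and start it. Assumed list,
# modelled on publicly documented Ramnit HTML injection.
DROPPER_TOKENS = ("scripting.filesystemobject", "adodb.stream",
                  "wscript.shell", "shell.application")
MIN_HEX_RUN = 200  # hex characters; assumption, far below any real PE size

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)
VBS_RE = re.compile(r'(?:language|type)\s*=\s*"?(?:text/)?vbscript', re.I)
HEX_RE = re.compile(r'"([0-9a-f]{%d,})"' % MIN_HEX_RUN)


def find_scripts(html):
    """Every <script>...</script> block, case-insensitive, across lines."""
    return [m.group(0) for m in SCRIPT_RE.finditer(html)]


def script_after_closing_html(html):
    """A script block after </html> is the footprint of an appending infector:
    browsers still execute it, and the page renders normally."""
    low = html.lower()
    idx = low.rfind("</html>")
    return idx != -1 and "<script" in low[idx:]


def scan_html(html):
    """Return human-readable findings for one page; empty list means nothing odd."""
    findings = []
    if script_after_closing_html(html):
        findings.append("script block appended after </html>")
    for block in find_scripts(html):
        low = block.lower()
        if VBS_RE.search(low):
            findings.append("VBScript block")
        blob = HEX_RE.search(low)
        if blob:
            kind = ("beginning with MZ (PE header)" if blob.group(1).startswith("4d5a")
                    else "of unknown type")
            findings.append(f"{len(blob.group(1))}-char hex blob {kind}")
        for token in DROPPER_TOKENS:
            if token in low:
                findings.append(f"dropper primitive: {token}")
    return findings


def scan_tree(root):
    """Walk a directory (for instance the infected disk mounted read-only on a
    clean machine) and map each .htm/.html file with findings to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # lenient: bytes never fail
            except OSError:
                continue
            hits = scan_html(text)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    print("clean   :", scan_html(CLEAN_PAGE))
    print("infected:", scan_html(INFECTED_PAGE))
```

A hit on "script block appended after </html>" together with a hex blob is the signal to stop cleaning by hand: as the post above says, every infected .exe and .dll has to go too, or the HTML gets re-infected the next time one runs.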
12-14-2010, 11:11 AM
#4 | YOU CANT CUT BACK ON FUNDING! YOU WILL REGRET THIS
^ damn that's one bitch of a virus
12-15-2010, 06:34 PM
#5 | OMGWTFBBQ is a common word I say everyday
Okay, I'll try the safe mode thing first, if it doesn't work then I'll format it.
If I resort to that, is it safe to copy over some personal files like pics and videos? Obviously I'll avoid .exe and .dll files.
12-16-2010, 10:36 AM
#6 | The RS Freebie guru
Quote:
Originally Posted by [RSX-S]
Okay, I'll try the safe mode thing first, if it doesn't work then I'll format it.
If I resort to that, is it safe to copy over some personal files like pics and videos? Obviously I'll avoid .exe and .dll files.

No. The picture and video files themselves should be fine, but if this is a variant of the same virus strain as what I had (which is W32.Ramnit - you can look that up), another thing it can do is infect portable drives, which then infect any other machine they connect to.
Seriously, this thing is one bad mother.
Maybe you can burn the picture and videos to a DVD? I think that would be safer than a USB drive.
12-16-2010, 10:43 PM
#7 | OMGWTFBBQ is a common word I say everyday
Most of my pictures are still in raw form. It's going to take forever to copy them to DVDs. I was thinking of starting fresh on a new drive, but I'm worried that the anti-virus won't be powerful enough to stop the virus after I connect the infected drive to recover the pictures.
I'm curious as to how I caught this virus. I haven't downloaded much in the past couple of weeks, but I'm not the only one that uses this computer.
Everything was fine until one day Kaspersky started popping up warnings about programs that I normally trust.
12-17-2010, 10:01 AM
#8 | The RS Freebie guru
I caught a version of the Ramnit virus that was like zero-day from some Korean website... when I got it and tried researching it, there was NO information about Ramnit + watermark.exe whatsoever. My Symantec Antivirus was completely useless in stopping it, but then again, from what I read, most antivirus software is.
I used information from an old strain where it dropped a file called desktoplayer.exe instead, and I was fortunate to be able to contain it fast enough so that it didn't affect any critical system .exe and .dll files. I deleted all the infected files, and my laptop has been fine since.
If you search "Ramnit watermark.exe" on Google, the second link on MajorGeeks is what I wrote.
12-18-2010, 10:06 AM
#9 | My homepage has been set to RS
Try this before you format, it's worked wonders for me. I've fixed 3 of my co-workers' computers and my gf's laptop. Make sure you run the update before running the scan. http://www.malwarebytes.org/
12-18-2010, 06:35 PM
#10 | The RS Freebie guru
Quote:
Originally Posted by Noizz
Try this before you format, it's worked wonders for me. I've fixed 3 of my co-workers' computers and my gf's laptop. Make sure you run the update before running the scan. http://www.malwarebytes.org/

MalwareBytes is good, but it won't do shit for this one.
12-18-2010, 08:40 PM
#11 | I contribute to threads in the offtopic forum
This happened to me 2 weeks ago. I tried everything, and eventually did a system restore.
12-18-2010, 08:53 PM
#12 | I'll be good I promise.
Remove System32.
12-18-2010, 08:57 PM
#13 | What hasn't Killed me, has made me more tolerant of RS!
12-19-2010, 12:49 AM
#14 | HELP ME PLS!!!
Combofix is useless with a 64-bit OS.