Kindly be advised we cannot cancel subscriptions or issue refunds on the forum.
You may cancel your Bitdefender subscription from Bitdefender Central or by contacting Customer Support at: https://www.bitdefender.com/consumer/support/help/

Thank you for your understanding.

Need Help On Some Strange Virus/malware

Options
oddwaffle
oddwaffle
in Logs analysis

I believe i have been infected by something called Antivirus 2009 or possibly something else but the Antivirus thing popped up once before I removed it from Add/Remove Programs. I attempted to remove/delete it but it keep sticking around and prevent me from access to several sites. Yahoo and Google and general websites are ok while sites like Zonealarm and Bitdefender cause a 'connection reset' error. Sometimes I even get redirected to some random search engines.


I can not run windows xp in safe mode. It gets stuck at Mug.sys and gives me a flash of the blue screen of death and instantly restart.


Here is the HijackThis log


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 4:46:42 PM, on 24/11/2008


Platform: Windows XP SP3 (WinNT 5.01.2600)


MSIE: Internet Explorer v7.00 (7.00.6000.16705)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


C:\WINDOWS\System32\svchost.exe


C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe


C:\WINDOWS\system32\spoolsv.exe


C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


C:\WINDOWS\system32\nvsvc32.exe


C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\Explorer.EXE


C:\WINDOWS\system32\ctfmon.exe


C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe


C:\Program Files\QuickTime\qttask.exe


C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe


C:\Program Files\Unlocker\UnlockerAssistant.exe


C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


C:\WINDOWS\System32\svchost.exe


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


O2 - BHO: (no name) - {42948504-adb3-4598-94f0-be05502a7191} - C:\WINDOWS\system32\yelosuso.dll


O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll


O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe


O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe


O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"


O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"


O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H


O4 - HKLM\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s


O4 - HKLM\..\Run: [CPM410bdf4e] Rundll32.exe "c:\windows\system32\zekizuma.dll",a


O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"


O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"


O4 - HKUS\S-1-5-19\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s (User 'LOCAL SERVICE')


O4 - HKUS\S-1-5-20\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s (User 'NETWORK SERVICE')


O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


O20 - AppInit_DLLs: c:\windows\system32\zekizuma.dll,C:\WINDOWS\system32\wapoyali.dll


O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zekizuma.dll


O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zekizuma.dll


O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe


O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe


O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe


O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE


O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


--


End of file - 5095 bytes

Comments

  • Theoracle117
    Theoracle117
    edited November 2008
    Options

    Please pack the file(s) in an archive, protected with the password infected.


    C:\WINDOWS\system32\explorer32.exe


    Attach the archive in your next post here.(if it's too big, upload it on www.rapidshare.com or other server and leave here the download link).


    Scan again with hijackths and check the little checkbox next to


    O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"


    and press fix. There are some other things on your hijackthis log that i am not sure of.

  • oddwaffle
    oddwaffle
    Options

    Here's the file and the new log. Password is "infected" as indicated.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 4:47:52 PM, on 25/11/2008


    Platform: Windows XP SP3 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16705)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe


    C:\Program Files\QuickTime\qttask.exe


    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe


    C:\Program Files\Unlocker\UnlockerAssistant.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {42948504-adb3-4598-94f0-be05502a7191} - C:\WINDOWS\system32\yelosuso.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll


    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"


    O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H


    O4 - HKLM\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s


    O4 - HKLM\..\Run: [4238ecd2] rundll32.exe "C:\WINDOWS\system32\jisagoyi.dll",b


    O4 - HKLM\..\Run: [CPM410bdf4e] Rundll32.exe "c:\windows\system32\roboketu.dll",a


    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"


    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKUS\S-1-5-19\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [noniresuja] Rundll32.exe "C:\WINDOWS\system32\hesonaga.dll",s (User 'NETWORK SERVICE')


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


    O20 - AppInit_DLLs: C:\WINDOWS\system32\wapoyali.dll c:\windows\system32\roboketu.dll


    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\roboketu.dll


    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\roboketu.dll


    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe


    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe


    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe


    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE


    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    --


    End of file - 5047 bytes


    /applications/core/interface/file/attachment.php?id=4097" data-fileid="4097" rel="">explorer32.rar

  • tsec
    tsec
    Options

    FYI:


    http://answers.yahoo.com/question/index?qi...09161707AAMSNLk

  • oddwaffle
    oddwaffle
    Options

    i can not download and update the programs, it appears that certain programs are prevented from accessing the internet.

  • rootkit
    rootkit ✭✭✭
    Options

    Download Malwarebytes' Anti-malware from here:


    http://www.malwarebytes.org/mbam.php


    Once the download is complete, run the install program, and accept all of the default options. Make sure that the options to Update and Launch the software is checked when you click Finish.


    Now, let's make sure that it has all of the latest anti-spyware definitions: click on the Update tab and click the Check for Updates button.


    malwarebytes1.png


    After the updates have been loaded, click on the Scanner tab and choose the Perform Complete Scan option, then click the Scan button.


    a5163075fd548685aa01c10a88346d17.png


    When the scan is complete, it will show you all of the potentially harmful files on your computer - click the button to remove them automatically.


    Paste the scan log here. :)

  • oddwaffle
    oddwaffle
    Options

    I can not seem to run the update file. It just stays there and not turn on the setup. Accessing to the website using the infected computer is impossible as i keep getting connection reset error.

All Time Leaders

Categories

Defenders of the month