New Member, Same Problem

wookie
edited January 2008 in Malware talk

I have already read up on some other users that have had the same problems and it seems I have been struck by the same malware... I created my own thread to ensure that my problem gets addressed soon.

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:38 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\ehome\ehtray .exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\System32\DLA\DLACTRLW .EXE
C:\WINDOWS\system32\TFNF5.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman .exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
c:\PROGRA~1\mcafee.com\agent\mcagent .exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc .exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\toshiba\ivp\ism\pinger .exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\mrofinu1000140 .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [Kraidman] c:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Epg Service] "C:\Program Files\InterVideo\WinDVDHD\TvtvEpgAcq.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [f87509d0] rundll32.exe "C:\WINDOWS\system32\wgkwgvey.dll",b
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [steam] "c:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX580 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE /FU "C:\WINDOWS\TEMP\E_S4BF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O24 - Desktop Component 1: (no name) - http://www.pandora.com/?cmd=mini

--
End of file - 13146 bytes

If anyone could walk me through, step by step, on how to resolve my issues that would be fantastic.

Thanks in advance,

Greg

Comments

  • Any suspicious files you guys see? Should I try this VundoFix thing out?

  • claudiu
    edited January 2008

    I don't see BitDefender anywhere, you do realise that this is a BitDefender support forum and not a malware fixing guide..... but because I'm a nice guy hated by the English speaking Costa Ricans (lol) :ph34r: I will tell you what I have found suspicious in your log.

    Remove the line:

    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

    Erm, you should also rate my profile (I mean bribe me) so I will not tell the BitDefender gurus on the site you are using McAfee -_-

  • farbar
    edited January 2008

    Hi,

    I am going to walk you through step by step as you wanted.

    • First, the answer to your question: yes, I see indications of infection; one of them is already named. Another one is this:
      • O4 - HKLM\..\Run: [f87509d0] rundll32.exe "C:\WINDOWS\system32\wgkwgvey.dll",b
    • Second, I suggest you don't do anything and don't fix anything by yourself, and try not to use the Internet (unless it is needed for disinfection) and avoid frequent reboots until you are clean. Ask if you are not sure and report back your progress.
    • You have a long list of startup items. It means an unnecessarily long startup and a lot of (unneeded) running processes which can be called on demand from time to time without being needed at other times. Please do the following:
      • Go to this site http://www.castlecops.com/StartupList.html, copy and paste the .exe or .dll at the end of the O4 items of HJT and see if they are needed to run at startup (your AV, SiteAdvisor and, if you have a wireless mouse and keyboard, their software are needed; the rest is probably not needed and you can fix them with HJT: run HijackThis, click "Do a system scan only", check the item, close all windows including this one and click on "Fix checked").
    • It seems the infection has managed to partially hide itself from HJT. You may try this: go to the folder where HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename HijackThis.exe to something like moon.exe or whatever you like. Double-click moon.exe or whatever you named it (name.exe) and make a new log. Note that renaming the shortcut doesn't do the job. Post the content of the log in your next reply.
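As an added example (not from this thread, and not part of HijackThis), here is a small parser for the O4 lines in the log format shown above that flags the two entries the replies point at: the run key whose executable receives a long hex blob as its argument, and the rundll32 entry loading a DLL by a one-letter entry point under a random-looking key name. The sample lines are copied from the log and the heuristics are my own assumptions, not a published signature set.

```python
import re

# Constructed sample: a handful of O4 lines in HijackThis format, taken from the log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000140.exe 61A847B5BBF72813329B385776F901F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [f87509d0] rundll32.exe "C:\WINDOWS\system32\wgkwgvey.dll",b
O4 - HKCU\..\Run: [steam] "c:\progra~1\steam\steam.exe" -silent
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXT_RE = re.compile(r'\.(exe|dll)\b', re.IGNORECASE)

def split_command(cmd):
    """Split an O4 command into (target, args). A quoted target ends at the closing
    quote; an unquoted one (which may contain spaces) ends after the first .exe/.dll."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.search(cmd)
    if not m:
        return cmd, ''
    return cmd[:m.end()], cmd[m.end():].strip()

def suspicious_reasons(name, target, args):
    """Heuristics (assumptions of this example, tuned to the entries flagged in the thread)."""
    reasons = []
    if target.lower().endswith('rundll32.exe'):
        # rundll32 "path\x.dll",entry : a one-letter entry point is not how installers register DLLs
        m = re.match(r'"?([^",]+\.dll)"?,(\S*)', args, re.IGNORECASE)
        if m and len(m.group(2)) <= 1:
            reasons.append('rundll32 loads %s with one-letter entry point' % m.group(1))
    if re.search(r'\b[0-9A-Fa-f]{40,}\b', args):
        reasons.append('long hex blob passed as argument')
    if re.fullmatch(r'[0-9a-f]{8}', name):
        reasons.append('run-key name looks like random hex')
    return reasons

def scan_o4(log_text):
    """Return {run-key name: [reasons]} for every O4 entry that trips a heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target, args = split_command(m.group('cmd'))
        reasons = suspicious_reasons(m.group('name'), target, args)
        if reasons:
            flagged[m.group('name')] = reasons
    return flagged

if __name__ == '__main__':
    for name, reasons in scan_o4(SAMPLE_O4).items():
        print(name, '->', '; '.join(reasons))
```

Entries that match bare names without a path (like `AGRSMMSG.exe`) are parsed too but trip nothing, which is the intended behaviour: the heuristics only react to the argument shape and key name, so a hit still needs a human look before anything is fixed in HJT.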
  • Sorry, I have looked over other places for help but it seems that more users here had the same problem I have and I was just looking for help. I wasn't aware you guys required the use of BitDefender in order to receive guidance...

    Thanks for the replies thus far, I sincerely appreciate it.

    -Greg