Author Topic: Win32:Patched-CK [trj] HELP HELP PLEASE  (Read 12222 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89295
  • No support PMs thanks
Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #15 on: March 14, 2009, 09:18:17 PM »
We have a start point, the first HJT log as it appears raw, e.g. no scans of anything as it is a train wreck.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

camembert2000

  • Guest
Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #16 on: March 15, 2009, 05:39:17 AM »
Okay, here's an updated hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:42 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O20 - AppInit_DLLs:  fjnxhy.dll ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O20 - Winlogon Notify: hgGaaXPf - hgGaaXPf.dll (file missing)
O20 - Winlogon Notify: khfEVOfD - khfEVOfD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe

--
End of file - 3956 bytes

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #17 on: March 15, 2009, 03:45:04 PM »
Running it from safe mode doesn't show processes that would be running in normal mode so is less useful for analysis.

Even in safe mode these are still running and should be fixed in HJT, the files found (search using windows explorer) and a) uploaded to virustotal and b) sent to avast for analysis (see below)

O4 - HKUS\S-1-5-18\..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'Default user')

O20 - AppInit_DLLs:  fjnxhy.dll ,

These are still listed but the files are gone and should also be fixed in HJT.
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O20 - Winlogon Notify: hgGaaXPf - hgGaaXPf.dll (file missing)
O20 - Winlogon Notify: khfEVOfD - khfEVOfD.dll (file missing)

####
Suspect files: Upload the file/s to VirusTotal (VT) mentioned above, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
####

Once you have done that reboot and run HJT in safe mode and post the contents of the log.

What is your Firewall? You don't appear to have an active one. It should be capable of blocking unauthorised outbound Internet connections.

CharleyO

  • Guest
Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #18 on: March 16, 2009, 08:10:22 PM »
***

camembert2000,

Please run HJT from a normal startup. Too many things are not running in safe mode.

When you posted the first (but incomplete) HJT log, it was from normal mode. Why safe mode this time?


***

David,

With respect to you, the first HJT log was incomplete and from an old version of HJT. So, imho, it was not a good start point. We need a good start point with the most up to date version of HJT run from normal start up.
We have neither yet.


***
« Last Edit: March 16, 2009, 08:15:05 PM by CharleyO »

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #19 on: March 16, 2009, 08:31:31 PM »
We don't know if it was an old version or not as there were no headers to confirm that.

I mentioned we need to see a log from normal mode but it seemed pointless to wait until camembert2000 did that to deal with some serious issues. Over 24 hours later and still no response, so I don't feel waiting that long is helping. If my system is in that state (it wouldn't be though), I wouldn't sleep until I had it resolved. I know people have different priorities, work/school, etc. but with a seriously compromised system that has to be a high priority (it seems those trying to help have a higher priority than camembert2000).

CharleyO

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #20 on: March 16, 2009, 11:14:30 PM »
***

You are right, there was no header. I even noted that in another post.    :-[


***

camembert2000

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #21 on: March 17, 2009, 07:45:33 PM »
Here's another HJT log. I thought I included the header ??? This has always been v2.0.2, which is the updated version.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:18 AM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [kvz2b13di4s8zox7tc25yawdbsz6sf6xlidyg2jmb8xx] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\s5zq9foxvf0.exe
O4 - HKCU\..\Run: [fp1q4sfugjsn7ggeon6vkv3v7ovravceufaljz15] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\irtg4dg3.exe
O4 - HKCU\..\Run: [mtfogihriine7karwa5nkjzxpvb819h7cbor655my] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\nzx90smxo5m.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j93dpmjmog64iwq9fpta4n0pemtnm3k06o6xvf1hbdtr] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\niv7qxcg.exe
O4 - HKCU\..\Run: [xxdwzbx7p4e8zjshwfh27kevafa9o2k1gmd7agkq3q8wz8s] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qlruca.exe
O4 - HKCU\..\Run: [labfgx7fr89tzjbvea9idwun4fac06wmtrg] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\vgjxzy82b4e.exe
O4 - HKCU\..\Run: [mowyjgygae8hygxm8aozismc0jxbfc] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\uxm3hw.exe
O4 - HKCU\..\Run: [k6ktt0bad3vfeqiey0947v0fsmdy5gpcm9je73m9oz8b] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\i2vrm1fa9w79s.exe
O4 - HKCU\..\Run: [zqbz9vh2pdfpgvg3punkl6dmcc7bwxt7n2pw0jpbf] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\jh16khd4y.exe
O4 - HKCU\..\Run: [iirwfa2j1lc2zwl7n6jfxlwqgh0zdfj8l9z3ncpf7tbph6j278] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\yg3aktho.exe
O4 - HKCU\..\Run: [b5imjnq3r7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fi3ydh.exe
O4 - HKCU\..\Run: [bmatkdjzhbybj6q3judc3me1dghd4im1op] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\l1h2n3f.exe
O4 - HKCU\..\Run: [ta443esc3njp92hfzjp26en34x4j8fg2z3diga5gmcjgivzl5i] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\etclkpv.exe
O4 - HKCU\..\Run: [jfrzxzqt1713j58] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qpaor9h8h.exe
O4 - HKCU\..\Run: [g0uhbng3jk] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bdtrn0of3.exe
O4 - HKCU\..\Run: [px3rig7ip76k44] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\j3ma4e.exe
O4 - HKCU\..\Run: [r967vc3v17x3mfcrf0] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fgw4p3k0l2g.exe
O4 - HKCU\..\Run: [gp778add2c3r] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mvmjo4l.exe
O4 - HKCU\..\Run: [qvfauwzzrz0rr73nbitxvrk6j] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\z3oz7odm0og7.exe
O4 - HKCU\..\Run: [mdyn6mwtnawhk7not2vw7gbk06366b3wdbydwu1zq88h4wlbj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xmhpszf068.exe
O4 - HKCU\..\Run: [s2cqbro1e8qyeni2p885i8coe23kxzj3ejki1xc29rsar] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oe6mohdxqrju.exe
O4 - HKCU\..\Run: [mllowwboxmand] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xn3wour8w0.exe
O4 - HKCU\..\Run: [ydsook0xqgpd3ze40fcsewj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\pfv4ceg.exe
O4 - HKCU\..\Run: [f69ygohaijn5h8s4rirpfsd3g2] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\ud7yp1n3b9.exe
O4 - HKCU\..\Run: [fll0z7mjr8q14q06ofakka8wu9whntbds8ty] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\frehft.exe
O4 - HKCU\..\Run: [w1kbj78wevdxgitj6sh52ungeo] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mr7qd0jwr84r.exe
O4 - HKCU\..\Run: [hkiazb7oanic93a51hne0q6e7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oaxvbzz.exe
O4 - HKCU\..\Run: [ifuiemoeq4jfi3] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\g1yei7otqj.exe
O4 - HKCU\..\Run: [ql9inexcggywny873ogevkg4xyst4vxohn0zanje] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bilqn1d4rlx.exe
O4 - HKCU\..\Run: [ki15r62nyzay6uv8n5q8adx1q] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\shoyle3fpia.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe

--
End of file - 6981 bytes
« Last Edit: March 17, 2009, 07:47:29 PM by camembert2000 »

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #22 on: March 17, 2009, 11:34:27 PM »
You still don't have an active firewall, and that helps prevent further infection. Your latest HJT log is worse, as there are even more malicious files running from Temp folders. Nothing should be set to run from a temporary folder, and that is a clue to it being malicious.


O4 - HKCU\..\Run: [kvz2b13di4s8zox7tc25yawdbsz6sf6xlidyg2jmb8xx] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\s5zq9foxvf0.exe
O4 - HKCU\..\Run: [fp1q4sfugjsn7ggeon6vkv3v7ovravceufaljz15] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\irtg4dg3.exe
O4 - HKCU\..\Run: [mtfogihriine7karwa5nkjzxpvb819h7cbor655my] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\nzx90smxo5m.exe

O4 - HKCU\..\Run: [j93dpmjmog64iwq9fpta4n0pemtnm3k06o6xvf1hbdtr] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\niv7qxcg.exe
O4 - HKCU\..\Run: [xxdwzbx7p4e8zjshwfh27kevafa9o2k1gmd7agkq3q8wz8s] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qlruca.exe
O4 - HKCU\..\Run: [labfgx7fr89tzjbvea9idwun4fac06wmtrg] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\vgjxzy82b4e.exe
O4 - HKCU\..\Run: [mowyjgygae8hygxm8aozismc0jxbfc] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\uxm3hw.exe
O4 - HKCU\..\Run: [k6ktt0bad3vfeqiey0947v0fsmdy5gpcm9je73m9oz8b] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\i2vrm1fa9w79s.exe
O4 - HKCU\..\Run: [zqbz9vh2pdfpgvg3punkl6dmcc7bwxt7n2pw0jpbf] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\jh16khd4y.exe
O4 - HKCU\..\Run: [iirwfa2j1lc2zwl7n6jfxlwqgh0zdfj8l9z3ncpf7tbph6j278] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\yg3aktho.exe
O4 - HKCU\..\Run: [b5imjnq3r7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fi3ydh.exe
O4 - HKCU\..\Run: [bmatkdjzhbybj6q3judc3me1dghd4im1op] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\l1h2n3f.exe
O4 - HKCU\..\Run: [ta443esc3njp92hfzjp26en34x4j8fg2z3diga5gmcjgivzl5i] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\etclkpv.exe
O4 - HKCU\..\Run: [jfrzxzqt1713j58] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qpaor9h8h.exe
O4 - HKCU\..\Run: [g0uhbng3jk] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bdtrn0of3.exe
O4 - HKCU\..\Run: [px3rig7ip76k44] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\j3ma4e.exe
O4 - HKCU\..\Run: [r967vc3v17x3mfcrf0] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fgw4p3k0l2g.exe
O4 - HKCU\..\Run: [gp778add2c3r] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mvmjo4l.exe
O4 - HKCU\..\Run: [qvfauwzzrz0rr73nbitxvrk6j] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\z3oz7odm0og7.exe
O4 - HKCU\..\Run: [mdyn6mwtnawhk7not2vw7gbk06366b3wdbydwu1zq88h4wlbj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xmhpszf068.exe
O4 - HKCU\..\Run: [s2cqbro1e8qyeni2p885i8coe23kxzj3ejki1xc29rsar] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oe6mohdxqrju.exe
O4 - HKCU\..\Run: [mllowwboxmand] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xn3wour8w0.exe
O4 - HKCU\..\Run: [ydsook0xqgpd3ze40fcsewj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\pfv4ceg.exe
O4 - HKCU\..\Run: [f69ygohaijn5h8s4rirpfsd3g2] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\ud7yp1n3b9.exe
O4 - HKCU\..\Run: [fll0z7mjr8q14q06ofakka8wu9whntbds8ty] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\frehft.exe
O4 - HKCU\..\Run: [w1kbj78wevdxgitj6sh52ungeo] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mr7qd0jwr84r.exe
O4 - HKCU\..\Run: [hkiazb7oanic93a51hne0q6e7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oaxvbzz.exe
O4 - HKCU\..\Run: [ifuiemoeq4jfi3] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\g1yei7otqj.exe
O4 - HKCU\..\Run: [ql9inexcggywny873ogevkg4xyst4vxohn0zanje] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bilqn1d4rlx.exe
O4 - HKCU\..\Run: [ki15r62nyzay6uv8n5q8adx1q] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\shoyle3fpia.exe

O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
- Whilst this is a legit file name it isn't in a legit location so is always highly suspect.

You should fix all of the above.

Empty your Temp internet files and all temp folders - CCleaner - Temp File Cleaner, etc..

You really need to get sorted on a firewall or you will be fighting a losing battle as quickly as you remove something it will be replaced.

- There are many freeware firewalls such as Comodo (care required now it is a suite; don't install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.


See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

You also need to run both SAS and MBAM from safe mode and report the findings, they both create logs you can use.

You also need to run the DrWeb CureIt tool.
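The heuristics DavidR applies in replies #17 and #22 (autostart entries pointing into a Temp folder, a populated AppInit_DLLs value, Winlogon Notify packages whose DLL is gone, and a system binary name such as services.exe or svchost.exe loaded from somewhere other than its stock location) can be encoded as a small triage script. The Python below is an added example, not code from this thread or from HijackThis; it parses the O4, O20 and O23 line formats seen in the logs above and flags the suspects. The expected-location table assumes a stock Windows XP install on drive C:, and the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str
    reason: str


# System binaries that malware likes to impersonate, with the only path a stock
# Windows XP install loads them from. Assumption for this example: a single
# system drive C: with the default %SystemRoot%; other layouts are not covered.
EXPECTED_SYSTEM_BINARIES = {
    "services.exe": r"c:\windows\system32\services.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}

# Line shapes as HijackThis 2.0.2 prints them (see the logs in this thread).
_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")
_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<rest>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
_EXE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)


def command_path(cmd):
    """Extract the executable path from an O4 command: drop the trailing
    "(User '...')" annotation HJT adds for other hives, then take either the
    quoted path or everything up to the first executable extension."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = _EXE.match(cmd)
    return m.group("path") if m else cmd.strip()


def runs_from_temp(path):
    """True if any directory component is a Temp folder. Works for both long
    (...\\Local Settings\\Temp\\x.exe) and 8.3 (...\\LOCALS~1\\Temp\\x.exe) forms,
    because the Temp component itself is spelled the same in both."""
    return "temp" in path.lower().split("\\")[:-1]


def misplaced_system_binary(path):
    """Return the expected path if this is a well-known system binary loaded
    from somewhere other than its stock location, else None."""
    base = path.lower().rsplit("\\", 1)[-1]
    expected = EXPECTED_SYSTEM_BINARIES.get(base)
    return expected if expected and path.lower() != expected else None


def analyse(lines):
    """Apply the thread's heuristics to HJT log lines and return the suspects."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := _O4.match(line):
            path = command_path(m.group("cmd"))
            if runs_from_temp(path):
                findings.append(Finding(line, f"autostart from a Temp folder: {path}"))
            elif expected := misplaced_system_binary(path):
                findings.append(Finding(line, f"system binary name outside {expected}"))
        elif m := _O20_APPINIT.match(line):
            value = m.group("value").strip(" ,")
            if value:
                findings.append(Finding(line, f"AppInit_DLLs is populated ({value}); normally empty"))
        elif m := _O20_NOTIFY.match(line):
            if "(file missing)" in m.group("rest"):
                findings.append(Finding(line, "orphaned Winlogon Notify package (DLL gone)"))
        elif m := _O23.match(line):
            path = m.group("path").replace("(file missing)", "").strip()
            if expected := misplaced_system_binary(path):
                findings.append(Finding(line, f"service binary outside {expected}"))
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')",
    r"O4 - HKCU\..\Run: [b5imjnq3r7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fi3ydh.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - AppInit_DLLs:  fjnxhy.dll ,",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it on a saved HJT log with `analyse(open("hijackthis.log").read().splitlines())`. A flagged line is a reason to look closer, not a verdict: as the thread shows, the next steps are checking the file at VirusTotal and submitting a sample, and an HJT "Fix" only removes the registry entry, so the file on disk still has to be confirmed gone.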

camembert2000

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #23 on: March 22, 2009, 08:28:07 PM »
No threats were detected in safe mode when I ran SAS, mbam, and the Dr.Web Cureit tool. Here's another hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:23 PM, on 3/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe

--
End of file - 5267 bytes

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #24 on: March 22, 2009, 08:43:26 PM »
That looks much better.

Fix:
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)

Confirm that the file is actually gone.

camembert2000

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #25 on: March 23, 2009, 11:38:37 PM »
I checked the fix checked button, but the file is still there. ???

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #26 on: March 24, 2009, 01:30:45 AM »
Do you mean the file or the HJT entry?

If you do mean the file, yes, it is likely it will still be there, as all HJT does is remove the registry entry (not the file also); that is why I suggested checking.

We need to remove the file, but before doing so:
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
« Last Edit: March 24, 2009, 01:32:16 AM by DavidR »

camembert2000

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #27 on: March 24, 2009, 06:08:56 AM »
I checked the file at VirusTotal - Multi engine on-line virus scanner, but it said "0 bytes size received."

Offline DavidR

Re: Win32:Patched-CK [trj] HELP HELP PLEASE
« Reply #28 on: March 24, 2009, 03:34:19 PM »
The zero byte size (nothing uploaded, so nothing detected) is commonly because you either tried to send it from the chest or avast alerted when you tried to upload it?

Did you do as suggested, create the suspect folder and exclude it from scans (enabling the upload to VT without interference from avast)?