Bubba Bob

Trojans And Virus Help Needed[RESOLVED]


Ok, a coworker was kind enough to lend me a dirty thumbdrive. Suddenly I have "Virus BLuster" as well as several nasty processes running.

Also, I'm getting R-rated pop-ups and fake virus warnings. My IE home page has also been hijacked.

Help is appreciated. Thanks

Logfile of HijackThis v1.99.1

Scan saved at 7:45:48 PM, on 11/5/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\LEXPPS.EXE

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\ishost.exe

D:\WINDOWS\system32\isnotify.exe

D:\WINDOWS\system32\issearch.exe

D:\WINDOWS\system32\ismini.exe

G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

D:\Program Files\ipwins\ipwins.exe

D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe

G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe

D:\Program Files\Skype\Phone\Skype.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

D:\WINDOWS\System32\CTSvcCDA.EXE

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\MsPMSPSv.exe

G:\Program Files\Opera\Opera.exe

D:\DOCUME~1\Admin\LOCALS~1\Temp\b104.exe

D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe

O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB

O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE


Hi Bubba,

Give me a sec to research the log and we will get you all cleaned up.


Please look over the following entries I have listed, run HijackThis again and check them, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button with HijackThis.

Reboot if I have specified below, and post a fresh HijackThis log.

O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe

After this, reboot into safe mode (this can be done by tapping F8 while your machine restarts) and delete the following files:

D:\WINDOWS\system32\ishost.exe

D:\WINDOWS\system32\isnotify.exe

D:\WINDOWS\system32\issearch.exe

D:\WINDOWS\system32\ismini.exe

D:\Program Files\ipwins\ipwins.exe

D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe

Note: Make sure you have set Windows to show hidden files and folders before you start deleting them. This can be done by following the instructions at this web page: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
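As an added example (not code from this thread or from HijackThis), a small Python parser for the HijackThis log format that diffs a before-cleanup log against an after-cleanup log to confirm which running processes and O-entries the "Fix Checked" and safe-mode deletions actually removed, plus a path heuristic for the two locations that stand out in the first log (a Temp directory and a GUID-named Common Files folder). The log excerpts are constructed from a few lines of the logs posted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two logs posted above (before and after the fix).
LOG_BEFORE = r"""
Running processes:
D:\WINDOWS\system32\ishost.exe
D:\Program Files\ipwins\ipwins.exe
D:\Program Files\Common Files\{4CC10404-0A21-1033-0628-040403240001}\Update.exe
D:\DOCUME~1\Admin\LOCALS~1\Temp\b104.exe
D:\HJT\HijackThis.exe
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""
LOG_AFTER = r"""
Running processes:
D:\HJT\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: [name] path"
# Images in a Temp dir or a GUID-named Common Files folder, as seen in the first log.
SUSPECT_RE = re.compile(r"\\Temp\\|\\Common Files\\\{[0-9A-Fa-f-]+\}\\", re.I)

def parse_hjt(log):
    """Group a HijackThis log into {'process': {...}, 'O2': {...}, 'O4': {...}}."""
    sections, in_procs = defaultdict(set), False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY_RE.match(line):  # the first O-entry ends the process list
            in_procs = False
            sections[m.group(1)].add(m.group(2))
        elif in_procs and line:
            sections["process"].add(line)
    return dict(sections)

def removed_entries(before, after):
    """Entries present in the first log but gone from the second, per section."""
    b, a = parse_hjt(before), parse_hjt(after)
    diff = {k: sorted(v - a.get(k, set())) for k, v in b.items()}
    return {k: v for k, v in diff.items() if v}

def flag_suspect_paths(log):
    """Triage hint only: ipwins/ishost have ordinary-looking paths and were
    recognised from the helper's knowledge, so a path match is not a verdict."""
    return sorted(l.strip() for l in log.splitlines() if SUSPECT_RE.search(l))
```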


Logfile of HijackThis v1.99.1

Scan saved at 8:34:06 PM, on 11/5/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Sygate\SPF\smc.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\LEXPPS.EXE

G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe

D:\Program Files\Skype\Phone\Skype.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

D:\WINDOWS\System32\CTSvcCDA.EXE

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\MsPMSPSv.exe

G:\Program Files\Opera\Opera.exe

D:\WINDOWS\system32\wuauclt.exe

D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB

O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe


Sorry BubbaBob,

I missed one on my previous review.

Run HijackThis again and check this entry, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button with HijackThis.

Reboot if I have specified below, and post a fresh HijackThis log.

O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - D:\WINDOWS\system32\ixt2.dll

After this, reboot into safe mode and delete the following file:

D:\WINDOWS\system32\ixt2.dll


Heh, I knew something wasn't quite right.... Clean? :)

Logfile of HijackThis v1.99.1

Scan saved at 8:47:28 PM, on 11/5/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\Sygate\SPF\smc.exe

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

D:\WINDOWS\System32\CTSvcCDA.EXE

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\MsPMSPSv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

G:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

D:\WINDOWS\system32\lexpps.exe

G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe

D:\Program Files\Skype\Phone\Skype.exe

G:\Program Files\Opera\Opera.exe

D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM\..\Run: [CTSysVol] g:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [updReg] D:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [Creative MediaSource Go] G:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB

O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe


Are you still getting the pop-ups that you mentioned earlier?

If not, then your system is clean :)

What you had was a version of PurityScan adware installed.


Since this issue appears to be resolved, this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
