Bad bug



jerrymrc
07-08-2011, 18:28
Main system picked up a bad one last night. Malware does not find it but I know it is there. So what say the masses. I have my thoughts but want the software guys to look.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:27:23 PM, on 7/8/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
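As an added example, not part of this thread: a small Python triage helper that parses HijackThis O2, O4 and O23 lines like the ones in the log above and flags the autostart entries a reviewer would want to look up first, in particular an executable listed with no directory (which file actually runs then depends on the search order at logon) or one stored under a user profile or temp directory. The sample input reuses a few lines copied from the log above plus one constructed O4 line, labelled as such in the code, that exists only to exercise the temp-directory rule. The flags are prompts for a manual check of the file on disk, not verdicts on the log.

```python
import re
from dataclasses import dataclass

# Sample input for this added example: a handful of lines copied from the
# HijackThis log above, plus one CONSTRUCTED line ([ConstructedExample]) that
# only serves to exercise the temp-directory rule. A raw string keeps the
# backslashes literal.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ConstructedExample] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class Entry:
    section: str   # "O2", "O4" or "O23"
    name: str      # BHO name, Run value name or service name
    target: str    # file that is actually loaded or launched
    raw: str       # original log line


O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$')

# First executable or DLL in a command line: a double-quoted path, or else the
# shortest unquoted run that ends in a known extension.
EXE_RE = re.compile(
    r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|cpl|scr|com|bat)))(?![A-Za-z0-9])',
    re.IGNORECASE)


def launch_target(cmd):
    """Return the file a Run-key command line really starts or loads."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip()
    target = m.group('q') or m.group('u')
    rest = cmd[m.end():]
    # rundll32 is only a host process: the DLL it is told to load is what matters.
    if target.lower().endswith('rundll32.exe') and rest.strip():
        return launch_target(rest)
    return target.strip()


def parse_hijackthis(text):
    """Extract O2/O4/O23 entries; every other line (header, processes) is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry('O2', m['name'], m['path'].strip(), line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry('O4', m['name'], launch_target(m['cmd']), line))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry('O23', m['name'], m['path'].strip(), line))
    return entries


DRIVE_OR_UNC = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')
USER_TEMP = re.compile(r'\\(?:temp|tmp|local settings|application data|appdata)\\',
                       re.IGNORECASE)


def review_flags(entries):
    """Pair each entry worth a manual look with the reason it was selected."""
    flags = []
    for e in entries:
        if not DRIVE_OR_UNC.match(e.target):
            flags.append((e, 'no directory given: which file runs depends on the '
                             'search order at logon, confirm the file on disk'))
        elif USER_TEMP.search(e.target):
            flags.append((e, 'stored under a user profile or temp directory, unusual '
                             'for an autostart, check publisher and hash'))
    return flags


if __name__ == '__main__':
    parsed = parse_hijackthis(SAMPLE_LOG)
    print(f'{len(parsed)} entries parsed')
    for entry, why in review_flags(parsed):
        print(f'[{entry.section}] {entry.name}: {entry.target}\n    {why}')
```

Run it against the full log saved from HijackThis by replacing `SAMPLE_LOG` with the file contents; the O2/O4/O23 regexes are the only format-specific part, so other section types are ignored rather than misparsed.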

Scanker19
07-08-2011, 18:43
bZRh6sZZyz0

DSB OUTDOORS
07-08-2011, 20:29
Ask Byte Strike!! He's the MAN!! [Beer]

jerrymrc
07-08-2011, 20:42
Ask Byte Strike!! He's the MAN!! [Beer]

Waiting for his reply. I have taken care of some of it and all seems to be well but I am not a software guy. Just want to be sure I have killed it. :)

Just had a pop-up so I guess not.

BPTactical
07-08-2011, 20:46
Just had a pop-up so I guess not.

At your age you should be happy to have a pop up[Muaha]

[LOL]

DSB OUTDOORS
07-08-2011, 20:47
Waiting for his reply. I have taken care of some of it and all seems to be well but I am not a software guy. Just want to be sure I have killed it. :)

Just had a pop-up so I guess not.
[Beer]5.56x45 should do it!! Good luck! Malwarebytes.com should have caught it but I guess not?? Good luck. Byte'll get back to ya![Tooth]

Byte Stryke
07-08-2011, 22:34
best advice for any Malicious software is the same policy I suggest for any warfare.

kill it all.


Insert the windows disk, boot from disk, delete the partition, reformat it, reinstall.

and fer chrissake don't give me anything about "But I didn't do any backups."
your loss.

and yes I am serious.

jerrymrc
07-09-2011, 05:28
best advice for any Malicious software is the same policy I suggest for any warfare.

kill it all.


Insert the windows disk, boot from disk, delete the partition, reformat it, reinstall.

and fer chrissake don't give me anything about "But I didn't do any backups."
your loss.

and yes I am serious.

I have it all backed up from about 3 weeks ago. I may kill it and grill it. [Coffee]

Byte Stryke
07-09-2011, 07:05
Nuke and pave... only way to be sure man.

gnihcraes
07-09-2011, 10:30
Boot to safe mode and run malwarebytes full scan. See if it finds anything else. But to be sure... format^^, as Byte said.

Delfuego
07-09-2011, 11:05
Probably a "rootkit". Try "Combo Fix".
[Beer]

Byte Stryke
07-09-2011, 19:15
try this... try that.. do this and manually rebuild the entire registry...


I had a customer INSIST we rebuild his installation.
as I remember it was something like 80+ hours.
80 hours at $28.87 an hour.

I had him sign a work order insisting we do that, thankfully. It wound up in court.

Nuke and pave... 3 hours with drivers = $80+OS if required.

being a dumbass.... priceless
[ROFL1]

hip55
07-09-2011, 19:44
Linux.

PCLinuxOS specifically.

jerrymrc
07-09-2011, 20:06
Linux.

PCLinuxOS specifically.

Well, would be nice but not happening. I am at the point where it may be time to kill it.

sniper7
07-09-2011, 20:40
Looks like a foreign bug to me because I don't understand any of that stuff!

jerrymrc
07-09-2011, 21:07
Looks like a foreign bug to me because I don't understand any of that stuff!

In some ways it has been fun to play and learn. Had the task manager running and watched. I know what it is and where it is but I do not know where it is replicating itself. I can stop it as it tries to do what it does.

In some ways I do not understand the creator of this. It has been found and it can be stopped but all it is now is a pain in the a$$. It does get pissed off when it starts running and you kill the process. :)

Irving
07-10-2011, 01:18
There are web forums like this one whose whole purpose is to help people with their computer problems. You just register on the site, post your problems, and they tell you what to do, step by step from there. I've used them before to clear up a nasty bug. I can't remember the name of the site though, something like noob.com or something along those lines.

Byte Stryke
07-10-2011, 07:39
If you suspect your computer is infected, remember that some of those nasties will self-replicate not only inside of that computer, but will span your network if allowed.

CERT rule #1: Remove the infected computer from the network.