
Just got bombed... Need some help


EmAn

Member
Joined
Feb 20, 2007
Location
Germany for now.
I am not really sure how this got in, but it started with Avast going nuts with a lot of trojans. Some of this stuff popping up I have seen before... (fake security center stuff) and lots of noises, as well as heavy HDD use for no reason and drives going crazy.

Here is a HijackThis report, if you guys can help me:

HijackThis said:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:24 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\EmAn\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\444.471
C:\WINDOWS\system32\iftuyszv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\XP Antivirus\xpa.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: targetedbanner browser optimizer - {101bc6cc-873b-e146-bdf2-372df240d5f4} - C:\WINDOWS\system32\{79e02b5c-089b-8b88-97a3-cc963af0300c}.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{6d40e7b2-0d53-7952-03f9-694ffb4afbba}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{79e02b5c-089b-8b88-97a3-cc963af0300c}.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NudgeMania] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKCU\..\Run: [45683954533628023779878024448944] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: xapifkpa - {f3e54a8b-0364-4b10-be4e-c9feb61c2013} - C:\Documents and Settings\All Users\Application Data\xapifkpa.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8189 bytes

Also, the Task Manager is locked out.

This has hit me out of the blue and I have no idea how it got in.
 
Disconnect that computer from the internet IMMEDIATELY. Borrow a laptop... pull your old computer out of a closet... do whatever the hell you have to do but DO NOT ALLOW THAT COMPUTER ON THE INTERNET.

Then... on that OTHER computer... download and install anything smarter than Avast (or less popular): get a trial version of Zone Alarm, or Trend Micro, or something Swedish you never heard of.

Save it on the OTHER computer... then copy to a thumb drive. Copy it over to the computer THAT SHOULD BE OFF THE NET... install the antivirus, THROW THE USB KEY IN THE GARBAGE... pray that it at least gets rid of the backdoors and half the trojans. THEN connect it to the net. Download the updates, run the antivirus again. Download a few more antivirus programs.

Repeat.

Just did this last week for my uncle's computer.
 
Just glancing the log over quickly, the stuff that stands out:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [{6d40e7b2-0d53-7952-03f9-694ffb4afbba}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{79e02b5c-089b-8b88-97a3-cc963af0300c}.dll" DllStart

O4 - HKCU\..\Run: [45683954533628023779878024448944] C:\Program Files\XP Antivirus\xpa.exe

O21 - SSODL: xapifkpa - {f3e54a8b-0364-4b10-be4e-c9feb61c2013} - C:\Documents and Settings\All Users\Application Data\xapifkpa.dll

O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)

The only one I'm not positive on is the xapifkpa.dll, I've never heard of it before and as I search I'm not finding much about it.

I would do a boot-time scan with Avast on the most thorough settings, a boot-time scan with Spybot: Search and Destroy, a full scan with Ad-Aware, and run CCleaner.

I'll keep picking over your list.
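As an added triage example (my own script, not code from this thread or from HijackThis), here is a Python checker that encodes the reasoning behind the entries singled out above: registrations whose file is gone, Run values named with a bare GUID or number, rundll32 loading a GUID-named DLL, an SSODL entry under Application Data, a service with no vendor string, a numeric file name under C:\WINDOWS, and a UserInit line that chains a second executable. The heuristics are assumptions of mine; the sample entries are copied from the log posted in this thread.

```python
import re

# Sample entries copied from the HijackThis log posted earlier in this thread,
# embedded so the script runs offline (three clean lines serve as controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{6d40e7b2-0d53-7952-03f9-694ffb4afbba}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{79e02b5c-089b-8b88-97a3-cc963af0300c}.dll" DllStart
O4 - HKCU\..\Run: [45683954533628023779878024448944] C:\Program Files\XP Antivirus\xpa.exe
O21 - SSODL: xapifkpa - {f3e54a8b-0364-4b10-be4e-c9feb61c2013} - C:\Documents and Settings\All Users\Application Data\xapifkpa.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
"""
ENTRY = re.compile(r"^(F2|O2|O4|O21|O23) - (.*)$")
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)


def triage_line(line):
    """Return the reasons one HijackThis entry deserves a closer look ([] if none)."""
    m = ENTRY.match(line)
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists")
    if kind == "F2" and "UserInit=" in body:
        # Stock XP UserInit runs only userinit.exe; anything chained after it runs at every logon.
        chain = [e for e in body.split("=", 1)[1].split(",") if e]
        if len(chain) > 1:
            reasons.append("UserInit chains extra executables: " + ", ".join(chain[1:]))
    if kind == "O4":
        name = re.search(r"\[(.*?)\]", body)
        if name and (GUID.match(name.group(1)) or name.group(1).isdigit()):
            reasons.append("Run value named with a bare GUID or number")
        if "rundll32" in body.lower() and "{" in body:
            reasons.append("rundll32 loading a GUID-named DLL")
    if kind == "O21" and "Application Data" in body:
        reasons.append("ShellServiceObjectDelayLoad DLL living in a data directory")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary with no vendor string")
    if re.search(r"\\WINDOWS\\\d+\.\d+", body):
        reasons.append("numeric file name directly under C:\\WINDOWS")
    return reasons


def triage_log(text):
    """Map every suspicious entry in a HijackThis log to its list of reasons."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits[line] = reasons
    return hits
```

The output is a review list, not a verdict: "Unknown owner" also matches the legitimate WinPcap rpcapd service in the posted log, so each hit still needs a human (or a signature scan) to confirm.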
 
Don't bother. He probably has at least FORTY trojans on his computer... and they aren't going to show up on that list.

He COULD go hunting for them all individually... but the humane thing to do would be to let a program find them.
 
How about putting that hard drive in an external case, plugging that into another computer that has AUTOPLAY disabled, and running everything to clean it? Go online and use the Trend Micro and Panda online scanners as well.

I read something: if you have some sensitive information such as financial (visiting PayPal, for example), it's probably better to reformat the hard drive and do a clean install of everything.
 
How about you stop downloading crap.

Just reformat your computer. You are going to spend hours trying to clean it, and it will probably never work anyway.
 
I think I am just going to be reformatting. Now I need to go find me a CD. I would say that Avast went off about 30-40 times... Not very pleasant when other people are trying to sleep.
 
There's a new invention: VOLUME SWITCH!

I think they came up with it in Japan or something...

Reformatting is the cheap way out (and may not even solve your problem if you do it wrong.)

There was no point in even making this thread if you were just going to reformat.
 
What exactly would be the wrong way to format the drive?

Gather round ye urchins! I am the ghost of computing past (and Present: He got laid off so I'm pulling a double shift.)

Let's say you have a hard drive and a partition C that takes up about 99.6% of the available space... It doesn't take that sophisticated a virus to create a tiny partition somewhere in the remaining 0.4% of available space (with drives in the hundreds of gigs these days... that could be a lot of space.)

You "Format c:"... you aren't getting rid of that virus. He said his hard drive was going crazy... he didn't say his "C drive" was going crazy. There is a chance there is a virus resident elsewhere... other than his boot drive.

Next week's chapter will be on the boot sector: Boot managers, boot viruses, Bootsy Collins, and little kittens... with boots.
 
I meant the C: drive. There are only two partitions on this. One for XP and the other for just storage... I am going to kill both of them. I have seen these trojans on people's machines that I have fixed in the past, and a format was just the easiest option for the customer, as they needed their machine back.

I still am looking around for an XP Pro CD with no service packs... While I am doing that I am also gonna grab a Linux disc and dual boot this laptop.

Thanks for all the replies so far. Right now all that is being detected is Spyware, Adware, Backdoor openers, Trojans, Dialers, and Password stealers... I'm not worried, because as soon as all this stuff came up I immediately disabled the wifi on the laptop. I hope all goes well now...
 
Wonderful. :beer:

Your average computer user (at least who the average computer user is now that EVERYBODY has a computer) has nothing more important than a few MP3s on their computer. They could care less. But nobody that knows how to log in to this site is "average."

I was a Senior Systems Analyst for years... and I steadfastly refused to just ghost people's computers unless there was ABSOLUTELY no reason not to. Reason being twofold: one, if you're a mechanic, it's more rewarding to fix your car than it is to just start driving your wife's car instead, and two: because you always forget something. Even if it's just a phone number... or a movie... or a program you got for free that you won't be able to use again after you reformat. (Unless you ghosted, I guess... No wonder I got out of the business...) ;)
 
I think I need to get me a copy of ghost or something similar just in case something like this happens again...
 
When reformatting, make sure you find and delete every existing partition. I used to use Fdisk for this, but that was long before 120+GB hard drives were the norm, and I haven't tried since I found my copy wouldn't work with the 160GB I had.
 
If you do a fresh install of WinXP or W2K (I don't know about Vista), it will come to a screen where you can delete all existing partitions and start over. This is the best way to do a clean install.
 