Computer Security & Viruses/atlsystem837846.exe detected by SONAR
Expert: Brian Benosky - 10/27/2008
Question
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:03 AM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)
Boot mode: Normal
Brian,
My Norton Internet Security 2009 keeps detecting this every time I reboot my computer and unfortunately keeps also telling me I have to reboot to completely remove the security risk, so I have been involved in an endless cycle trying to avoid having my World of Warcraft login information stolen again. The file infostealer.wowcraft was originally discovered in a scan just today after I installed the Norton 2009 software. That got removed but I cannot seem to get rid of the endless cycle. Please advise me on how to get out of this cycle and how I can avoid having this problem in the future, as I have no idea how this came to be on my computer in the first place.
Thank you,
Jason
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesWindows DefenderMsMpEng.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSRTHDCPL.EXE
C:WINDOWSsystem32RUNDLL32.EXE
C:WINDOWSsystem32ctfmon.exe
C:UsersJasonLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe
C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:Program FilesNorton Internet SecurityEngine.0.0.125ccSvcHst.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSsystem32PnkBstrA.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesNorton Internet SecurityEngine.0.0.125ccSvcHst.exe
C:WINDOWSsystem32Rundll32.EXE
C:Program FilesTrend MicroHijackThisHijackThis.exe
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar =
http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60280
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://www.crawler.com/?tbid=60280
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,SearchAssistant =
http://www.crawler.com/search/ie.aspx?tb_id=60280
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,CustomizeSearch =
http://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
http://www.crawler.com/search/ie.aspx?tb_id=60280
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
http://dnl.crawler.com/support/sa_customize.aspx?TbId=60280
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:Program FilesNorton Internet SecurityEngine.0.0.125coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:Program FilesNorton Internet SecurityEngine.0.0.125IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_02binssv.dll
O2 - BHO: MSUSER Class - {8D4D2F69-DF30-4471-988C-CC58545E86C8} - C:WINDOWSsystem32SystemHper.dll
O4 - HKLM..Run: [SkyTel] SkyTel.EXE
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [RestartNeroSetup] "C:Program FilesCommon FilesAheadNero WebSetupX.exe" MODE="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UPGRADE="1" STUB="1"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [Google Update] "C:UsersJasonLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKUSS-1-5-19..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengermsnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [VisualTaskTips] C:WINDOWSSystem32visualtasktips.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [TopDesk] C:WINDOWSSystem32topdesk.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengermsnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengermsnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUSS-1-5-18..RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengermsnmsgr.exe" /background (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:WINDOWSsystem32GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3Office10EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02binssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver Intel 32IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:Program FilesNorton Internet SecurityEngine.0.0.125ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:WINDOWSsystem32PnkBstrA.exe
--
End of file - 7113 bytes
Answer
Hi Jason
I'm going to ask that you repost this log, as it is missing the proper format. Your log should look like this:
Running processes:
C:\WINDOWS\System32\smss.exe
and not like this:
Running processes:
C:WINDOWSSystem32smss.exe
When the log opens in Notepad, click on Format and check off Word Wrap, then copy the log here. You may also send it to me as an attachment at numbersix6@yahoo.com.
Brian
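As an added example (not code from the post or from the expert): a small Python checker for the exact defect Brian points out, a pasted HijackThis log whose path backslashes were stripped, including the case where a stripped "\n" in a path split one log line over two. The sample lines below are constructed, not the log from the question.

```python
import re

# Constructed sample: one line in the format the expert asks for, then lines
# in the broken form the posted log had (separators stripped, "\nvsvc32.exe"
# turned into a line break followed by "vsvc32.exe").
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:03 AM, on 10/27/2008
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:WINDOWSsystem32winlogon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32
vsvc32.exe
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
"""

# A drive letter plus colon that is not the tail of a word such as "http:" or
# "Run:"; group 2 is the character right after the colon (should be a backslash).
DRIVE = re.compile(r'(?<![A-Za-z0-9])([A-Za-z]):([^\s/])')
# A bare file name on its own line: what remains when a "\n" separator was
# interpreted as a newline.
BARE_FILE = re.compile(r'^[\w~.-]+\.(exe|dll|sys|scr)$', re.IGNORECASE)

def line_problem(line, prev_bad):
    """Reason string if this log line lost its separators, else None."""
    if prev_bad and BARE_FILE.match(line):
        return "continuation of previous path (separator eaten a line break)"
    for m in DRIVE.finditer(line):
        if m.group(2) != '\\':
            return "path after %s: has no backslash" % m.group(1)
    return None

def check_log(text):
    """Return a list of (line_number, reason) for lines that need reposting.
    An empty list means the log kept its separators and can be read as-is."""
    problems = []
    prev_bad = False
    for n, line in enumerate(text.splitlines(), 1):
        reason = line_problem(line.strip(), prev_bad)
        prev_bad = reason is not None
        if reason:
            problems.append((n, reason))
    return problems

if __name__ == "__main__":
    for n, reason in check_log(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```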