Computer Security & Viruses / Assistance in regard to FU viral infection

Question
Good day,

My niece's PC has been affected by what I suspect is a Trojan that was transferred via USB. It appeared on the Desktop, and when I checked its properties (right-clicking the 'folder' labelled "Documents.exe"), the Version tab read as follows: comments "Welcome to FU virus", company "Gobilam_Corp", version "1.0.0", internal name "FuVirus", original file name "FuVirus.exe". The size of the said .EXE file is 72.0 KB (73,728 bytes) on checking.

Had run HJT firsthand:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:36 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:Program FilesFaronicsDeep FreezeInstall C-0DF5Serv.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:Program FilesJavajre1.6.0_04injusched.exe
C:Program FilesAnalog DevicesSoundMAXSMax4PNP.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:Program FilesAnalog DevicesSoundMAXSmax4.exe
C:WINDOWSsystem32pctspk.exe
C:Program FilesHPhpcoretechhpcmpmgr.exe
C:Program FilesHewlett-PackardHP Software UpdateHPWuSchd.exe
C:WINDOWSsystem32spooldriversw32x86hpztsb09.exe
C:Program FilesFaronicsDeep FreezeInstall C-0_$DfFrzState2k.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesCommon FilesAheadlibNMBgMonitor.exe
C:Program FilesYahoo!Messengerymsgr_tray.exe
D:Program Files - Do not delete!.exe
D:Torrent.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Program FilesMozilla Firefox irefox.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_04inssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_04injusched.exe"
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesSoundMAXSMax4PNP.exe
O4 - HKLM..Run: [SoundMAX] "C:Program FilesAnalog DevicesSoundMAXSmax4.exe" /tray
O4 - HKLM..Run: [PCTVOICE] pctspk.exe
O4 - HKLM..Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM..Run: [HP Component Manager] "C:Program FilesHPhpcoretechhpcmpmgr.exe"
O4 - HKLM..Run: [HP Software Update] "C:Program FilesHewlett-PackardHP Software UpdateHPWuSchd.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x86hpztsb09.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [FU] C:WINDOWSsystem32FUvirus.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadlibNMBgMonitor.exe"
O4 - HKCU..Run: [Messenger (Yahoo!)] "C:Program FilesYahoo!MessengerYahooMessenger.exe" -quiet
O4 - HKUSS-1-5-19..RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS.DEFAULT..RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_04inssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_04inssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O17 - HKLMSystemCCSServicesTcpip..{55C84C77-50F5-4D7D-833A-E10BC8A51156}: NameServer = 210.23.234.33 210.23.235.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:WINDOWSSYSTEM32avgrsstx.dll
O20 - Winlogon Notify: DfLogon - C:WINDOWSSYSTEM32LogonDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: DF5Serv - Faronics Corporation - C:Program FilesFaronicsDeep FreezeInstall C-0DF5Serv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:Program FilesAnalog DevicesSoundMAXSMAgent.exe

--
End of file - 6535 bytes




Had also downloaded Malwarebytes' Anti-Malware, but though it was able to locate and remove the said file, the infected folder remains on the Desktop; I also tried the FileAssassin tool in the HJT Tools, but to no avail -- it still remains.

Is my last resort to format the entire PC? I wish to avoid losing data again (I already had a bad experience with a power outage mishap while defragging, but thankfully the advice on this site helped a lot in recovering most of the lost files).

Answer
Hi Eric

Your log file is not formatted properly, so it is difficult to read.  Your entries look like this:

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe

Instead of:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe

Please resubmit the HJT log, making sure the format is correctly in place.  Also, please include your Malwarebytes log.  Thank you.

Brian
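The answer above rejects the log because its path separators were lost in transit, which makes the process list and the O4 autostart entries ambiguous to read. Below is an added example, not part of the thread and not a HijackThis or AllExperts tool, of a small triage script that a helper could run over a submitted log before analysing it: it flags lines whose drive-letter paths have no separator after the colon (the exact symptom Brian points out) and, independently, parses the O4 lines into hive, value name and command so the autostart entries can be reviewed. The sample lines are copied from the log in the question and from the correctly formatted lines in the answer; the function names and the simple "letter, colon, no slash" heuristic are this example's own assumptions.

```python
import re

# Sample input copied from the thread: the first block is how the question's
# log arrived (separators stripped), the second is the well-formed shape that
# the answer shows. Both are embedded here so the script runs offline.
BROKEN_LOG = """Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [FU] C:WINDOWSsystem32FUvirus.exe
"""

GOOD_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
O4 - HKLM\\..\\Run: [FU] C:\\WINDOWS\\system32\\FUvirus.exe
"""

# Heuristic (an assumption of this example): a Windows path that kept its
# separators reads "X:\" or "X:/"; one that lost them reads "X:" followed
# directly by a directory or file name. The word boundary keeps "Run:" or
# "http:" from matching, since only a single letter may precede the colon.
_DRIVE_NO_SEP = re.compile(r"\b[A-Za-z]:(?![\\/])\S")

# O4 line shape as seen in the log above: "O4 - <hive>: [<name>] <command>".
_O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def separators_stripped(log_text):
    """Return the 1-based line numbers whose drive-letter paths lack a separator."""
    return [
        number
        for number, line in enumerate(log_text.splitlines(), 1)
        if _DRIVE_NO_SEP.search(line)
    ]


def o4_entries(log_text):
    """Parse O4 (autostart) lines into (hive, value name, command) tuples."""
    entries = []
    for line in log_text.splitlines():
        match = _O4_LINE.match(line)
        if match:
            entries.append(
                (match.group("hive"), match.group("name"), match.group("cmd").strip())
            )
    return entries


def triage(log_text):
    """Summarise whether the log is readable and which autostart entries it lists."""
    bad_lines = separators_stripped(log_text)
    return {
        "readable": not bad_lines,
        "bad_lines": bad_lines,
        "o4": o4_entries(log_text),
    }


if __name__ == "__main__":
    for label, text in (("submitted log", BROKEN_LOG), ("well-formed log", GOOD_LOG)):
        result = triage(text)
        print(f"{label}: readable={result['readable']} bad_lines={result['bad_lines']}")
        for hive, name, cmd in result["o4"]:
            print(f"  O4 {hive} [{name}] -> {cmd}")
```

Run as-is, the script reports the submitted log as unreadable on every path-bearing line and still lists the two autostart entries it contains, so a helper can ask for a resubmission while already knowing which Run values (here the [FU] entry pointing into system32) need a closer look once the paths are unambiguous.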

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.