Expert: Brian Benosky - 5/16/2010

Question
QUESTION: I was recently looking through some torrent websites, when a "virus removal" window popped up. As I have been thru this similar situation before and learned the hard way not to click on anything. This similar situation i spoke of above was my fault, but this time around I simply opened vertor, piratebay, & kickasstorrents (in that order) and presto! The "removal" program appeared. I would have questioned wether or not I clicked wrong or some other dumb mistake made on my part, but someone else was in front of my computer with me and saw it happen as I did. How is that possible???

Anyways....

It is not letting me do anything on the desktop. I can open windows explorer and similar back ends but anything that opens from those to the desktop has no chance.

I have already followed your previous instruction and have both malware and hijack this log files ready to post here. In addition to that I have also ID'd several files/file locations that harbor this vicious virus. Three to be exact:

1.) an executable file called fbyudtatssd.exe

2.) above file located in file folder: C:\users\fi3ld\appdata\local\neghbafth\

3.) and the really wierd one: kaka://c:\users\fi3ld\appdata\local\neghbafth\fbyudtatssd.exe/htmlMain.htm


Where should I load the log files as I do not see an area to do it here.

Thanks for your help, Brian!

ANSWER: Hi Joseph

You can just copy and past the logs in a reply to me, or you can send them to me directly at numbersix6@yahoo.com.  I'll look them over and see what else needs to be done.  

Brian

---------- FOLLOW-UP ----------

QUESTION: Here are the log files, although since i never clicked on anything i dont think it had a chance to do anything besides hyjack my desk top....I ended up permenately deleting those files i mentioned above and havent had any more problems....but please look at these in case I missed something

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:37 AM, on 5/13/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Safe mode with network support

Running processes:
C:Program Files (x86)Trend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WindowsSysWOW64lank.htm
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program Files (x86)Common FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:Program Files (x86)Adobe/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:Program Files (x86)RealRealPlayer
pbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program Files (x86)AVGAVG8avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program Files (x86)Microsoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program Files (x86)Common FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:PROGRA~2MICROS~1Office14URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program Files (x86)Javajre6injp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:Program Files (x86)Adobe/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~2AVGAVG8avgtray.exe
O4 - HKLM..Run: [LifeCam] "C:Program Files (x86)Microsoft LifeCamLifeExp.exe"
O4 - HKLM..Run: [GoToMyPC] "C:Program Files (x86)CitrixGoToMyPCg2svc.exe" -logon
O4 - HKLM..Run: [TkBellExe] "C:Program Files (x86)Common FilesRealUpdate_OB
ealsched.exe"  -osboot
O4 - HKLM..Run: [googletalk] C:Program Files (x86)GoogleGoogle Talkgoogletalk.exe /autostart
O4 - HKLM..Run: [PWRISOVM.EXE] C:Program Files (x86)PowerISOPWRISOVM.EXE
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program Files (x86)Javajre6injusched.exe"
O4 - HKLM..Run: [AppleSyncNotifier] C:Program Files (x86)Common FilesAppleMobile Device SupportinAppleSyncNotifier.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program Files (x86)QuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program Files (x86)iTunesiTunesHelper.exe"
O4 - HKCU..Run: [History Killer Pro] C:UsersFi3LdAppDataRoamingEmergency SoftHistory Killer ProHistoryKillerPro.exe
O4 - HKCU..Run: [Google Update] "C:UsersFi3LdAppDataLocalGoogleUpdateGoogleUpdate.exe" /c
O4 - HKCU..Run: [RESTART_STICKY_NOTES] C:WindowsSystem32StikyNot.exe
O4 - HKCU..Run: [dmgcutap] C:UsersFi3LdAppDataLocal
eghbafthbyudtatssd.exe
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [mctadmin] C:WindowsSystem32mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [mctadmin] C:WindowsSystem32mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Network Server.lnk = C:Program Files (x86)WIBUKEYServerWkSvMgr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program Files (x86)AdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~2MICROS~1Office12EXCEL.EXE/3000
O8 - Extra context menu item: S&end to OneNote - res://C:PROGRA~2MICROS~1Office14ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~2MICROS~1Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~2MICROS~1Office12ONBttnIE.dll
O9 - Extra button: Linked &Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:Program Files (x86)Microsoft OfficeOffice14ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: Linked &Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:Program Files (x86)Microsoft OfficeOffice14ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~2MICROS~1Office12REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program Files (x86)Microsoft OfficeOffice12GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program Files (x86)AVGAVG8avgpp.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:Program Files (x86)Common FilesAdobeAdobe Version Cue CS3ServerinVersionCueCS3.exe
O23 - Service: @%SystemRoot%system32Alg.exe,-112 (ALG) - Unknown owner - C:WindowsSystem32alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program Files (x86)Common FilesAppleMobile Device SupportAppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:Program Files (x86)Common FilesAutodesk SharedServiceAdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~2AVGAVG8avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program Files (x86)BonjourmDNSResponder.exe
O23 - Service: @%SystemRoot%system32efssvc.dll,-100 (EFS) - Unknown owner - C:WindowsSystem32lsass.exe (file missing)
O23 - Service: @%systemroot%system32xsresm.dll,-118 (Fax) - Unknown owner - C:Windowssystem32xssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program Files (x86)Common FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService64.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:Program Files (x86)CitrixGoToMyPCg2svc.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodiniPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:WindowsSystem32msdtc.exe (file missing)
O23 - Service: @%SystemRoot%System32
etlogon.dll,-102 (Netlogon) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:Program Files (x86)Common FilesAheadLibNMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:Windowssystem32
vvsvc.exe (file missing)
O23 - Service: Office Software Protection Platform (osppsvc) - Unknown owner - C:Windowssystem32OSPPSVC.EXE (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:Program FilesRaxcoPerfectDisk10PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:Program FilesRaxcoPerfectDisk10PDEngine.exe
O23 - Service: @%systemroot%system32psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%systemroot%system32Locator.exe,-2 (RpcLocator) - Unknown owner - C:Windowssystem32locator.exe (file missing)
O23 - Service: @%SystemRoot%system32samsrv.dll,-1 (SamSs) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%SystemRoot%system32snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:WindowsSystem32snmptrap.exe (file missing)
O23 - Service: @%systemroot%system32spoolsv.exe,-1 (Spooler) - Unknown owner - C:WindowsSystem32spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%system32sppsvc.exe,-101 (sppsvc) - Unknown owner - C:Windowssystem32sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:Program Files (x86)NVIDIA CorporationD Vision
vSCPAPISvr.exe
O23 - Service: @%SystemRoot%System32TuneUpDefragService.exe,-1 (TuneUp.Defrag) - Unknown owner - C:WindowsSystem32TuneUpDefragService.exe (file missing)
O23 - Service: @%SystemRoot%System32TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - Unknown owner - C:WindowsSystem32TUProgSt.exe (file missing)
O23 - Service: @%SystemRoot%system32ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:Windowssystem32UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%system32aultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:Windowssystem32lsass.exe (file missing)
O23 - Service: @%SystemRoot%system32ds.exe,-100 (vds) - Unknown owner - C:WindowsSystem32ds.exe (file missing)
O23 - Service: @%systemroot%system32ssvc.exe,-102 (VSS) - Unknown owner - C:Windowssystem32ssvc.exe (file missing)
O23 - Service: @%SystemRoot%system32WatWatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:Windowssystem32WatWatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%system32wbengine.exe,-104 (wbengine) - Unknown owner - C:Windowssystem32wbengine.exe (file missing)
O23 - Service: @%Systemroot%system32wbemwmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:Windowssystem32wbemWmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%Windows Media Playerwmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:Program Files (x86)Windows Media Playerwmpnetwk.exe (file missing)

--
End of file - 12340 bytes



Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

5/12/2010 6:28:34 PM
mbam-log-2010-05-12 (18-28-34).txt

Scan type: Full Scan (C:|D:|H:|)
Objects scanned: 547637
Time elapsed: 1 hour(s), 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerNoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)








Thanks again!!!!!!!!!!!!!!!!

Answer
Hi Joseph

The log files came through with the wrong format, which makes them difficult to read.  Yours look like this:

Running processes:
C:Program Files (x86)Trend MicroHijackThisHijackThis.exe
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain

Instead they should look like this:

Running processes:
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main

Please re-post the HJT log for me.  From what I can make out, it looks like the malware is gone, but I would like to be sure.  Thanks.

Brian