#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    2
    Rep Power
    0

    Can't get rid of some malware


    Hey there, recently contracted what i think is a trojan that i can't seem to get rid of and i'm trying to avoid a full system wipe, so i decided to reach out for some help. The one i contracted starts a program called "HSY.exe" which brings up a fake windows security center nearly every time i try to open a program, as well as disabling my actual windows security center. Neither AVG nor Avast have managed to find and squash the thing, and I don't know how to edit the registry, any help forthcoming would be deeply appreciated.

    ~Macdunne~
  2. #2
  3. Lord of the Dance
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2003
    Posts
    3,663
    Rep Power
    1945
    Please read the stickies, especially read and follow the guidelines in If you have infection issues start here first...
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    2
    Rep Power
    0
    Originally Posted by MrFujin
    Please read the stickies, especially read and follow the guidelines in If you have infection issues start here first...
    Ah, thanks for the heads up, i somehow missed that one, ok here are the logs i've gathered, one from Malware bytes and one from hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:10:06 PM, on 4/10/2011
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16722)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - O17 - HKLM\System\CCS\Services\Tcpip\..\{4E823606-A06B-4FF9-8DE7-53A9B4C5387D}: NameServer = 8.8.8.8,8.8.4.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5C42F57-894A-41B6-B5A8-37C1A970AE22}: NameServer = 192.168.1.1
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - e:\games\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 7140 bytes

    Malwarebytes' Anti-Malware 1.50.1.1100
    Database version: 6324

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    4/10/2011 10:54:51 AM
    mbam-log-2011-04-10 (10-54-51).txt

    Scan type: Quick scan
    Objects scanned: 160729
    Time elapsed: 4 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Raethen\AppData\Local\hsy.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Raethen\AppData\Local\hsy.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Raethen\AppData\Local\hsy.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Raethen\AppData\Local\Temp\0.917658326996528.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Raethen\local settings\application data\hsy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Raethen\local settings\application data\txk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2011
    Posts
    1
    Rep Power
    0

    Can't get rid of some malware


    Protecting your computer is not an option. Malware arrives from various websites, software programs, downloads and emails. Pop-ups, a hijacked web browser, poor computer performance and crashes are some of the signs of malware. Read on to learn how to get rid of malware.

    Instructions:

    1. Back up your data.
    2. Run your virus scanner to get rid of malware. If you have an anti-virus suite already installed that's great.
    - Use AVG.
    3. Download a spyware detection program.
    4. Check out Windows Defender for free. The Microsoft website offers real-time protection against all types of malware. Download and scan for removal of spyware.
    5. Get Malicious Software Removal Tool free from the Microsoft website. This tool works with Windows 2000 and XP. It scans, discovers and removes many types of malware then runs in the background for future detection.

    Read more at portugues.200sharewarelinks.com
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2011
    Posts
    2
    Rep Power
    0
    Defender? Thats a bit dated. Microsoft Security Essentials is the current product (still free). Its not to bad.
    I still rely on good old Malwarebytes to clean an infected machine.


    Originally Posted by m2mwhite
    Protecting your computer is not an option. Malware arrives from various websites, software programs, downloads and emails. Pop-ups, a hijacked web browser, poor computer performance and crashes are some of the signs of malware. Read on to learn how to get rid of malware.

    Instructions:

    1. Back up your data.
    2. Run your virus scanner to get rid of malware. If you have an anti-virus suite already installed that's great.
    - Use AVG.
    3. Download a spyware detection program.
    4. Check out Windows Defender for free. The Microsoft website offers real-time protection against all types of malware. Download and scan for removal of spyware.
    5. Get Malicious Software Removal Tool free from the Microsoft website. This tool works with Windows 2000 and XP. It scans, discovers and removes many types of malware then runs in the background for future detection.

    Read more at portugues.200sharewarelinks.com
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2011
    Location
    Brisbane Australia
    Posts
    14
    Rep Power
    0
    Yes I had a similar one it disables everything so you cannot shut it down.

    Reboot and as soon as windows starts up as soon as desktop appears hit CTRL+ALT+DEL (before everything is loaded).

    This will give you task manager a chance to start up as it seems to take priority over installed programs.

    Which is what the .exe would be running as.

    Then kill it and delete the .exe

    I have XP.

IMN logo majestic logo threadwatch logo seochat tools logo