Need Help: HJT Log

Discussion in 'Malware Help (A Specialist Will Reply)' started by goathead, Dec 23, 2005.

  1. goathead

    goathead Private E-2

    I've been getting popups with "Security Center has detected spyware on your PC sending private information and documents to remote computer. One of processes (Win32res.exe) has just sent this information..." Also had my homepage replaced by a microsoft security update page.

    So far I've run: Ad-Aware, spybot, cw-shredder, Microsoft anti-spyware, microsoft malicious software removal, and fixvundoo.exe. Apart from a bunch of tracking cookies, cw-shredder did find and remove an entry, and fixvundoo as well, and then I was able to get my homepage back. But this doesn't appear to have solved everything, I just saw the popup again telling me "Security Center...." My current hjt logs are:

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: Dec 24, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. goathead

    goathead Private E-2

    OK, thanks & sorry for the inline post. I've run ewido and hjt again and included the logs.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\awvts.dll
    • Press Enter to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\stvwa.*

    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\awvts.dll
    O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll

    • After you have fixed these items, close HijackThis.
    • Press enter to exit the program then manually reboot your computer.
    Once your machine reboots please attach a fresh HJT log from normal mode.
     
  5. goathead

    goathead Private E-2

    OK, I went through & ran killvundo.bat here's a fresh hjt log.

    Thanks!
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything?
     
  7. goathead

    goathead Private E-2

    Not sure where it went, here's a fresh logfile.

    Thanks, G
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.
    After you complete the above, attach the log from the Panda Scan listed in the READ ME with a fresh HJT log.
     
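    The hosts-file reset in the post above is a blind overwrite; the check below, an added example in Python that is not HOSTER's code, shows what a practitioner would look at before and after it: every mapping other than the stock localhost line is listed with the reason it is out of place, and the stock content a "Restore Original Hosts" reset writes back is produced. The sample hosts text is constructed; its two non-localhost lines are assumed hijacker additions, not entries from this thread's logs, and the Windows XP default of a single localhost line is assumed.

```python
"""Inspect a Windows hosts file for non-default mappings and produce the stock file.

Added example (not HOSTER's code). SAMPLE_HOSTS is constructed; the two lines after
localhost are assumed hijacker additions, not entries taken from the thread's logs.
"""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com  # constructed: a security site sinkholed to loopback
203.0.113.5     www.google.com    # constructed: a search site pinned to a fixed address
"""

# Names that legitimately map to a loopback address (assumed set for this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# The only mapping a stock Windows XP hosts file carries (comments aside), CRLF-terminated.
DEFAULT_HOSTS = "127.0.0.1       localhost\r\n"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank or unparsable lines are dropped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                # first token is not an address
        for host in parts[1:]:                      # one address may carry several names
            entries.append((str(ip), host.lower()))
    return entries


def suspicious_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag every mapping that is not the stock localhost line, with a reason.

    A deliberately installed ad-blocking hosts file is flagged too: the check is for
    'differs from default', which is exactly what a restore-original reset undoes.
    """
    flagged: List[Tuple[str, str, str]] = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        sinkhole = addr.is_loopback or addr.is_unspecified   # 127.x or 0.0.0.0
        if host in LOCAL_NAMES:
            if not addr.is_loopback:
                flagged.append((ip, host, "local name mapped to a non-loopback address"))
        elif sinkhole:
            flagged.append((ip, host, "domain sinkholed (blocks the site, e.g. AV updates)"))
        else:
            flagged.append((ip, host, "domain pinned to a fixed address (bypasses DNS)"))
    return flagged


if __name__ == "__main__":
    for ip, host, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{ip:<16}{host:<24}{why}")
    print("stock file:", repr(DEFAULT_HOSTS))
```

On a live XP machine the file is %SystemRoot%\system32\drivers\etc\hosts; read it with the script, review the flagged lines, and only then overwrite with the stock content, since a malware-edited hosts file can also be set read-only or hidden and the overwrite will fail silently if that is not cleared first.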
  9. goathead

    goathead Private E-2

    The Panda Scan was completely clean, here's a fresh hjt log.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

    O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\awvts.dll (file missing)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    After you complete the above, please reboot and follow the below...

    I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete this entire fix, reboot and let me know how things are running.
     
  11. goathead

    goathead Private E-2

    Excellent, thanks! Did everything you recommended and it seems to have gone smoothly, all the points you mention are gone from my hjt log. At this point I'm not seeing any signs of infection, except that when I run Spy Sweeper it still says that it detects virtumonde & cws.

    But, I haven't seen any other indications of the original problem...

    Thanks again for all your help,

    G
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have the trial version of SS? Can you fix the found infections with SS? If you can't clean the infections from SS, attach the log.
     
  13. goathead

    goathead Private E-2

    No, I don't have an SS subscription, so it won't fix or export a report...

    But it is pointing to about 10 registry entries like:

    HKCR\atldistrib.atldistrib.1\ (3 subtraces)

    for virtumonde. I can see that the entries it is flagging do exist in the registry.

    for cws it is pointing to:

    HKEY_USERS\S-1-5-21-317487321-1334508255-1553254559-501\Software\Microsoft\Windows\CurrentVersion\Run

    CWShredder isn't reporting any infection, so I'm not sure what to do about this. I haven't downloaded the virtumonde fix tool yet, but the entries I found on the Symantec site for virtumonde didn't exist in my registry.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the log from SS, it will not allow you to fix it but it will give you a log.
     
  15. goathead

    goathead Private E-2

    It looks to me like they've updated spysweeper and that it no longer allows this, if I look at your screen shot on the SpySweeper page, the current version of SS no longer has the Next button. When it is completed running the only option that seems active is to subscribe, "To view sweep results, you must be an active Spy Sweeper subscriber. Click Subscribe to upgrade your protection."
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click on "Results" and Session log, copy this to notepad and save it.
     
  17. goathead

    goathead Private E-2

    ok, maybe I'm just being dense about this, but I still don't see a log button in SS. I've attached a copy of what SS did have in the results screen (ss.jpg) and what it listed under removal (ss2.jpg), feel free to remove these attachments if they aren't of any use, but I'm hoping they'll let you figure out if SS has removed the log fn or if I'm just missing it.

    FYI I did run the virtumonde removal tool from Symantec & it found no infection.
     

    Attached Files: SS.txt, ss.jpg, ss2.jpg
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter quicktime task and post back with the results in this thread (call it regsrch.txt).
     
    Last edited: Jan 2, 2006
  19. goathead

    goathead Private E-2

    Here's the result of the regsrch script. I noticed that it didn't pull out all of the matching entries that SS flagged (ie HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 doesn't show up in its list but is definitely in my registry).
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and see if still detects it.
     
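    The two tools in the last few posts, the RegSrch search script and the hand-written fix.reg, are both reproduced here as one added Python example; it is not the RegSrch script and not the fix.reg from the quote box, which this page does not carry. It works offline on the text of a regedit 5.00 export (the kind `reg export HKCR hkcr.reg` produces), searches key paths, value names and value data for a term the way RegSrch reports hits, and then emits the .reg syntax that deletes them: `[-KEY]` removes a key with all its subkeys, while `"name"=-` under a plain `[KEY]` removes only that value and keeps the key. The key paths and value names in the sample export come from this thread; the value data are assumed for illustration.

```python
"""Search a Registry export for a term and write a deletion .reg file.

Added example (not the RegSrch script or any fix.reg posted in the thread). It runs
on the text of a regedit 5.00 export, so nothing here touches the live Registry.
"""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]     # key path -> {value name -> raw data}
Hit = Tuple[str, Optional[str]]          # (key path, value name, or None for a key-name hit)

# Constructed sample export: key paths and value names are the thread's, data is assumed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-317487321-1334508255-1553254559-1010\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1]
@="ATLDistrib Object"

[HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1\CLSID]
@="{93C6313C-9DB4-4694-8BD0-E378C573A9AD}"
"""

RUN_KEY = (r"HKEY_USERS\S-1-5-21-317487321-1334508255-1553254559-1010"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
ATL_KEY = r"HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1"

# "name"=data or @=data; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse .reg text into {key: {value name: raw data}}; '@' is the default value."""
    tree: RegTree = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if line.endswith("\\"):              # hex(...) data continued on the next line
            pending = line[:-1]
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        tree[current][name] = m.group(3)
    return tree


def search(tree: RegTree, needle: str) -> List[Hit]:
    """Case-insensitive match on key paths, value names and value data."""
    n = needle.lower()
    hits: List[Hit] = []
    for key, values in tree.items():
        if n in key.lower():
            hits.append((key, None))
        for name, data in values.items():
            if n in name.lower() or n in data.lower():
                hits.append((key, name))
    return hits


def build_fix_reg(hits: List[Hit]) -> str:
    """Emit .reg text: [-KEY] deletes a key and its subkeys; "name"=- deletes one value."""
    keys = {key for key, name in hits if name is None}
    # A subkey of a key that is already being deleted goes away with its parent.
    keys = {k for k in keys if not any(k.startswith(p + "\\") for p in keys if p != k)}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(keys):
        lines += [f"[-{key}]", ""]
    for key, name in hits:
        if name is None or any(key == p or key.startswith(p + "\\") for p in keys):
            continue                          # value lives in a key that is deleted whole
        lines += [f"[{key}]", "@=-" if name == "@" else f'"{name}"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    tree = parse_reg_export(SAMPLE_EXPORT)
    for term in ("quicktime task", "ATLDistrib"):
        found = search(tree, term)
        print(f"--- {term}: {len(found)} hit(s)")
        print(build_fix_reg(found))
```

Searching the sample for `ATLDistrib` hits the class key, its default value and its CLSID subkey, and the generated file collapses all three into a single `[-HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1]` line; searching for `quicktime task` yields only the one Run value, so the file keeps the Run key and deletes just that value. That is the distinction behind the question in the next post about entries with and without the leading minus.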
  21. goathead

    goathead Private E-2

    That reduced the # of entries that SS is finding, it is now down to 8 from I think 14. Did you mean to leave the (-) off of some of the entries in the quoted text? I noticed that 4 of the entries didn't have it, they are still being identified by SS (& found by regsrch). There are also still 3 HKCR traces that SS is finding that regsrch missed.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, it's like it should be....

    Run Regsrch again and enter ATLDistrib and post back with the results in this thread (call it regsrch1.txt).
     
  23. goathead

    goathead Private E-2

    OK, here you go...
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and let me know then if it's still being detected.
     
  25. goathead

    goathead Private E-2

    Worked like a charm, regsearch isn't finding it anymore, and SS isn't reporting the virtumonde infection any more. Many thanks!

    The only thing that SS is still flagging as high risk is one reg entry for cws, any recommendation as to whether to worry about that (I'm not seeing any signs of cws & shredder isn't either).
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's probably nothing, can you tell what SS is detecting?
     
  27. goathead

    goathead Private E-2

    It is flagging:

    HKU\WRSS_Profile_S-1-5-21-317487321-1334508255-1553254559-501\software\microsoft\windows\currentversion\run\|| quicktime task

    When I had the initial problem I ran cwshredder & it did find something in one account & cleaned it.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Download the attached GetRunKey117.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also popup in a notepad window which you can just close. Upload the runkeys.txt file here as an attachment.
     

    Attached Files:

  29. goathead

    goathead Private E-2

    The regedit didn't work, I can't actually find the entry that SS is flagging in the registry, there is a similar one ending in 1010 instead of 501 (HKEY_USERS\S-1-5-21-317487321-1334508255-1553254559-1010\...). I did run getrunkey, here is the output log.
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run RegSrch.zip again.

    Enter quicktime task and post back with the results in this thread (call it regsrch.txt).
     
  31. goathead

    goathead Private E-2

    Thanks, here it is.
     

    Attached Files:

  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, see if it's still being detected.
     
  33. goathead

    goathead Private E-2

    The Good: This did remove all instances that regsrch was finding.

    The Bad: SS still reported the same reg entry that I can't find, and at some point a few minutes later after rebooting I re-ran regsrch and it found a new quicktime task entry (see log attached). I removed it the same way as the others, just changing 1010 to 1011 in your fix.reg to match the new entry, and regsrch isn't currently finding any (I tried restarting, logging into different accounts but nothing new seems to be popping up) but SS still does...
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_USERS\S-1-5-21-317487321-1334508255-1553254559-1011\Software\Microsoft\Windows\ShellNoRoam\MUICache

    Right click on C:\\Program Files\\QuickTime\\qttask.exe and select Permissions. Click on EVERYONE and check the box "Full Control", Click OK to exit.

    Then right click on "C:\\Program Files\\QuickTime\\qttask.exe" and select delete. After you complete this, reboot and see if SS still detects it.
     
  35. goathead

    goathead Private E-2

    When I went into the registry, "C:\\Program Files\\QuickTime\\qttask.exe " didn't exist. I assume this is because I modified your regedit previously to remove...??? Anyways, I was able to delete the qttask.exe, but still SS is reporting the cws entry.
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, I don't think this is a threat. I'm not sure exactly what SS is detecting but I wouldn't worry about this one entry to be honest.

    The only way SS is going to remove what it finds is to buy it, since they have changed things I'm not sure if this is a way to force people to buy their product or if it's a legit entry.
     
  37. goathead

    goathead Private E-2

    OK, thanks again for all of your help!
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

