
· Registered
Discussion Starter · #1 ·
First of all, thank you so much for attempting to help me out with this! You guys are awesome for even going up against such a massive group of computer dummies!

Well, I have tried a lot of things to get rid of this malware. Skip to the bottom for the HijackThis log, or read on for a little background...

I used my flash drive at school, and when I used it at home, I noticed that the usual grey hard disk icon next to it was now a folder icon. Then I noticed several shortcuts (My Pictures, My Videos, My Music, My Documents...) in the root folder of the flash drive, as well as some foreign and strangely named files (one was a .exe). Yes, I double-clicked one of the shortcuts :(
Those shortcuts and files reappeared after I deleted them. The next morning, I woke up my monitor to find that I had been infected with a few things. There were "Antivirus 2009" programs installed and other crap. Malwarebytes would not initiate. A reinstall did not help. I booted from backup and then connected the original system drive to be scanned. Malwarebytes found 60-some objects and removed them.
Upon booting from the original system drive again, I found that the problem was not eradicated. It reproduced. I installed and used CCleaner, then avast!. avast! scheduled a scan for the next boot. It ran right before the Windows desktop loaded. I deleted several files throughout the scan.
At this point, many symptoms were gone. I thought I had it. Malwarebytes was back in working order (after a reinstall). I scanned the entire system with Malwarebytes and avast!, and used CCleaner repeatedly. The one file that seemed to be responsible was:


I still had a folder icon next to the flash drive, as well as next to the D drive (just an extra storage drive). After googling this, I "showed protected OS files and folders" and deleted autorun.inf from the D drive and the flash drive. The folder icons are now gone. Oh, by the way, after successfully removing diefioj.exe but before deleting autorun.inf, double-clicking on D: from My Computer resulted in a dialog box: "Cannot find diefioj.exe. Please make sure the path and filename are correct." or something to that effect...
In order to access the D drive, I had to type it into the address bar.

One other little problem I noticed was that the firefly.exe process (for my PC remote control) hogged 99% of the CPU and made everything sluggish, so I removed it from startup using msconfig. I'm sure a reinstall will make it fine, but it never used to do that, and it seemed to be caused by the trojan/worm.

OK, so, all problems are gone now (I think) EXCEPT:
If I search in Google and click one of the resulting links, I get redirected to dodgy sites such as illegitimate search engines, career finders, ***** enlargement, etc.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:58 AM, on 11/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Jared\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Jared\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Total Memories] "C:\Program Files\Total Memories\Synchronize Servers.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jared\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O20 - AppInit_DLLs: icfccl.dll c:\windows\system32\yimasene.dll,zubudodi.dll
O21 - SSODL: hovuzarof - {3d4aeaee-b9b9-4852-b97d-31646ad4be6d} - (no file)
O22 - SharedTaskScheduler: jugezatag - {3d4aeaee-b9b9-4852-b97d-31646ad4be6d} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\AstSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9af5d64279aca) (gupdate1c9af5d64279aca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

End of file - 5414 bytes
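
An added triage example, not from the original post or the forum: a small Python script that scans HijackThis-format lines for the patterns that stand out in the log above, namely AppInit_DLLs entries (O20), shell hooks registered with "(no file)" (O21/O22), and one CLSID reused across several hook locations. The sample lines are constructed from the log above (with two benign lines as controls); which patterns to flag is this example's own assumption, not a rule from HijackThis or the forum.

```python
import re

# Constructed sample in HijackThis format, taken from the entries of interest in
# the log above (the O4 and O23 avast! lines are included as benign controls).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: icfccl.dll c:\windows\system32\yimasene.dll,zubudodi.dll
O21 - SSODL: hovuzarof - {3d4aeaee-b9b9-4852-b97d-31646ad4be6d} - (no file)
O22 - SharedTaskScheduler: jugezatag - {3d4aeaee-b9b9-4852-b97d-31646ad4be6d} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def triage(log_text):
    """Return (section, reason, value) findings for the suspicious patterns."""
    findings = []
    clsid_sections = {}  # CLSID -> set of sections that register it
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            # Legitimate software almost never uses it, so each entry is reported.
            for dll in filter(None, re.split(r"[ ,]+", body.split(":", 1)[1])):
                findings.append((section, "AppInit_DLLs entry", dll))
        elif section in ("O21", "O22"):
            # SSODL / SharedTaskScheduler hooks run when Explorer starts. "(no file)"
            # means the DLL is gone but its registration was left behind.
            if "(no file)" in body:
                findings.append((section, "shell hook with missing DLL", body))
            cm = CLSID_RE.search(body)
            if cm:
                clsid_sections.setdefault(cm.group(0).lower(), set()).add(section)
    for clsid, sections in sorted(clsid_sections.items()):
        if len(sections) > 1:
            findings.append(("O21/O22", "same CLSID in several hook locations", clsid))
    return findings


if __name__ == "__main__":
    for section, reason, value in triage(SAMPLE_LOG):
        print(f"{section:8} {reason}: {value}")
```

Run against the full log in the post, the script reports the three AppInit DLLs, both stale shell hooks and the shared CLSID, while the avast!, NVIDIA and Google entries produce nothing.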

· TSF-Emeritus
Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.