win32 cutwail removal

Post #1, majestic0110, Aug 12th, 2009
Hi all, I hope you are well. I am trying to remove the Trojan "win32 cutwail.j" from a friend's computer; the first step I have taken was to scan with Spybot S&D, which removed some malware. I believe that the payload is still prevalent in the system though. Here is an HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:11, on 12/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Phil\Desktop\windows-kb890830-v2.13.exe
c:\c79ed52ccac1b6de22095e4b332dbb53\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ecollege.ie/site/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-736535237-3451093729-2193730098-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9716 bytes

I would be very grateful if anyone might advise me on what to do next. Many thanks.
Computers are man's attempt at designing a cat: It does whatever it wants, whenever it wants, and rarely ever at the right time.
Post #2, jholland1964 (Moderator), Aug 12th, 2009
I note several things immediately in the HJT log.
#1. SpyBot TeaTimer is running. This needs to be disabled as it WILL interfere with any fixes done.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

#2. Now this "may" be taken care of by the above restart, but MBA-M was set to run at Start Up, meaning the program evidently has been run but required a restart to fully remove whatever was found. This would have been noted in the log, which you did not post by the way. It would have said Quarantine or Delete on restart or something similar. Meaning it couldn't clean without restarting the computer.

The reason for this would be that the infected file was probably in use AND set to start after the computer boots up. When MBA-M must complete a removal with a restart what will happen when the computer is restarted is MBA-M will Remove the infected files BEFORE they can begin to run. So this should be a rule to follow with EVERY MBA-M scan, unless the scan is clean, just always reboot the computer after the scan, even if the log doesn't say to do it. This will get you in the habit of doing so and therefore you can be assured the program cleaned what needed to be cleaned.
Please do the above and post back with that MBA-M log and a new HJT log done AFTER the reboot.
Last edited by jholland1964; Aug 12th, 2009 at 12:09 pm.
Post #3, majestic0110, Aug 12th, 2009
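As an added illustration (this is not code from the thread, from HijackThis or from Malwarebytes), here is a small Python script that applies the two observations jholland1964 makes above to an HJT log: it flags a resident Spybot TeaTimer, which will interfere with fixes, and any O4 RunOnce entries left by a cleaner, which mean a removal was deferred until the next reboot. It also flags O2/O3 registrations that end in "(no file)"; treating those as orphaned leftovers is this example's own heuristic, not something the thread states. The sample log is a constructed subset of lines copied from the log posted in #1.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied verbatim from the HJT log in post #1.
SAMPLE_HJT_LOG = [
    "Running processes:",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    "",
    "O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    "O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent",
    r'''O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript''',
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
]

# An HJT entry line looks like "O4 - HKLM\..\Run: [name] command" or "R1 - HKLM\...".
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    severity: str  # "review" = act before continuing, "info" = worth knowing
    line: str
    reason: str


def parse_entries(lines):
    """Split an HJT log into the running-process list and the section entries."""
    processes, entries = [], []
    in_processes = False
    for raw in lines:
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = HJT_ENTRY.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return processes, entries


def review_log(lines):
    """Return the findings a helper would raise before asking for a rescan."""
    processes, entries = parse_entries(lines)
    findings = []
    # 1. Resident TeaTimer will block or silently undo registry fixes.
    for p in processes:
        if p.lower().endswith("\\teatimer.exe"):
            findings.append(Finding("review", p, "Spybot TeaTimer is resident; disable it before applying fixes"))
    for section, body in entries:
        entry = f"{section} - {body}"
        if section == "O4" and "teatimer.exe" in body.lower():
            findings.append(Finding("review", entry, "TeaTimer is set to start at logon; it will come back after reboot"))
        # 2. A RunOnce entry for a cleaner means a removal is waiting for the next reboot.
        if section == "O4" and "\\RunOnce:" in body:
            findings.append(Finding("info", entry, "pending RunOnce action; reboot, then rescan and post a fresh log"))
        # 3. Heuristic (not from the thread): a BHO/toolbar whose file is gone is an orphaned registration.
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding("info", entry, "registration points at a missing file (orphaned entry)"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick triage line."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_log(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(count_by_severity(results))
```

Run against the sample it reports two "review" items (the TeaTimer process and its HKCU Run entry) and four "info" items (the two Malwarebytes RunOnce entries and the two "(no file)" registrations), which is exactly the state jholland1964 describes: a resident TeaTimer plus a cleanup that still needs a reboot to complete.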
Hi there jholland1964, thank you very much for the reply. I did not realise that TeaTimer would interfere with any scans; that is useful information! I shall restart, rescan and repost (the 3 "R's"!). P.S. I apologise for omitting the MBA-M log and will post a new log after the 3 "R's"! Thanks again.
Post #4, jholland1964 (Moderator), Aug 12th, 2009
Good deal. To clarify the TeaTimer: what it can do is interfere with actual fixes done, especially if there is a registry key involved.
What it is "supposed to do" is give you a notification of registry changes which are going to be made and give you the option of saying no or yes. But with the number of infections found when TeaTimer is definitely running in the background all the time, it obviously falls short on this. Of course some people may have received a warning before some sort of infection makes a registry change or addition, but I sincerely doubt that ALL people would say OK.
Plus when fixes are being attempted using other programs TeaTimer has been known to block these legitimate changes needed and NOT do any notification.
The Spybot scanner is excellent and will remove many infections and a lot of malware but the TeaTimer portion leaves a lot to be desired.
I will wait for your scan logs.
Judy
Post #5, majestic0110, Aug 12th, 2009
OK, I performed a restart, but now I am getting a BSOD upon starting Windows normally or even with Safe Mode with Networking. I am, however, able to get pure Safe Mode up, so I have done so and am now scanning using MBA-M. Looking quite nasty though... the BSOD is so fast I cannot read it, and then the laptop shuts down immediately...
Last edited by majestic0110; Aug 12th, 2009 at 2:13 pm.
Post #6, jholland1964 (Moderator), Aug 12th, 2009
Do what you can and then we can figure out where to go from there.
Also post that first MBA-M log when you do. That can be found within the program under Logs tab.
Last edited by jholland1964; Aug 12th, 2009 at 2:24 pm.
Post #7, majestic0110, Aug 12th, 2009
Ok, thanks a lot JHolland1964, nasty piece of kit this one! Who writes these things!
Post #8, jholland1964 (Moderator), Aug 12th, 2009
Originally Posted by majestic0110:
Ok, thanks a lot JHolland1964, nasty piece of kit this one! Who writes these things!
Creeps who take joy in hurting those they don't know!
Post #9, majestic0110, Aug 12th, 2009
The fools... I really appreciate the help you are offering here. MBA-M is still scanning; it might take another half hour or so, but I will try and post the log if I can get access to Windows or even Safe Mode with Networking. I am using my PC to post this message, but I am loath to put a USB stick into the infected PC to obtain the log for upload for fear of infecting my PC (if you know what I mean).
Last edited by majestic0110; Aug 12th, 2009 at 2:56 pm.
Post #10, majestic0110, Aug 12th, 2009
OK, MBA-M has finished; it picked up only 1 trojan: C:\windows\system32\1.tmp (Trojan.agent).
This was quarantined and deleted. I followed the instructions from MBA-M and restarted straight away. Unfortunately, still no access to Windows or Windows Safe Mode with Networking... Hmmm. The BSOD is still popping up. Is there any way that I can find out what it says? I tried photographing it with a digital camera (lol) but it disappears too fast! What should I do next?
Last edited by majestic0110; Aug 12th, 2009 at 4:04 pm.
Views: 4279 | Replies: 36