Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Post #1 - Sep 21 2006, 10:09 PM
New Member (Group: Members, Posts: 3, Joined: 21-September 06, Member No.: 86,458)
Advertisements constantly pop up once I try to launch IE, and once in a while a popup would occur when I was doing nothing. I have read other threads on this forum about this issue, but I was not sure of the solution. I have run Adaware SE Personal, SpyBot and Norton, all updated and such. Any help would be greatly appreciated. Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 4:52:20 PM, on 9/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\ismini.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\COMMON~1\oofq\oofqa.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\wisptis.exe
C:\Utils\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINNT\System32\shdocvw.dll (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\lv8q09l5e.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Post #2 - Sep 22 2006, 10:04 AM
Forum Addict (Group: HJT Team, Posts: 10,603, Joined: 28-October 05, From: London, Member No.: 38,920)
Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above. A print-out of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.

1. Download AboutBuster. Unzip AboutBuster. Read here how to unzip/extract properly: http://metallica.geekstogo.com/xpcompressedexplanation.html
Don't run it yet.

2. Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode. Make sure you choose the option without networking support.

3. Start AboutBuster and let it scan. The log will be saved in the AboutBuster folder. If you get any error using AboutBuster, it's important you let me know afterwards in your next reply. So skip this step in case of error and proceed with the next step of this fix.

4. Reboot back to safe mode now.

5. Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1, and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

6. Please download Combofix to your desktop. Double-click combo.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log. Also post the SmitfraudFix log.

David
Post #3 - Sep 22 2006, 02:38 PM
New Member (Group: Members, Posts: 3, Joined: 21-September 06, Member No.: 86,458)
David,
This is the first time I posted anything on this forum. I appreciate your effort. The instructions you supplied me seemed to have worked. Before I continue on, let me explain what I did prior to following your suggestions. My boss was able to find a workaround for the IE behaviors. Disabling the "Enable Third-Party Browser Extensions" in the Advanced tab of Internet Options got rid of the virus utility ads. However, uncertain of any side effects this would cause, I decided to follow your instructions.

AboutBuster: Nothing found, so I won't post any logs.
SmitfraudFix: Files were detected. The full log is at the bottom.
Combofix: Fixed the infected files found via SmitfraudFix. Again, full log below.

Both icons in the task tray were gone before running AboutBuster, SmitfraudFix, and Combofix; however, the Trojan-Win32@mx popup happened once in a while, and when starting Adobe Acrobat, pop-ups started to happen. Again, this is before running the programs above. During this whole time the "Enable Third Party Browser Extensions" was disabled, but after running the fixes you suggested and a reboot, the popups went away. The real test was when I re-enabled the "Enable Third Party Browser Extensions" and restarted. Upon a reboot, everything looked good. If you don't mind, could you please take a look at the Hijackthis.log anyway to be sure there are no more traces. Hope you don't mind my dividers. Thought they would help. Thanks again, David.

(Hijackthis Log Posted Below)

====================HIJACKTHIS START=====================================
Logfile of HijackThis v1.99.1
Scan saved at 8:47:17 AM, on 9/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adaptec\SMBE\afaagent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Adaptec\SMBE\iomgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Adaptec\SMBE\arcpd.exe
C:\Program Files\Adaptec\SMBE\notify.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cscript.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\oofq\oofqa.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\locator.exe
C:\Novell\GroupWise\Grpwise.exe
C:\Utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.98.19.201/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINNT\System32\shdocvw.dll (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B6D74F9-FCC2-48A4-89EB-622E3F2D7511}: NameServer = 64.65.64.65,64.65.64.1
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll (file missing)
O23 - Service: Adaptec RAID Remote Services Agent (AAC_AGENT) - Adaptec, Inc. - C:\Program Files\Adaptec\SMBE\afaagent.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Adaptec Web Server (ARCPD) - Unknown owner - C:\Program Files\Adaptec\SMBE\arcpd.exe
O23 - Service: Adaptec Storage Manager Notifier (ASMBENotify) - Unknown owner - C:\Program Files\Adaptec\SMBE\notify.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adaptec I/O Manager Server (IOManager) - Unknown owner - C:\Program Files\Adaptec\SMBE\iomgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=====================HIJACKTHIS DONE====================================

===================SmitFraudFix Start=======================================
SmitFraudFix v2.98

Scan done at 8:33:49.67, Fri 09/22/2006
Run from C:\Utils\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\ismini.exe FOUND !
C:\WINNT\system32\isnotify.exe FOUND !
C:\WINNT\system32\issearch.exe FOUND !
C:\WINNT\system32\ixt?.dll FOUND !
C:\WINNT\system32\ixt??.dll FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\components\flx?.dll FOUND !
C:\WINNT\system32\components\flx??.dll FOUND !
C:\WINNT\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\sqlo.dll"

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
========================SmitFraudFix END================================

========================ComboFix START================================
Administrator - Fri 09/22/2006 8:35:36.26 Service Pack 4
ComboFix 06.09.23 - Running from: "C:\Utils"
Command switches used ::

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{C937E5E7-B3E0-4EAA-840F-81B675B2B6BD}\InprocServer32]
"ThreadingModel"="Apartment"
@="C:\\WINNT\\system32\\guard.tmp"
[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{0EFB25D4-A4AF-4897-8DC6-F7AC7D951A6A}\InprocServer32]
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{1294975B-69B5-4093-9E76-70BFE168BEB5}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Granting sedebugprivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\ismini.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\system32\tsuninst.exe
C:\WINNT\system32\ixt0.dll
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Inetget2
C:\Program Files\Safety Bar
C:\WINNT\system32\components

((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))

2006-09-21 12:01 173,536 --a------ C:\WINNT\system32\wuweb.dll
2006-09-20 14:45 94,208 --a------ C:\WINNT\system32\uhvjsul.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-21 16:49 -------- d-------- C:\Program Files\Common Files\oofq
2006-09-21 16:12 -------- d-------- C:\Program Files\NetMeeting
2006-09-21 16:05 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 15:31 -------- d-------- C:\Program Files\Google
2006-09-21 15:31 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Google
2006-09-21 14:36 -------- d-------- C:\Program Files\Lavasoft
2006-09-21 14:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-09-21 11:55 -------- d-a------ C:\Program Files\Common Files
2006-09-20 17:01 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-20 14:52 -------- d-------- C:\Program Files\Symantec
2006-09-15 22:52 91904 --a------ C:\WINNT\system32\S32EVNT1.DLL
2006-09-15 22:52 124016 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2006-09-06 16:14 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2006-08-01 07:32 -------- d-------- C:\Program Files\Norton AntiVirus
2006-07-16 21:20 116776 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"oofq"="C:\\PROGRA~1\\COMMON~1\\oofq\\oofqm.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"NWTRAY"="NWTRAY.EXE"
"GoToMyPC"="C:\\Program Files\\Expertcity\\GoToMyPC\\g2svc.exe -logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c4,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"CompatibleRUPSecurity"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="ctfmon.exe"
"Cahh"="C:\\Documents and Settings\\Administrator\\Application Data\\rsth.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"VVSN"="C:\\Program Files\\VVSN\\VVSN.exe"
"ist service uninstall"="C:\\WINNT\\system32\\services\\coolers.exe /u"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060921-165136-718
O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)

Completion time: Fri 2006-09-22 8:39:52.95
ComboFix.txt
=======================ComboFix END=====================================
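Editor's note on the two HijackThis logs above (post #1 before the fix, post #3 after SmitfraudFix option #1 and ComboFix): the difference between them is the kind of thing the HJT Team reads off by eye, but it is worth seeing it done mechanically. The following Python script is an added example and is not code from this thread, from BleepingComputer, or from HijackThis, SmitfraudFix or ComboFix. It parses the R*/O* entry lines, flags the entries a helper looks at first (anything marked "(file missing)", an unnamed BHO, a load path under a Temp directory, and the O20/O21 load points that run at logon), and diffs the two logs to show which entries disappeared and which only turned into orphaned registry references that still need cleaning. The heuristics and function names are the editor's own; the sample logs are trimmed copies of the two logs posted above.

```python
"""HijackThis v1.99 log triage and before/after diff (added example, not thread code)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# HijackThis entry lines look like "O2 - BHO: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Load points a helper reads first: code listed here runs at logon or inside
# other processes, so an unknown DLL there deserves a close look.
PRIVILEGED = {
    "O20": "Winlogon Notify / AppInit_DLLs: loaded at logon or into every process",
    "O21": "ShellServiceObjectDelayLoad: loaded into Explorer at logon",
}

# Sample input, trimmed from the log in post #1 (before the fix) ...
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:52:20 PM, on 9/21/2006
Running processes:
C:\WINNT\system32\ishost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\lv8q09l5e.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# ... and from the log in post #3 (after SmitfraudFix option #1 and ComboFix).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:47:17 AM, on 9/22/2006
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.98.19.201/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKCU\..\Run: [oofq] C:\PROGRA~1\COMMON~1\oofq\oofqm.exe
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\system32\urroxtl.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


def parse_hjt(text):
    """Return the R*/F*/O* entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries):
    """Return [(entry, [reason, ...])] for the entries worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("orphaned: registry still points at a file that is gone")
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        if re.search(r"\\Temp\\", e.body, re.IGNORECASE):
            reasons.append("loads from a Temp directory")
        if e.section in PRIVILEGED:
            reasons.append(PRIVILEGED[e.section])
        if reasons:
            findings.append((e, reasons))
    return findings


def _key(e):
    # Identify an entry independently of whether its file still exists on disk.
    return f"{e.section} - {e.body.replace(' (file missing)', '')}"


def diff_logs(before_text, after_text):
    """Compare two logs: entries removed, entries added, entries that became orphans."""
    before = {_key(e): e.body for e in parse_hjt(before_text)}
    after = {_key(e): e.body for e in parse_hjt(after_text)}
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    orphaned = sorted(
        k for k in before
        if k in after
        and "(file missing)" in after[k]
        and "(file missing)" not in before[k]
    )
    return {"removed": removed, "added": added, "orphaned": orphaned}


if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label}: flagged entries ==")
        for entry, reasons in triage(parse_hjt(text)):
            print(f"{entry.section} - {entry.body}\n    {'; '.join(reasons)}")
    print("== diff ==")
    for kind, keys in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for k in keys:
            print(f"{kind}: {k}")
```

Run it as-is to see the three orphaned entries (the unnamed BHO, the Google Toolbar BHO and the O21 SSODL entry) that ComboFix's file deletions left behind in the registry, which is exactly why David asks for a second SmitfraudFix pass with registry cleaning in the next post. The "(file missing)" flag is deliberately not treated as proof of malware: the Google Toolbar BHO trips it too, so the output is a worklist for a human, not a verdict.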
Post #4 - Sep 22 2006, 02:50 PM
Forum Addict (Group: HJT Team, Posts: 10,603, Joined: 28-October 05, From: London, Member No.: 38,920)
Hey there, and you are welcome for the help thus far.
I've seen the logs and we still have quite a bit to do; you still have malware on your system. My plan is to remove the larger infections first with the specific tools that we can use, then rescan afterwards for leftover infected files on your computer. Let's continue...

It is a good idea to print off these instructions: this will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found, for the same reasons as above. A print-out of the instructions would be a good reference to make sure you don't get lost. Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out! If you have any queries about the process or just general questions, just ask.

1. Now reboot into Safe Mode. This can be done by tapping the F8 key as soon as you start your computer. You will be brought to a menu where you can choose to boot into safe mode. Make sure you choose the option without networking support.

2. Once in Safe Mode, open the SmitfraudFix folder again. Double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

4. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Also post a new Hijackthis log.

David
Post #5 - Sep 22 2006, 09:10 PM
New Member (Group: Members, Posts: 3, Joined: 21-September 06, Member No.: 86,458)
This reply is late. My apologies. I was surprised to see such a fast response earlier today. Looks like there are other features of the tools that I needed to use. Apparently you saw other clues of malware. Unfortunately, I do not currently have access to the computer. Therefore, I will have to run those programs again on another day.
I am not sure what your protocol is; however, I would like to either keep this topic open, or have it closed and then reopened again, unless you suspect a high threat level. I will let you decide. It is the availability of the computer in question. Again, thanks for helping out.
Post #6 - Sep 23 2006, 12:20 PM
Forum Addict (Group: HJT Team, Posts: 10,603, Joined: 28-October 05, From: London, Member No.: 38,920)
I will make a note to keep this thread open a while longer, don't worry.
If it does end up being closed you may PM me, and I will open it for you.