Scanning Message 1 Of 1 Problem...


20 replies to this topic

#1 the_chattering_sound (Members)

Posted 20 August 2007 - 03:30 PM

Hello all,
I'm having a problem with Symantec popping up these "Scanning message 1 of 1" messages.
Once it covered my entire monitor and I had to kill it with TaskMan.
Normally, I'm just getting one popup fairly randomly throughout the day.
Anyway, I was hoping to get some pro advice on this, since from what I've read, this is a nasty thing.
Here's the log from HiJackThis and thanks for any help you can give!

.....................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:56 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RDS\RMClient\PMCTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Security Task Manager\taskman.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olemiss.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RDS\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RDS\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RDS\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.olemiss.edu/helpdesk/ENUClientPro.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4545B345-50F4-4327-A490-0BD817857333}: NameServer = 130.74.1.75,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{4545B345-50F4-4327-A490-0BD817857333}: NameServer = 130.74.1.75,0.0.0.0
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7162 bytes


#2 the_chattering_sound (Topic Starter)

Posted 21 August 2007 - 08:29 AM

This also seems to be deleting message rules in Outlook - from what I can tell anyway :thumbsup:
We've been able to determine where the emails it's sending are going as well as what they're saying.
Apparently, it's just sending test messages for the moment.

Edited by the_chattering_sound, 21 August 2007 - 08:33 AM.


#3 Blender (Malware Response Team)

Posted 30 August 2007 - 01:05 AM

Hi and welcome,

Sorry for delay.

If you still need help please post a fresh hijackthis log here.
Sounds like an email worm of some sort. Norton detecting any malware?

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#4 the_chattering_sound (Topic Starter)

Posted 30 August 2007 - 09:16 AM

Yes, I'm still having problems with this thing. Symantec, which I've updated numerous times since, doesn't pick up anything.
Spybot picks up nothing - basically most things I've used pick up nothing, but the emails are still being sent. The little pop ups appear pretty randomly throughout the day, sometimes back to back, and sometimes one every 5-10 mins or so.
So here's a fresh HiJackThis Log file.

Thanks!
___________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:31 AM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RDS\RMClient\PMCTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.olemiss.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar6.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RDS\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RDS\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RDS\RMClient\PMClient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.olemiss.edu/helpdesk/ENUClientPro.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} (UMediaPlayer Class) - http://www.umediaserver.net/bin/UMediaControl4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4545B345-50F4-4327-A490-0BD817857333}: NameServer = 130.74.1.75,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{4545B345-50F4-4327-A490-0BD817857333}: NameServer = 130.74.1.75,0.0.0.0
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7591 bytes

#5 Blender (Malware Response Team)

Posted 30 August 2007 - 10:13 AM

Hi,

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread

Thanks :thumbsup:

#6 the_chattering_sound (Topic Starter)

Posted 30 August 2007 - 10:16 AM

Ok, here's the log file, or at least what it popped up when it finished:

********************************* ROOTCHK-(22-08-07)-LOG, by ejvindh
Thu 08/30/2007 10:13:52.93

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 10:13:53
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden files: 0

#7 Blender (Malware Response Team)

Posted 31 August 2007 - 03:00 AM

hmmmmmm

Download Trend Micro's system Information Collector from here:

http://www.trendmicro.com/download/sic.asp

Save it to the desktop and unzip it.
Open Sic33_global folder and double click SICWin.exe
Read through the EULA page and click "I accept"
Click "Analyze"
Wait till it is done and click OK to see log. (no need to send them the log)
Save log someplace handy.
The log is quite large so don't try posting it here unless you can attach it to your post.

Please upload that log here:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Include the URL to this thread there so I know whose log it is.

Next:

Click start> run> type msconfig and hit enter.
Click the Boot.ini tab
Checkmark /bootlog
Hit Apply & close.
Go ahead and reboot when asked.

At restart you will get a warning about making changes to the way windows starts.
Just check the box that says "don't tell me this again" and OK.

locate this file and delete it:

C:\windows\ntbtlog.txt

Reboot

Post this file here (windows will create fresh one):

C:\Windows\ntbtlog.txt

Thanks :thumbsup:

#8 the_chattering_sound (Topic Starter)

Posted 31 August 2007 - 08:40 AM

Ok, I've uploaded the Trend Micro log to where you indicated.

Here's the ntbtlog (attached)...

Thank YOU.


#9 Blender (Malware Response Team)

Posted 31 August 2007 - 06:00 PM

Hi,

Thanks for the logs.
It will be a while while I look at the SIC log you uploaded. Those are looooooooooong.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\Windows\System32\Drivers\Changer.SYS
Click Send.
Please post the results of this scan to this thread.

Repeat with this one:

C:\Windows\System32\Drivers\Cdaudio.SYS

Also please locate those files and let me know date they were created/modified. (right click file> properties)
Normally legit files, but there have been a few incidents where they were not and were the cause of spam emails being sent.

Thanks :thumbsup:

#10 Blender (Malware Response Team)

Posted 31 August 2007 - 06:14 PM

Looking at log.....

I may pop in a couple times so keep checking here.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FCI
ImagePath = C:\WINDOWS\system32\svchost.exe:ext.exe

Start Hijackthis
Click "open misc tools section"
Click "open ADS Spy"
UNcheck "quick scan"
click "Scan"
Wait till scan is done.
Once finished, if any results click "save log"

Copy/paste the results here.
Don't let HJT remove anything yet. If it shows ADS streams I wanna try & capture a copy of it for AV vendors.
I would have thought Catchme would have seen it.

Let's do this too:

Copy the following text to a new notepad file.
Save it as peek.bat
As file types: All files
Save it to the desktop.

regedit /e reglog.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FCI
notepad reglog.txt

Once saved, double click it.
A "dos" window will pop up then a notepad file will pop up.
Post contents of log here.
closing the notepad window will also close the "dos" window.


Thanks :thumbsup:

#11 Blender (Malware Response Team)

Posted 31 August 2007 - 07:25 PM

Hi,

Done reading log.
Forget the above "peek.bat"

I'm gonna make a new one.
If you made it already, you might as well delete it, 'cause I need more info.

Open notepad
Click the "format" menu and make sure "wordwrap" is OFF (unchecked)

Copy and paste the below text in code box to it.

@echo off
rem Work from the root of the system drive (/d also switches drive if the desktop is elsewhere)
cd /d %systemdrive%\
if not exist blendersww mkdir blendersww
rem Export the suspect FCI service key, the ICF key and the firewall exceptions list
regedit /e blendersww\1.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FCI
regedit /e blendersww\2.txt HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ICF
regedit /e blendersww\3.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

rem Join the three exports into one log (/b keeps the Unicode exports intact) and clean up
copy /b blendersww\1.txt + blendersww\2.txt + blendersww\3.txt %systemdrive%\reglog.txt
rmdir /s /q blendersww
notepad %systemdrive%\reglog.txt

Save it as file name peek.bat
As file types: all files(*)
Save it to the desktop.

Once saved, double click it and let it run.
A "dos" window will pop up with log of registry items I asked the batch file to get me.

Attach contents here. (c:\reglog.txt)

Thanks :thumbsup:

#12 the_chattering_sound (Topic Starter)

Posted 03 September 2007 - 05:32 PM

This is from the first reply you gave after my last, sorry I'm a little behind:

Here's the result from the first I sent:
0 bytes size received / An empty file has been received
Eh, I've done a search for the file on the C: drive and it didn't find the Changer.SYS file.


For the second file here are the results; the result is the "-" at the end of the row (you probably know that already)
The last modified date for this file was 8/4/2004.
Here's the results:
------------------------------------------------------
File Cdaudio.SYS received on 09.04.2007 00:12:11 (CET)
Result: 0/31 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.9.1.0 2007.09.03 -
AntiVir 7.4.1.66 2007.09.03 -
Authentium 4.93.8 2007.09.02 -
Avast 4.7.1029.0 2007.09.03 -
AVG 7.5.0.485 2007.09.03 -
BitDefender 7.2 2007.09.03 -
CAT-QuickHeal 9.00 2007.09.03 -
ClamAV 0.91.2 2007.09.03 -
DrWeb 4.33 2007.09.03 -
eSafe 7.0.15.0 2007.09.03 -
eTrust-Vet 31.1.5105 2007.09.03 -
Ewido 4.0 2007.09.03 -
FileAdvisor 1 2007.09.04 -
Fortinet 3.11.0.0 2007.09.03 -
F-Prot 4.3.2.48 2007.09.02 -
F-Secure 6.70.13030.0 2007.09.03 -
Ikarus T3.1.1.12 2007.09.03 -
Kaspersky 4.0.2.24 2007.09.04 -
McAfee 5111 2007.09.03 -
Microsoft 1.2803 2007.09.04 -
NOD32v2 2501 2007.09.03 -
Norman 5.80.02 2007.09.03 -
Panda 9.0.0.4 2007.09.03 -
Prevx1 V2 2007.09.04 -
Rising 19.39.02.00 2007.09.03 -
Sophos 4.21.0 2007.09.03 -
Sunbelt 2.2.907.0 2007.08.31 -
Symantec 10 2007.09.03 -
TheHacker 6.1.9.176 2007.09.04 -
VBA32 3.12.2.3 2007.09.03 -
VirusBuster 4.3.26:9 2007.09.03 -
Additional information
File size: 18688 bytes
MD5: c1b486a7658353d33a10cc15211a873b
SHA1: 76094c8e69f435e218a751ec6bde89f3d861f477
----------------------------------------------------------------

I've attached the log from the HiJAckThis ADS Spy thing.
The reglog.txt is also attached.

Thanks a lot!


#13 Blender (Malware Response Team)

Posted 03 September 2007 - 07:31 PM

Hi and thanks :thumbsup:

From your ADSSpy log:

C:\WINDOWS\system32\svchost.exe : ext.exe (58880 bytes)

That's likely your mailer. Not the svchost.exe but the ADS attached to it. (So don't try deleting svchost.exe.)

Copy the following text to a new notepad file.
Save as file name fix.reg
As file types: All files
Save it to the desktop but don't run it yet.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\msdnc0.exe"=-
"C:\\WINDOWS\\system32\\svchost.exe"=-
"C:\\Documents and Settings\\Beau C. Bourgeois\\Local Settings\\Temp\\winlogon.exe"=-

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Locate Fix.reg and double click it.
Allow the merge.
You should get a success message.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how system is running and if you see any more outgoing mail alerts from norton.

Thanks :flowers:

Edited by Blender, 03 September 2007 - 07:34 PM.

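The two artefacts Blender pulled out of the logs in #10 and #13 (a service whose ImagePath is an alternate data stream, svchost.exe:ext.exe, and firewall exceptions for svchost.exe and a Temp-directory winlogon.exe) can be found mechanically in the reglog.txt that peek.bat produces. The script below is an added example written for this page, not code from the thread or from any of the tools it uses. It parses a regedit 5.00 export (UTF-16LE with a BOM, REG_EXPAND_SZ values written as hex(2) byte lists, long lines wrapped with a trailing backslash), flags any service ImagePath that launches a stream rather than a file, and applies a few heuristics to the AuthorizedApplications list. The embedded export is constructed for illustration: the key names, the FCI service and the paths mirror the thread, "user" stands in for the real profile folder, and the firewall heuristics (temp directory, core binary name outside system32, blanket exception for svchost.exe) are this example's own assumptions rather than anything the thread states.

```python
"""Triage a 'regedit /e' export for what this thread found: a service whose ImagePath launches
an alternate data stream (svchost.exe:ext.exe) and firewall exceptions for binaries that should
not have them.  Point it at the reglog.txt peek.bat produces; the embedded export is constructed."""
import re
from typing import Dict, List, Optional, Tuple

CORE_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
TEMP_DIR = re.compile(r"\\(?:local settings\\)?temp\\", re.I)
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def _hex2(s: str) -> str:
    """Encode a string the way regedit writes REG_EXPAND_SZ: 'hex(2):' + UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed sample (NOT the thread's reglog.txt; 'user' stands in for the real profile name).
# regedit writes UTF-16LE with a BOM, so the text is encoded the same way here.
SAMPLE_EXPORT = ("\ufeff" + "\r\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FCI]",
    '"Start"=dword:00000002',
    '"ImagePath"=' + _hex2(r"C:\WINDOWS\system32\svchost.exe:ext.exe"),
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\spoolsv.exe"),
    f"[{FW_LIST}]",
    r'"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"',
    r'"C:\\Documents and Settings\\user\\Local Settings\\Temp\\winlogon.exe"='
    r'"C:\\Documents and Settings\\user\\Local Settings\\Temp\\winlogon.exe:*:Enabled:winlogon"',
    r'"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Messenger"',
]) + "\r\n").encode("utf-16-le")


def _logical_lines(text: str):
    """Join regedit's backslash-continued hex lines back into single logical lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)     # .reg strings escape backslash and double quote


def _decode(value: str):
    """Textual .reg value -> Python value (None marks a '=-' deletion)."""
    if value == "-":
        return None
    if value.startswith('"'):
        return _unescape(value[1:-1])
    if value.startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", value)
    if not m:
        return value
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    # hex(2)/hex(7) are REG_EXPAND_SZ/REG_MULTI_SZ stored as UTF-16LE; other types stay bytes
    return raw.decode("utf-16-le").rstrip("\0") if m.group(1) in ("2", "7") else raw


def parse_reg_export(data: bytes) -> Dict[str, Dict[str, object]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8-sig")
    keys: Dict[str, Dict[str, object]] = {}
    current = ""
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")      # '[-key]' is a deletion; keep just the name
            keys.setdefault(current, {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current and m:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys


def ads_stream(image_path: str) -> Optional[str]:
    """Stream name when an ImagePath launches an ADS ('file.exe:stream'), else None."""
    exe = image_path.strip()
    exe = exe[1:].split('"', 1)[0] if exe.startswith('"') else exe.split(" ", 1)[0]
    exe = re.sub(r"^\\\?\?\\", "", exe)           # drop the NT-native \??\ prefix
    exe = re.sub(r"^[A-Za-z]:", "", exe)          # drop the drive letter's own colon
    return exe.rsplit(":", 1)[1] if ":" in exe else None


def suspicious_exceptions(entries: Dict[str, object]) -> List[Tuple[str, str]]:
    """Heuristics over AuthorizedApplications\\List value names (each one is an exe path)."""
    findings = []
    for path in entries:
        folder, _, name = path.lower().rpartition("\\")
        if TEMP_DIR.search(path):
            findings.append((path, "executable in a temp directory"))
        elif name in CORE_BINARIES and not folder.endswith("\\system32"):
            findings.append((path, "core Windows binary name outside system32"))
        elif name == "svchost.exe":
            findings.append((path, "blanket exception for svchost.exe, the image the ADS mailer ran under"))
    return findings


def triage(data: bytes) -> Dict[str, list]:
    """Run both checks over an export and return what a responder should look at."""
    keys = parse_reg_export(data)
    report: Dict[str, list] = {"ads_services": [], "firewall": []}
    for key, values in keys.items():
        image = values.get("ImagePath")
        if "\\services\\" in key.lower() and isinstance(image, str) and ads_stream(image):
            report["ads_services"].append((key.rpartition("\\")[2], image, ads_stream(image)))
        if key.lower() == FW_LIST.lower():
            report["firewall"].extend(suspicious_exceptions(values))
    return report
```

On the sample, triage() reports the FCI service launching stream ext.exe from svchost.exe and flags the svchost.exe and Temp\winlogon.exe exceptions while leaving MSN Messenger alone; the paths it returns are exactly the value names a fix.reg would delete with the "=-" form used in #13. Removing the ADS-backed service itself is deliberately out of scope here, since the thread did that with SDFix rather than a registry merge.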

#14 the_chattering_sound

the_chattering_sound
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 04 September 2007 - 09:01 AM

Alright!
Just got finished doing these things and haven't noticed any little popup yet.
The report.txt and HiJackthis.log file are attached.
Looks like this may have done the trick :thumbsup:

Thank you!


#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:07:16 PM

Posted 04 September 2007 - 08:10 PM

Hi,

Looks much better. :thumbsup:

SDFix took out the file and the service.
Hijackthis log looks OK.

A few phunny-looking temp files on your desktop I'd like to check out, though.
Several like this:
~WRL0345.tmp

You may need to make your system "show hidden files"

How to view Hidden files/folders.
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
Don't forget to hide files/folders again when we are finished cleaning.

Locate these files on the desktop and delete them:

~WRL0345.tmp
~WRL1090.tmp
~WRL1592.tmp
~WRL2426.tmp
~WRL3626.tmp

If you can't delete them in normal mode, then boot to Safe Mode and get them.

Then please update your version of Java.
Your version is out of date and is exploitable.
Even with newer versions installed, malware can "call up" old versions to carry out an exploit.

Download the latest Java from here:

http://java.sun.com/javase/downloads/index.jsp

If you do develop programs then you will want one of the JDK downloads.
Otherwise the 4th one down will do fine.

Java Runtime Environment (JRE) 6u2

Click the download button next to the Java you want to install.
On the next page that comes up you need to accept the agreement to download it.
The first in the list is the offline installation.
This is the one to download. Save it to your desktop or your normal download folder.

1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
7. Reboot your PC once all Java components have been removed
8. Proceed with reinstalling Java using the file you just saved.

Any time you update your Java, the old version will need to be uninstalled manually, since the updater does not uninstall the old one.
With old versions still kicking around, malware can call up the old exploitable versions to run.
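A scripted version of the "find every Java entry, then uninstall all but the newest" procedure above, written here as an added example for this thread (it is not the poster's instructions, not SDFix, and not any Sun/Oracle tool). It assumes a Windows host with PowerShell 3 or later and Java installed with the standard MSI installer, so each Uninstall entry's UninstallString contains an `MsiExec.exe /X{GUID}` product code; the registry paths are the standard per-machine Uninstall keys, and the sample entry names in the comments are illustrative.

```powershell
<#
  Added example for this thread (not the poster's instructions, not SDFix, and
  not any Sun/Oracle tool): list every Java Runtime / JDK entry registered under
  the Windows Uninstall keys, flag the ones older than the newest installed,
  and, only when run with -Remove, uninstall those older entries via msiexec.
  Assumptions: PowerShell 3 or later; Java installed with the standard MSI
  installer, so each entry's UninstallString contains "MsiExec.exe /X{GUID}".
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # default is report-only; add -WhatIf with -Remove to rehearse
)

# Standard per-machine Uninstall keys (64-bit view and 32-bit WOW6432Node view).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }   # WOW6432Node is absent on 32-bit Windows
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Entry names vary (illustrative: "Java(TM) 6 Update 2", "Java 8 Update 291",
            # "J2SE Runtime Environment 5.0"), so match anywhere in the name, and skip
            # helpers such as "Java Auto Updater" that carry no DisplayVersion.
            if ($p.DisplayName -notmatch 'Java|J2SE' -or -not $p.DisplayVersion) { continue }
            try { $ver = [version]$p.DisplayVersion } catch { continue }
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $ver
                UninstallString = $p.UninstallString
                RegistryKey     = $sub.PSPath
            }
        }
    }
}

$entries = @(Get-InstalledJava | Sort-Object Version -Descending)
if ($entries.Count -eq 0) { Write-Host 'No Java entries found.'; return }

$newest = $entries[0]
Write-Host "Newest installed: $($newest.Name) ($($newest.Version))"
# Everything older than the newest is what the thread says malware can "call up".
$stale = @($entries | Where-Object { $_.Version -lt $newest.Version })
Write-Host "Older entries still registered: $($stale.Count)"
$stale | Format-Table Name, Version, UninstallString -AutoSize

if (-not $Remove) { return }

foreach ($e in $stale) {
    # Pull the product code out of the MSI uninstall string; anything else
    # (a non-MSI installer) is reported for manual removal rather than guessed at.
    if ($e.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
        $productCode = $Matches[0]
        if ($PSCmdlet.ShouldProcess($e.Name, "msiexec /x $productCode")) {
            $proc = Start-Process -FilePath msiexec.exe `
                -ArgumentList "/x $productCode /qn /norestart" -Wait -PassThru
            Write-Host "$($e.Name): msiexec exit code $($proc.ExitCode)"
        }
    } else {
        Write-Warning "$($e.Name): not an MSI entry, remove it by hand: $($e.UninstallString)"
    }
}
```

Run it once without switches from an elevated prompt to see the report, then with `-Remove -WhatIf` to see exactly which msiexec commands would run, and only then with `-Remove`. As the poster says, reboot once the old components are gone before installing the fresh download; the script deliberately never touches the newest entry, so if the newest itself is out of date the fix is to install the current release first and run the script again.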

Next:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post. (attach if large file)

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Post a new Hijackthis log when done please, along with the Kaspersky log.
Let me know if you are still free of those Norton outgoing email notifications.

Thanks :flowers:



