Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Aftereffects Of Sohanad.t


  • Please log in to reply
1 reply to this topic

#1 Craig S

Craig S

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 20 September 2007 - 11:54 AM

My ZoneAlarm log shows two disinfections of Schonad.t. But my Cntl-Alt-Delete and regedit weren't working, which is a symptom of Schonad.t. I used some instructions on the web to get them working fine and changed about six registry keys and things seem fine, but slow. But descriptions on the web say that schonad.t is a keylogger. How do I know I don't have the keylogger?

I'm working from an internet cafe to insulate my computer from wherever schonad.t wants to phone home to. I'm using a flash card for communication, which is probably how I got the virus.

How do I know it's gone?

Thanks a bunch,

Craig

The Zone Alarm log showed:

AV/treatment,2007/09/08,10:32:52 +3:00 GMT,IM-Worm.Win32.Sohanad.t,E:\World\World.exe,File Repair Failed,Manual
AV/treatment,2007/09/08,10:32:52 +3:00 GMT,IM-Worm.Win32.Sohanad.t,E:\resume\resume.exe,File Repair Failed,Manual

AV/treatment,2007/09/12,22:20:02 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\WINDOWS\SSVICHOSST.exe,File Repair Failed,Auto
AV/treatment,2007/09/12,22:21:42 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\WINDOWS\system32\SSVICHOSST.exe,File Repair Failed,Auto

AV/treatment,2007/09/17,13:03:48 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP43\A0013124.exe,File Repair Failed,Manual
AV/treatment,2007/09/17,13:03:50 +3:00 GMT,IM-Worm.Win32.Sohanad.t,C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP43\A0013126.exe,File Repair Failed,Manual


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:07 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\Lenovo\PM Driver\PMSveH.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\genutls\emacs\emacs-21.3\bin\emacs.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\svchost.exe
C:\genutls\ZoneAlarm\zlclient.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\UnxUtils\pageant.exe
C:\finutls\quicken2002\QWDLLS.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
c:\genutls\emacs\emacs-21.3\bin\cmdproxy.exe
C:\comutls\yahoo\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cmd.exe
C:\Removable disk\genutls\OpenOffice.org 2.0\program\soffice.exe
C:\Removable disk\genutls\OpenOffice.org 2.0\program\soffice.BIN
C:\genutls\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\taskmgr.exe
C:\genutls\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://world.std.com/~craig/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/welcome/3000notebook
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPWAUDAP] C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
O4 - HKLM\..\Run: [PMHandler] C:\PROGRA~1\Lenovo\PMDRIV~1\PMHandler.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\genutls\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\comutls\yahoo\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [New Value #1] IEProtection
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Removable

Edited by Craig S, 20 September 2007 - 12:02 PM.


BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:10:43 AM

Posted 29 September 2007 - 04:26 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users