

Trojan Infection


  • This topic is locked
3 replies to this topic

#1 Fishead

Fishead

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 05 October 2007 - 01:06 PM

Hello-

Apologies, I had originally posted my problem to the wrong forum, and the thread was moved here:
http://www.bleepingcomputer.com/forums/t/110815/really-infected-now/

My system is running pretty smooth now without all of the symptoms I was having, BUT, I have gotten this far several times only to have the whole thing start all over once I connect to the net.
Could someone please review my HJT log and advise, with many thanks in advance!!!
Here is a quick summary of what I have been dealing with, recent scans/results etc.

Ccleaner on both admin/user in safe mode.
The Trend-Micro SystemClean Package found /cleaned (1) virus
SpyBot crashed, but I think it valiantly took a couple bugs out in the process.
Stinger
ComboFix also had issues running properly this time.
SmitFraudFix
CounterSpy found nothing this time around, but did find/quarantine the following the day before:
Trojan.Downloader.Win32.Agent.bxx
AnyPBookmark (plugin)
Trojan.FakeAlert
On a previous scan CounterSpy found:
Trojan.Win32/SystemHijack.gen
and has found FakeAlert several times...recurring bug

Finally, Trojan.Win32.Agent.ali was found earlier by something I remember...think it was ComboFix, it's all a blur now....

***I have been unable YET to do any of the online scans; last I tried I was still being redirected to nul-ville, and prevented from reaching all AV and search domains, including (I think) any URLs in my favorites/bookmarks.

I still have a couple major issues:
1. NO ANTIVIRUS INSTALLED! Downloaded and installed AVG+Firewall with all updates (and without) and got the blue screen of death on every reboot attempt. Uninstalled/reinstalled several times with the same results. Of note, the updater function had issues running (from 'file' of course), but it seems the virus messed with files associated with 'updating' in general.
As a secondary issue related to the AVG install, I was prompted to update Roxio because AVG has problems with a bug in older versions; I did so, but did not 'upgrade' to purchasing v.10 when mine worked just fine as it was. Unfortunately, the updates I loaded seem to have it running 'buggy' now...but I managed to burn the txt/log files over that I am now sending. It is spitting error msgs now with each function, and slow...any thoughts on repairing possibly damaged files?
CAN YOU PLEASE RECOMMEND A (GOOD) ANTI-VIRUS + FIREWALL? ...one that I can download along WITH the current definition files so I can install/run completely offline? I am not concerned with it being Free, I just want something that can accomplish the above and is not a bloated suite of crap. This machine came with Norton 2003 installed, and I am familiar with it, just didn't renew the subscription last time around, looking for something better...then I got ZAPPED. Have Corp Edition on my W2k desktop and it's fine I guess (but it won't run on my infected XP Home laptop). I've not heard much praise of Norton in general these days...purchased System Suite a long time ago and hated all the extra (____) and annoyances! The one thing I do like is being able to download separately the current definitions as an .exe that I can run and it's done. Anything you know of other than Norton that offers updates this way, that doesn't require updating from within the running app?

2. Still finding a bunch of host URLs in scans, and located some Reg. files containing them that the tools are leaving behind. Something, somewhere is re-populating this mess.

I found a couple key/files like this that the scans are NOT catching or seeing as threats:
HKLM/SOFT\Microsoft\Windows\Current Version\Internet Settings\P3P\History/(many bogus URL folders) all with value/keys set to Vname "default" REG_WORD (5)
Similar but more threatening looking ones:
HKLM/SOFT\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domains\...
(many many more) bogus URL folders, but many of these have multiple sub-folders with names like... \007Guard.com\install...www.install...the...www.the, etc.
Vname is just * and value set to (4)
For the life of me I can't discern the root/malware source that is behind all this, and with all the new lil progs I have loaded in last week, the process list is even getting hard to know what is good or evil.
QUESTION: Is it safe to delete these creepy Reg folders (P3P) in regedit, and will this actually get rid of them? Or is there another way I must go about removing them?

I'm hoping you can spot the offender/s easily in my logs, after reading all this, sorry for the long read. Thank you for your help!!!!
I won't do a thing till I hear back............


******************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:20, on 2007-10-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\HijackThis\analyze.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169104632250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169104598562
O20 - AppInit_DLLs: C:\WINDOWS\system32\cmcache.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 6381 bytes
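The two technical items in the post above are the HijackThis log itself and the ZoneMap\Domains registry keys full of URL folders whose `*` value is 4. As an added example (not code from the thread, BleepingComputer or HijackThis), the Python below parses a HijackThis v2 log into its numbered entries, cross-checks the O4/O23 autostart targets against the "Running processes" list and flags the O20 AppInit_DLLs load point, then decodes an exported ZoneMap\Domains key into host, scheme and zone. Windows URL security zone IDs are 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites, so a `*` = 4 entry locks a domain down rather than trusting it; during an infection the mappings worth chasing are unexpected value-2 (Trusted) ones. `SAMPLE_LOG` is an excerpt of the posted log; `SAMPLE_REG` and the host `example.test` are constructed. Everything the triage reports is a lead to verify by hand (publisher, hash, file date), not a verdict.

```python
"""Triage helpers for a HijackThis v2 log and an exported ZoneMap key.

Added example for this thread, not code from BleepingComputer, HijackThis
or the poster. SAMPLE_LOG is an excerpt of the posted log; SAMPLE_REG is a
constructed .reg export modelled on the keys the poster describes.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O20 - AppInit_DLLs: C:\WINDOWS\system32\cmcache.dat
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^[^\[]*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def first_path(cmd):
    """Program path from a Run-key command line: quoted, unquoted up to .exe, or first token."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)|(\S+)', cmd.strip(), re.I)
    return next(g for g in m.groups() if g) if m else cmd.strip()

def parse_hjt(text):
    """Return (set of running process basenames, [(code, name, path)]) from a log."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.rsplit("\\", 1)[-1].lower())
            else:
                in_procs = False          # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        m4 = O4_RE.match(body) if code == "O4" else None
        if m4:                            # O4 Run keys: [name] "path" args
            entries.append((code, m4["name"], first_path(m4["cmd"])))
        elif code == "O23":               # O23: Service: name - vendor - path
            name = body.split(" - ")[0].removeprefix("Service: ")
            entries.append((code, name, body.rsplit(" - ", 1)[-1]))
        elif code == "O20":               # O20: AppInit_DLLs: path
            key, _, val = body.partition(":")
            entries.append((code, key, val.strip()))
        else:
            entries.append((code, "", body))
    return running, entries

def triage(text):
    """Leads to verify by hand, not verdicts: [(code, name, path, reason)]."""
    running, entries = parse_hjt(text)
    findings = []
    for code, name, path in entries:
        base = path.rsplit("\\", 1)[-1].lower()
        if code == "O20" and path:
            findings.append((code, name, path, "AppInit_DLLs is normally empty"))
        elif code in ("O4", "O23") and base.endswith(".exe") and base not in running:
            findings.append((code, name, path, "autostart target not running at scan time"))
    return findings

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002
"""

def parse_zonemap(reg_text):
    r"""[(host, scheme, zone_id)] from an exported ZoneMap\Domains key.
    Subkeys nest right to left: Domains\example.com\www is www.example.com."""
    host, out = None, []
    for line in reg_text.splitlines():
        if line.startswith("[") and "\\Domains\\" in line:
            parts = line.rstrip("]").split("\\Domains\\", 1)[1].split("\\")
            host = ".".join(reversed(parts))
        elif host and line.startswith('"') and "=dword:" in line:
            scheme, val = line.split("=dword:")
            out.append((host, scheme.strip('"'), int(val, 16)))
    return out

def zone_summary(reg_text):
    """Mappings per zone; unexpected Trusted-sites entries are the ones to chase."""
    return Counter(ZONE_NAMES[z] for _, _, z in parse_zonemap(reg_text))

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
    for host, scheme, zone in parse_zonemap(SAMPLE_REG):
        print(f"{host:24} {scheme:5} -> {ZONE_NAMES[zone]}")
```

On the excerpt, `triage` reports the AVG7 RunOnce entry (its binary is not in the process list, consistent with AVG having been uninstalled) and the AppInit_DLLs entry; `parse_zonemap` shows both 007guard.com entries in Restricted sites and the constructed example.test entry in Trusted sites. To run it on a real machine, export the Domains key with `reg export` and feed the file's text to `parse_zonemap`; deleting a subkey under Domains removes only that host's zone mapping.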



#2 Fishead

Fishead
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 08 October 2007 - 08:41 PM

Still haven't heard a word from anyone...sorry to bump, but I think I fell through the cracks.
Can someone please help?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:53 AM

Posted 14 October 2007 - 10:03 PM

Hello Fishead,

Welcome to Bleeping Computer :blink:

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:53 AM

Posted 29 October 2007 - 12:12 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



