Htepo.com Virus/adware



#1 ragarwal05

Posted 09 November 2007 - 11:07 AM

Hi,

My computer has been hit with HTEPO.COM virus/adware, even though I have Symantec anti-virus installed and constantly running. I have tried scanning the system several times, but no luck. I am at my wit's end now. I did a search and found that you guys have helped a lot of people with the same issue. I will really appreciate your help in getting me back up.

Thank you in advance. I look forward to hearing back from you guys. I have attached the HijackThis log below.

Thank you again.

ragarwal05

----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:30 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\fedex\FedEx_RemoteConfig\RemoteConfigService.exe
C:\fedex\FedEx_Comm\fftserv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\rmid.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MRService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ConnectShip\Progistics\MSDE\MSSQL$CSI_DATA\Binn\sqlservr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\FedEx\FedEx_ShipManager\ShipManagerConsole.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\fedex\fedex_oshp\openshipservice.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\fedex\fedex_rate\rateservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\fedex\fedex_shipmanager\shipmanager.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\fedex\fedex_comm\trakservice.exe
C:\fedex\fedex_ursa\ursaservice.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\fedex\fedex_admn\admnservice.exe
C:\fedex\fedex_comm\commservice.exe
C:\fedex\Fedex_Broadcast\broadcastservice.exe
C:\fedex\FedEx_Comm\Nt_CstServerService.exe
C:\fedex\fedex_print\printingservice.exe
C:\fedex\fedex_query\queryservice.exe
C:\Program Files\Java\j2re1.4.2_03\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CMS Consultants Inc.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ulgvsnid.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE"/STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [NI.UWAS7_0001_N99M3108] "C:\DOCUME~1\ragarwal\LOCALS~1\Temp\WinAntiSpyware 2007 FreeInstall.exe" -nag
O4 - HKLM\..\Run: [944e4840] rundll32.exe "C:\WINDOWS\system32\eqvuvgnw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\189\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ShipManager Console.lnk = C:\FedEx\FedEx_ShipManager\ShipManagerConsole.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with X&ML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cmsconsultants.com
O15 - Trusted Zone: http://TEST.CMSCONSULTANTS.COM
O15 - Trusted Zone: http://worldlink.CMSCONSULTANTS.COM
O15 - Trusted Zone: http://www.connectship.com
O15 - Trusted Zone: http://TEST.CMSCONSULTANTS.COM (HKLM)
O15 - Trusted Zone: http://worldlink.CMSCONSULTANTS.COM (HKLM)
O15 - Trusted IP range: http://192.168.0.10
O15 - Trusted IP range: http://192.168.0.246
O16 - DPF: ClientCountryList - http://rahul/wl/Cabs/ClientCountryList.CAB
O16 - DPF: ClientPrintEngine - http://rahul/wl/Cabs/ClientPrintEngine.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3C412101-79BD-4C59-A03D-3F3CED374CEA} (PrintCtrl Class) - http://localhost/wl/Cabs/WLClientReports.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {42F757DC-D3D3-44B6-92EB-AA1E9D46147F} (WLScannerControl.WLScanner) - http://rahul/dtl/Cabs/WLScanner.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149184108625
O16 - DPF: {72645462-3581-4394-AD29-64C01188E20C} (WLScaleControl.WLScale) - http://rahul/dtl/Cabs/Scale.cab
O16 - DPF: {B196568C-9EF5-4A05-B028-3C9433637449} (WLScaleControl.WLScale) - http://localhost/wl/Cabs/Scale.CAB
O16 - DPF: {C0EAC0D6-62A0-49AE-89C1-A1288FFC60B4} (ScriptControl.WLScript) - http://rahul/wl/Cabs/Script.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E698D37E-9E5C-4E75-A884-0138D81A68B8} (ScriptControl.WLScript) - http://localhost/wl/Cabs/WLCab30.CAB
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = va.cmsconsultants.com
O17 - HKLM\Software\..\Telephony: DomainName = va.cmsconsultants.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = va.cmsconsultants.com
O23 - Service: Fedex Admin (AdmnService) - Unknown owner - C:\fedex\fedex_admn\admnservice.exe
O23 - Service: FedEx SQL Anywhere - FXRS_DB (ASANYs_FXRS_DB) - iAnywhere Solutions, Inc. - C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Fedex Communication (CommService) - Unknown owner - C:\fedex\fedex_comm\commservice.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Fedex Broadcast Service - Unknown owner - C:\fedex\Fedex_Broadcast\broadcastservice.exe
O23 - Service: Fedex Cst Server - Unknown owner - C:\fedex\FedEx_Comm\Nt_CstServerService.exe
O23 - Service: Fedex Print Service - Unknown owner - C:\fedex\fedex_print\printingservice.exe
O23 - Service: Fedex Query Service - Unknown owner - C:\fedex\fedex_query\queryservice.exe
O23 - Service: FedEx RemoteConfig Service - Unknown owner - C:\fedex\FedEx_RemoteConfig\RemoteConfigService.exe
O23 - Service: FFT Server (FFTServ32) - Federal Express - C:\fedex\FedEx_Comm\fftserv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MailRoom Server (MailRoomServer) - Unknown owner - C:\WINDOWS\system32\MRService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Fedex OpenShip (OpenShipService) - Unknown owner - C:\fedex\fedex_oshp\openshipservice.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Progistics Remote Administration (ProgisticsRemoteAdmin) - ConnectShip, Inc. - c:\program files\connectship\progistics\bin\progisticsremoteadminsvc.exe
O23 - Service: Progistics Automated Task Scheduler (ProgisticsScheduler) - ConnectShip, Inc. - c:\program files\connectship\progistics\bin\progisticsscheduler.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Fedex Rating (RateService) - Unknown owner - C:\fedex\fedex_rate\rateservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Fedex Ship Manager (ShipManager) - Unknown owner - C:\fedex\fedex_shipmanager\shipmanager.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Fedex Tracking (TrakService) - Unknown owner - C:\fedex\fedex_comm\trakservice.exe
O23 - Service: Fedex Routing (UrsaService) - Unknown owner - C:\fedex\fedex_ursa\ursaservice.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13220 bytes
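A defender's triage pass over the O4 (registry Run key) entries of a HijackThis log like the one above, added here as an example and not part of this thread. It flags entries whose path or name warrants a manual look: a Temp folder, an executable sitting in the Windows root rather than System32, a near-miss spelling of a core process name, or rundll32 loading a DLL under a hex-like value name. The heuristics, the similarity threshold and the sample lines (copied from the log above) are my assumptions; the flags are review hints, not malware verdicts.

```python
import difflib
import ntpath
import re

# Constructed sample: six O4 entries copied from the HijackThis log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [NI.UWAS7_0001_N99M3108] "C:\DOCUME~1\ragarwal\LOCALS~1\Temp\WinAntiSpyware 2007 FreeInstall.exe" -nag
O4 - HKLM\..\Run: [944e4840] rundll32.exe "C:\WINDOWS\system32\eqvuvgnw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line: hive, value name in brackets, then the command line.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Core Windows process names that malware often imitates with a near-miss spelling.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe")

def target_path(cmd):
    # For rundll32 the loaded DLL is the interesting file; otherwise take the
    # first quoted or bare path on the command line.
    m = re.match(r'rundll32\.exe\s+"?([^",]+)', cmd, re.I) or re.match(r'"([^"]+)"|(\S+)', cmd)
    return next(g for g in m.groups() if g)

def review_entry(name, cmd):
    # Heuristic checks (assumptions); returns the launched file and the reasons it was flagged.
    path = target_path(cmd)
    folder, base = ntpath.split(path.lower())
    reasons = []
    if "\\temp\\" in folder + "\\":
        reasons.append("runs from a Temp folder")
    if folder in ("c:\\windows", "c:\\winnt"):
        reasons.append("file sits directly in the Windows root, not System32")
    for sysname in SYSTEM_NAMES:
        if base != sysname and difflib.SequenceMatcher(None, base, sysname).ratio() >= 0.9:
            reasons.append(f"name imitates {sysname}")
    if "rundll32" in cmd.lower() and re.fullmatch(r"[0-9a-f]{8}", name):
        reasons.append("rundll32 loads a DLL under a hex-like value name")
    return path, reasons

def review_autoruns(log_text):
    # Map value name -> (path, reasons) for every O4 entry that tripped at least one check.
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            _hive, name, cmd = m.groups()
            path, reasons = review_entry(name, cmd)
            if reasons:
                flagged[name] = (path, reasons)
    return flagged

if __name__ == "__main__":
    for name, (path, reasons) in review_autoruns(SAMPLE_O4).items():
        print(f"[{name}] {path}\n    " + "; ".join(reasons))
```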


#2 RichieUK
Malware Assassin, Malware Response Team

Posted 10 November 2007 - 04:58 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, ragarwal05 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe), and post that log into your next reply please.