
Trojan


This topic is locked
2 replies to this topic

#1 NULL

  • Members
  • 2 posts

Posted 20 November 2007 - 03:14 PM

Hello, I followed the steps with Ad-Aware and Spybot, but both were unsuccessful in removal. Anyway, I can notice a few trojans running in the task manager and about 3 instances of rundll.exe. Also, sadly, I closed those processes before I scanned with HJT.
After the Ad-Aware scan, Windows Explorer continuously crashes, but it's no biggie because if I don't select a choice on the error report it continues to function. Also, I can't start Kaspersky and ZoneAlarm.
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:37 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\My Documents\LIVE025A_EN\hfs.exe
C:\Program Files\Cerberus\Cerberus.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\BitTyrant\Azureus.exe
C:\WINDOWS\system32\spooIsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Gigaware\Gigaware keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kaspersky] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\WINDOWS\system32\lefvu.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA4642] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6983] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA412] command /c del "C:\WINDOWS\system32\vtutstu.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6544] cmd /c del "C:\WINDOWS\system32\vtutstu.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7789] command /c del "C:\WINDOWS\system32\vtutqol.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4566] cmd /c del "C:\WINDOWS\system32\vtutqol.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA757] command /c del "C:\WINDOWS\system32\vtutqnk.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6841] cmd /c del "C:\WINDOWS\system32\vtutqnk.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: HFS.lnk = C:\Documents and Settings\Administrator\My Documents\LIVE025A_EN\hfs.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O20 - AppInit_DLLs: c:\windows\system32\awtqnmj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6290 bytes

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\WINDOWS\system32\lefvu.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
These are the ones that shouldn't be there.
dwwin is from Explorer crashing.

Spybot said it encountered a memory error, then something about zip.dll and unzip.dll.
Ad-Aware found things, so here is its log. It was unable to remove them.
Ad-Aware log attached. It was quite long.
VundoFix picked up
C:\...\system32\ascmgr.dll
and
khfgggf.dll in the same directory, so I fixed them.

Edited by NULL, 20 November 2007 - 04:02 PM.
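A triage script for HijackThis logs of this kind, added here as an example (it is not from the post and not part of HijackThis): it flags the homoglyph process name in the log above (spooIsv.exe, with a capital I standing in for the l of spoolsv.exe), O4 Run entries that launch files from system32 that are not on a small allow-list (winamp.exe, lefvu.exe), and any O20 AppInit_DLLs entry. The sample log, the allow-list and the lookalike table are constructed assumptions.

```python
import re

# Constructed sample in HijackThis v2 format, modelled on the entries in the post above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spooIsv.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\system32\winamp.exe
O4 - HKLM\..\Run: [NvGraphicsInterface] C:\WINDOWS\system32\lefvu.exe
O20 - AppInit_DLLs: c:\windows\system32\awtqnmj.dll
"""

# Core Windows binaries whose names malware imitates (constructed, not exhaustive).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe"}
# Glyphs commonly swapped in to fake those names, e.g. capital I for lowercase l.
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Files a Run entry may legitimately reference inside system32 (constructed allow-list;
# extend it for the machine being examined, otherwise expect some false positives).
SYSTEM32_RUN_ALLOW = {"rundll32.exe", "ctfmon.exe", "dumprep", "nvcpl.dll", "nvmctray.dll"}

def lookalike_of(name):
    """Return the genuine system binary `name` imitates, or None if genuine/unrelated."""
    canon = name.translate(LOOKALIKES).lower()
    return canon if canon in SYSTEM_BINARIES and name.lower() != canon else None

def triage(log):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings, in_procs = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:          # the section ends at the first blank line
            in_procs = False
        elif in_procs:
            real = lookalike_of(line.split("\\")[-1])
            if real:
                findings.append((line, f"lookalike of {real}"))
        elif line.startswith("O20 - AppInit_DLLs:"):   # DLL loaded into every GUI process
            findings.append((line, "AppInit_DLLs injection"))
        elif (m := re.match(r"O4 - .*?\[[^\]]+\] (.+)", line)):
            for file in re.findall(r'system32\\([^\\,\s"]+)', m.group(1), re.IGNORECASE):
                real = lookalike_of(file)
                if real:
                    findings.append((line, f"lookalike of {real}"))
                elif file.lower() not in SYSTEM32_RUN_ALLOW:
                    findings.append((line, f"unexpected file in system32: {file}"))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log; each finding is a starting point for a closer look, not a verdict.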


#2 NULL

  • Topic Starter
  • Members
  • 2 posts

Posted 23 November 2007 - 10:14 PM

Never mind, it appears I fixed it by using those Vundo removal instructions. Thanks for the resources; sorry I didn't look sooner. I had to run both VirtumundoBeGone and VundoFix in safe mode. VirtumundoBeGone seemed to work better than VundoFix because VundoFix doesn't seem to target every aspect of Vundo, just the DLL hooks, but it does do a good job of finding the leftover hooks from Vundo that Virtu missed, so I would recommend that you change the guide to say to use both in safe mode one after the other.

#3 random/random

  • Malware Response Team
  • 2,704 posts

Posted 04 December 2007 - 05:20 PM

Since this issue appears to be resolved, this topic is now closed.
