Task Manager Disabled, Xp Antivirus, Worm.win.32?


3 replies to this topic

#1 omgmel

omgmel

  • Members
  • 2 posts

Posted 28 November 2007 - 12:53 PM

I believe the problem started when my mother okayed a pop-up download. From there, Windows Task Manager was disabled by administrator (though no one did that). I re-enabled the Task Manager, but that has been the least of the problems that followed.
This morning 4 icons were on my desktop that were suspicious, I deleted the icons (I know, probably didn't do anything), so by memory the icons were:
-xp antivirus 2008
-privacy (something)
-error cleaner
-??
I did, however, right click the icon and use properties to find the website source. It came from the following ( I wouldn't go to the site, though):
//viruswebprotect.com/shandler.php?sid=0&pn=&said=0&aid=0&sg=2
After that I did a search for xp antivirus on my computer and found a notepad log. The log came from this site:
www.XPAntivirus.com/help.php
I can post the log if you think it will be of help.
The error message that comes up a lot starts like this:
"Worm.Win.32 Netsky deteceted on your machine. This virus is distrubited via the internet through email and active-x objects. This worm has it's own smtp engine which means it gathers e-mails from your local computer and re-distributes itself. In worse cases this worm can allow attackers to access your computer..." Another thing that happens is a small window flashes with a URL that I can't read in time on the top bar. It's black (I think it's called the command prompt???) and it only appears for a second.
I ran Search and Destroy yesterday several times. I also ran it again this morning... all scans came up with something... this morning the scan results were the smallest, but XP Antivirus still has an icon in my desktop toolbar. I am currently running Stinger as we speak, and have run HijackThis. I checked the link from the site on removing XP Antivirus and compared the HijackThis list of bad items with my results and none of them were the same. I attached the log from HijackThis.
Thank you for your time and let me know if I wasn't thorough enough or there are any questions. :D



Edited by KoanYorel, 28 November 2007 - 01:03 PM.
To sanitize hot link URL above



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 30 November 2007 - 06:18 PM

Hi omgmel and welcome to Bleeping Computer.
I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

You are using an old version of HijackThis.........
A new version of HijackThis has now been released.
Please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log.
Please post the new log as a reply to this thread and not as an attachment.

Thx



#3 omgmel

omgmel
  • Topic Starter

  • Members
  • 2 posts

Posted 30 November 2007 - 11:05 PM

Hi thank you for assisting me.
After running Stinger and Spybot a few times, things seem a little better. Most of the pop-ups are gone but I feel like my computer is still on thin ice. I've also noticed that tabbed browsing isn't working on my IE 7. I have it clicked to be enabled but the option to open a window in a new tab isn't highlighted/clickable. I don't know if that's related. Here's my most recent HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:53 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1160471345\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E75B284A-D5D0-4F5D-9BD3-59637A85F5D0} - (no file)
O2 - BHO: (no name) - $ - (no file)
O2 - BHO: (no name) - $ - (no file)
O3 - Toolbar: (no name) - {872F66C1-E394-4545-8843-EDE16648058A} - (no file)
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1160471345\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Norton AntiVirus 2004.lnk = C:\Program Files\Common Files\Symantec Shared\NMain.exe
O4 - Startup: Norton Personal Firewall.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O20 - Winlogon Notify: kbdo35 - kbdo35.dll (file missing)
O21 - SSODL: gormet - {3D28689B-8119-49E5-9AC9-FCB8ABE947A0} - (no file)
O21 - SSODL: pmkret - {5501215C-A762-426A-B08B-FC451B64C4A1} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8763 bytes

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 01 December 2007 - 04:11 PM

Hi omgmel

Step 1
Download SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
    Now close down SuperAntiSpyware.
    Do Not do a scan yet.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Do Not do a scan yet.

Step 2
Please disable Spybot S&D's TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

Reboot the computer.

Step 3
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows and browsers (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {E75B284A-D5D0-4F5D-9BD3-59637A85F5D0} - (no file)
O2 - BHO: (no name) - $ - (no file)
O2 - BHO: (no name) - $ - (no file)
O3 - Toolbar: (no name) - {872F66C1-E394-4545-8843-EDE16648058A} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O20 - Winlogon Notify: kbdo35 - kbdo35.dll (file missing)
O21 - SSODL: gormet - {3D28689B-8119-49E5-9AC9-FCB8ABE947A0} - (no file)
O21 - SSODL: pmkret - {5501215C-A762-426A-B08B-FC451B64C4A1} - (no file)

Optional
These items are not malware related but are not needed to run at startup, as they can be started manually when required.
Disabling them will save you unnecessary resources. But these are up to you to decide.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

Please reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, (you will have to use the 'arrow' keys to navigate on this window) then press "Enter".
* Choose your usual account.

Step 4
Scan with SuperAntiSpyware
Click the desktop icon... when it starts, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Run Deckard's System Scanner (DSS)
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files: main.txt (this one will be maximized) and extra.txt (this one will be minimized on your Taskbar).
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner).

Make sure you notice the extra.txt second log that will show as minimized on your Task Bar. "Maximize" that and be sure to paste those contents here as well.

In your next reply, please post:
The SAS scan results
Both DSS logs.

Thx

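As an added example that is not part of this thread, of HijackThis or of the fix posted above, the script below applies the same reasoning Starbuck used in Step 3 to a subset of the log from post #3: it flags O2/O3/O20/O21 entries whose target file is missing, the O6 Internet Explorer policy restriction, and O16 ActiveX controls that either have no download source or come from a host the reviewer has not vetted. The sample lines are copied from the log above; the host allowlist and the heuristics themselves are assumptions, and the "unvetted host" rule only surfaces an item for a manual reputation check rather than deciding it is malicious.

```python
"""Triage a HijackThis-style log for entries that usually merit review.

Added example for this thread; it is not part of HijackThis, SUPERAntiSpyware
or the fix posted above. The heuristics and the host allowlist below are
assumptions chosen to mirror the reasoning a log reviewer applies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample input: a subset of the log lines posted in this thread (constructed
# from post #3 above, not a complete log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - $ - (no file)
O3 - Toolbar: (no name) - {872F66C1-E394-4545-8843-EDE16648058A} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O20 - Winlogon Notify: kbdo35 - kbdo35.dll (file missing)
O21 - SSODL: gormet - {3D28689B-8119-49E5-9AC9-FCB8ABE947A0} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed allowlist of hosts whose ActiveX controls (O16) the reviewer has
# already vetted; anything else is surfaced for a manual reputation check.
ACTIVEX_HOST_ALLOWLIST = {"download.divx.com", "lads.myspace.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    kind: str     # HijackThis section, e.g. "O20"
    line: str     # the original log line
    reason: str   # why a reviewer would look at it


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    # A registered component whose file is gone: either an orphaned entry or
    # a payload the AV already deleted. Harmless now, but worth cleaning up.
    if any(marker in body for marker in MISSING_MARKERS):
        return Finding(kind, line, "registered component whose file is missing")

    # O6: an Internet Explorer policy restriction. Rogue installers set these,
    # so confirm it was placed deliberately before keeping it.
    if kind == "O6":
        return Finding(kind, line, "IE policy restriction present")

    # O16: downloaded ActiveX controls. No source URL at all, or a source
    # outside the vetted set, both get a second look.
    if kind == "O16":
        source = body.rsplit(" - ", 1)[-1].strip()
        if not source.startswith(("http://", "https://")):
            return Finding(kind, line, "ActiveX control with no download source")
        host = urlparse(source).hostname or ""
        if host not in ACTIVEX_HOST_ALLOWLIST:
            return Finding(kind, line, f"ActiveX control from unvetted host {host}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every non-empty line of a log, in order."""
    return [f for f in (triage_entry(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.reason}\n    {finding.line}")
```

Run against the sample, the script surfaces exactly the eight lines from this subset that Starbuck told the poster to fix, and leaves the Spybot BHO, the Symantec and Apple entries and the DivX control alone. The missing-file and O6 rules are deterministic; the O16 host rule is only as good as the allowlist, which is why it reports the host rather than a verdict.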




