Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Please


  • Please log in to reply
3 replies to this topic

#1 TWF ATCT

TWF ATCT

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 07 March 2005 - 02:15 PM

Hi,

Having troubles with trojan virus of the BC!DLL!, SILLYDL, and possibly other variants. This is on a Win98 machine. It's a client on a small peer to peer type of LAN. Our internet access is through a Proxy Server. I am running the most current version/signature of Computer Associates Etrust antivirus software and using IE 6.0 and Mozilla browsers.

I've attached a copy of my Hijack this log and would welcome any help or suggestions you can provide. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:16:26 AM, on 3/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\PSSVC.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\COO.EXE
C:\DMI\BIN\DNAR.EXE
C:\DMI\BIN\NODEMNGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\EPOAGENT\NAIMAS32.EXE
C:\EPOAGENT\NAIMAG32.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\IPCH32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TMA32N.EXE
\\ANM_TWF_CRUX1\PUBLIC\INSTALLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjhtl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vjhtl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vjhtl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vjhtl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awaproxy.faa.gov:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.faa.gov;172.*.*;10.*.*
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {8EACBFBD-1011-201F-AF25-49D912593462} - C:\WINDOWS\SYSTEM\APIPT32.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NaimAgent_Service] C:\EPOAgent\naimas32.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\REALMON.EXE -s
O4 - HKLM\..\Run: [IPCH32.EXE] C:\WINDOWS\SYSTEM\IPCH32.EXE
O4 - HKLM\..\Run: [tma32n] C:\WINDOWS\SYSTEM\tma32n.exe
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe c:\windows\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Dell Home - {BADBF200-7A17-11D4-BA19-00B0D01DF264} - http://government.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.18.1.8,172.24.0.3,172.18.115.36

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:17 AM

Posted 08 March 2005 - 01:32 PM

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes.

When its done run hijackthis again post a new log

#3 TWF ATCT

TWF ATCT
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 14 March 2005 - 12:42 PM

Thanks,

Ran the Shredder and here are the latest Hijack This scan results.

Logfile of HijackThis v1.99.1
Scan saved at 10:26:08 AM, on 3/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\PSSVC.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\COO.EXE
C:\DMI\BIN\DNAR.EXE
C:\DMI\BIN\NODEMNGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\EPOAGENT\NAIMAS32.EXE
C:\EPOAGENT\NAIMAG32.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\IPCH32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\TLAOA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
\\ANM_TWF_CRUX1\PUBLIC\INSTALLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awaproxy.faa.gov:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.faa.gov;172.*.*;10.*.*
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {8EACBFBD-1011-201F-AF25-49D912593462} - C:\WINDOWS\SYSTEM\APIPT32.DLL (file missing)
O2 - BHO: Class - {A3DCC5C3-B256-F491-5178-E6ACA27D9CF0} - C:\WINDOWS\IEYV32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NaimAgent_Service] C:\EPOAgent\naimas32.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\REALMON.EXE -s
O4 - HKLM\..\Run: [IPCH32.EXE] C:\WINDOWS\SYSTEM\IPCH32.EXE
O4 - HKLM\..\Run: [tlaoa] C:\WINDOWS\SYSTEM\tlaoa.exe
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe c:\windows\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Dell Home - {BADBF200-7A17-11D4-BA19-00B0D01DF264} - http://government.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 172.18.1.8,172.24.0.3,172.18.115.36

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:17 AM

Posted 14 March 2005 - 03:27 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: Class - {8EACBFBD-1011-201F-AF25-49D912593462} - C:\WINDOWS\SYSTEM\APIPT32.DLL (file missing)
O2 - BHO: Class - {A3DCC5C3-B256-F491-5178-E6ACA27D9CF0} - C:\WINDOWS\IEYV32.DLL
O4 - HKLM\..\Run: [IPCH32.EXE] C:\WINDOWS\SYSTEM\IPCH32.EXE
O4 - HKLM\..\Run: [tlaoa] C:\WINDOWS\SYSTEM\tlaoa.exe


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\IEYV32.DLL
C:\WINDOWS\SYSTEM\IPCH32.EXE
C:\WINDOWS\SYSTEM\tlaoa.exe


Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users