Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT- 600XCSP


  • This topic is locked This topic is locked
4 replies to this topic

#1 600xcsp

600xcsp

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:A cold cold place!
  • Local time:10:10 PM

Posted 10 March 2005 - 09:04 PM

Hello, I know just enough about computers to be dangerous. I have tried SBS&D ADAWARE, and the Microsoft BETA adware/spyware remover. BUT... to no avail. I still get "backdoor-dbb" virus alert from Macafee each time I open explorer. PLEASE HELP. Below is the hijackthis log that I just got:

Logfile of HijackThis v1.99.1
Scan saved at 7:22:55 PM, on 3/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Xpoint\PE\pcrecsa.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\myCIO\Agent\myAgttry.exe
C:\WINDOWS\system32\iptz.exe
C:\Documents and Settings\Parent\AV\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D6D77F0F-5431-DB5B-4101-2093B152C09D} - C:\WINDOWS\system32\nethb32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [setup2k.exe] c:\wutemp\setup2k.exe
O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iptz.exe] C:\WINDOWS\system32\iptz.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\system32\winnd.exe
O4 - HKLM\..\RunOnce: [netdf.exe] C:\WINDOWS\system32\netdf.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.8.1.144.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe
O23 - Service: Network Security Service ( 6Q'8) - Unknown owner - C:\WINDOWS\sdktp.exe (file missing)

I look forward to your help with this. Not sure what is valid and what is JUNK! Thanks in advance, 600XCSP

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:10 PM

Posted 11 March 2005 - 04:44 AM

Hi

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

This is very important ! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Please make sure that you can view all hidden files:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process. Don't use it yet.

Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as remove.reg
Change the Save as Type to All Files
Save this file on the desktop.
We will use it later.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6Q'8]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6Q'8]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\6Q'8]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6Q'8]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]



Step 1:

Go to Start -> Run and type Services.msc, then press the OK button. Look for a service called Network Security Service. Double click on that service and press the Stop button, and then set the Startup type to Disabled. Press OK, and close all the windows.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

iptz.exe

This is very important ! Internet Explorer should remain closed during the cleanup. If you open Internet Explorer the fix will fail. (Steps 1 - 8)

Step 3:
Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D6D77F0F-5431-DB5B-4101-2093B152C09D} - C:\WINDOWS\system32\nethb32.dll

O4 - HKLM\..\Run: [setup2k.exe] c:\wutemp\setup2k.exe
O4 - HKLM\..\Run: [iptz.exe] C:\WINDOWS\system32\iptz.exe
O4 - HKLM\..\RunOnce: [winnd.exe] C:\WINDOWS\system32\winnd.exe
O4 - HKLM\..\RunOnce: [netdf.exe] C:\WINDOWS\system32\netdf.exe

O23 - Service: Network Security Service ( 6Q'8) - Unknown owner - C:\WINDOWS\sdktp.exe (file missing)


Step 4:
Reboot your computer into Safe Mode.

I now need you to delete the following files, if present:

C:\WINDOWS\system32\nethb32.dll <-- this file
C:\WINDOWS\system32\iptz.exe <-- this file
C:\WINDOWS\system32\winnd.exe <-- this file
C:\WINDOWS\system32\netdf.exe <-- this file
C:\WINDOWS\sdktp.exe <-- this file

c:\wutemp\ <-- this folder

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. if it is, uncheck it and try again.

Step 5:

Double-click on the remove.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.

Step 7:

Run AdAware, press the Start button, uncheck Scan for negligible risk entries, select Scan Volume for ADS and press Next. Let AdAware remove anything it finds.

Run AdAware again, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Step 8:

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Step 9:
Reboot your computer back to normal mode so that we can restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.
    If you are using XP,2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system
  • If you are using Windows 98*Grinler please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system
  • Download the Hoster from here. Press Restore Original Hosts and press OK. Exit Program. This will restore the original deleted Hosts file.
  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start -> Run -> type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll and press the OK button
Step 10:

Please check Internet Explorer settings:
Open Internet Explorer - > Tools -> Internet Options ... -> click the Security tab -> click Internet icon -> press the Custom Level ,,, button.
Under ActiveX controls and plug-ins tick:
- Download signed ActiveX controls - Prompt
- Download unsigned ActiveX controls Disable
- Initialize and script ActiveX controls not marked as safe Disable
- Run ActiveX controls and plug-ins Enabled
- Script ActiveX controls marked safe for scripting Prompt

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Reboot and post a new HJT log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 600xcsp

600xcsp
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:A cold cold place!
  • Local time:10:10 PM

Posted 14 March 2005 - 11:03 PM

Thank you very much for the help. I was out of town over the weekend, but I am back on top of trying to rid myself of this awful thing. Below is the new HJT log. Just a note, the following short list was not present to delete:
C:\WINDOWS\system32\nethb32.dll <-- this file
C:\WINDOWS\system32\winnd.exe <-- this file
C:\WINDOWS\system32\netdf.exe <-- this file
C:\WINDOWS\sdktp.exe <-- this file
c:\wutemp\ <-- this folder
It seems to have worked, :thumbsup: I can use IE normaly now. My Home page came back and I am not getting any errors. I hope all looks good! I look forward to your response. Thanks again, 600XCSP

Logfile of HijackThis v1.99.1
Scan saved at 9:44:58 PM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\Xpoint\PE\pcrecsa.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\myCIO\Agent\UpdDlg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC06.EXE
C:\Documents and Settings\All Users\Documents\AV\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Atari\Atari Arcade Hits 2\Atari icon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.8.1.144.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McShield - Network Associates, Inc. - C:\WINDOWS\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - C:\WINDOWS\myCIO\Agent\myAgtSvc.Exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:10 PM

Posted 15 March 2005 - 10:24 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:10 PM

Posted 26 March 2005 - 05:32 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users