
My G/f Should Not Be Unattended At The Computer...;)


2 replies to this topic

#1 Revenant

Revenant

  • Members
  • 2 posts

Posted 18 March 2008 - 10:22 PM

Ok, so here's the skinny. Got completely toasted by a large scale infection. I tried to and believe I've cleaned it all solo, but, I hold you guys in the highest regard and wanted one of your analysts to take a look at my HJT log to be safe.

First, let me list everything that was going on before I took the steps I did to clean.

There was no anti-spyware, anti-virus, anti-idiot, anti-silly-me, or anti anything else installed on this computer. Yeah, I know, my bad. :thumbsup: This computer was mostly used for study and word processing and the like, and rarely touched the web, plus it's slow as poo, so I didn't want to put any more resource hogs on here. That's what I get I suppose.
Then, yesterday, I found the desktop wallpaper changed to a blue, "Your system has spyware and viruses causing many fatal errors! Click here to protect your computer from these threats!" The system tray also had a yellow caution sign with an exclamation point popping up an info message that ran between 2-3 different messages. "Your computer is infected with spyware", "Your computer is working very slowly because viruses have caused errors", etc.
The task manager had been disabled as well. I attempted to restore access to the task manager through group policies, and it still did not work.
I was also getting 2 different pop-ups. Both were listed as Windows Security Center, one with a red background, one looking a little more authentic, both listing specific viruses like "TrojanDownloader.XS" and "123messenger".
Also had a few irritating little programs installed that did not want to go away, "OuterInfo", "Internet Speed Monitor", and "Bat". Removing them through Windows would just prompt a reboot at which point they were back.

I installed Avast, Spybot, and Ad-Aware. Avast and Ad-aware pulled a couple little names each and listed them as repaired, but Spybot was the big winner listing:
180Solutions.SearchAssistant, 2020Search, CoolWWWSearch.Leftovers, Smitfraud-C, Win32.Agent.pz, SecondThought.STCLoader, Zango, Microsoft.WindowsSecurityCenter.TaskManager, and Zlob.DNSChanger.RTK
Spybot would crash if I attempted to fix all issues simultaneously, so I attempted to do them one at a time, which worked on everything except for one entry of win32.agent.pz which was in memory and was scheduled to be removed at reboot. Upon reboot, everything had returned.
There was also a program directory and listing in ad-aware for webHancer, but ad-aware seemed to rip that one out all by itself.
Using SmitFraudRem, Combofix, HJT, Spybot S&D, Avast, and AVG Anti-Spyware in that order, in safe mode, with system restore off and hidden files shown/show extensions for known file types/show system files checked, I believe everything has been banished to the realm of naughty code. That was a lot of rambling, I know, but I wanted you to have all the information you might need to analyze the HJT log as easily as possible. Now then, here is my HJT log, and I appreciate your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:11 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SMCSTA.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3462CBC7-5E7E-0ED3-0213-5900B8C98EE8} - C:\WINDOWS\system32\nwu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [SMCSTA.EXE] SMCSTA.EXE START
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\James\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKCU\..\Run: [Aaew] "C:\DOCUME~1\Holly\MYDOCU~1\WNSXS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Cofbqpkf] C:\WINDOWS\system32\?ecurity\w?crtupd.exe
O4 - HKCU\..\Run: [QdrModule13] "C:\Program Files\QdrModule\QdrModule13.exe"
O4 - HKCU\..\Run: [QdrPack14] "C:\Program Files\QdrPack\QdrPack14.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{190AE47B-3688-4D32-990C-BE950A2F0A7C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A51846-46A0-4480-8BF7-86A242F1F3E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{72AE5BD6-ED80-477A-BB17-D35D432E8EBD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{910DE215-D1CA-4A71-B014-6C3080349720}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{190AE47B-3688-4D32-990C-BE950A2F0A7C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{190AE47B-3688-4D32-990C-BE950A2F0A7C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 7308 bytes

Also, as a sidenote, once things began running without symptoms again, I removed Avast and AVG in favor of McAfee's Security Center. I couldn't install it with the infections, it just wouldn't work, but now it installed properly. Any opinions on it?
Lastly, in the HJT log, there are multiple listings similar to:
O17 - HKLM\System\CCS\Services\Tcpip\..\{190AE47B-3688-4D32-990C-BE950A2F0A7C}: NameServer = 208.67.220.220,208.67.222.222
What does this represent?

Thanks again in advance for your help!
Revenant
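The O17 lines the poster asks about are the DNS NameServer values HijackThis reads from the TCP/IP service keys (CCS is CurrentControlSet, CS1/CS2 are ControlSet001/002; the GUID names a network interface, and the Parameters key is the machine-wide setting), which is why a responder checks them whenever a DNS changer such as Zlob.DNSChanger is on the suspect list; 208.67.220.220 and 208.67.222.222 are OpenDNS' public resolvers. The following is an added example, not from the thread or from HijackThis: it parses O17 lines from a constructed sample (the thread's own entries plus one constructed entry with a different resolver and a made-up GUID) and flags any entry whose resolvers fall outside an allowlist the responder supplies.

```python
import re

# Constructed sample: three O17 lines copied from the posted log, plus one constructed
# line (placeholder GUID, documentation-range resolver) to exercise the flagging path.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{190AE47B-3688-4D32-990C-BE950A2F0A7C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Matches both the per-interface form (..\{GUID}) and the global Parameters form.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters): NameServer = (?P<ns>[0-9.,]+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID (None for the
    global Parameters key) and the list of resolver addresses."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append({
                "control_set": m.group("cs"),
                "interface": m.group("guid"),
                "nameservers": m.group("ns").split(","),
            })
    return entries


def flag_unexpected(entries, expected):
    """Entries whose resolvers are not all in the responder-supplied allowlist
    (the ISP's resolvers or a public service the owner chose on purpose)."""
    return [e for e in entries if not set(e["nameservers"]) <= set(expected)]


if __name__ == "__main__":
    found = parse_o17(SAMPLE_LOG)
    for e in flag_unexpected(found, {"208.67.220.220", "208.67.222.222"}):
        where = e["interface"] or "Parameters (global)"
        print(f"unexpected resolver(s) in {e['control_set']}: {where}: {e['nameservers']}")
```

Entries under CS1/CS2 matter because a DNS changer that writes every control set survives a "Last Known Good Configuration" boot, so the allowlist check should cover all of them, not just CCS.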



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2008 - 08:32 PM

Hello Revenant,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay. :blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 April 2008 - 08:11 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
