

HJT Log


8 replies to this topic

#1 juliemango

Posted 19 March 2005 - 01:31 PM

Hi gurus. I had tremendous help from another pro recently with removing some spyware, now I've got these three ominous sounding germs and I need help again. I just downloaded a trial version of a photo editing program (P2Show) and when my weekly scheduled NAV ran, these were identified: Installer v7.exe (twice) - (Backdoor sdbot) + tester500.exe (Hacktool.) This is the HJT log. Please help.
Thanks in advance.

Juliemango

Logfile of HijackThis v1.99.1
Scan saved at 1:33:28 PM, on 19/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
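An added example, not part of this thread and not a HijackThis feature: a small Python parser for the O4 (autostart) and O23 (service) lines in the log above. It flags the two things a log reviewer checks first, services whose owner HijackThis could not identify and Run entries that give a bare file name instead of a full path. The line shapes it assumes are the ones shown in the log; the sample lines are copied from it.

```python
import re

# Assumed line shapes, taken from the HijackThis log posted above.
RUN_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Sample input: lines copied from the log above (other sections are ignored).
SAMPLE_LOG = [
    r'O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll',
    r'O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe',
    r'O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe',
]


def parse_entry(line):
    """Return a dict for an O4 or O23 line, or None for any other line."""
    m = RUN_RE.match(line)
    if m:
        return {'kind': 'run', **m.groupdict()}
    m = SVC_RE.match(line)
    if m:
        return {'kind': 'service', **m.groupdict()}
    return None


def triage(lines):
    """Flag entries worth a closer look: services with no identifiable owner,
    and autostart commands without a drive-qualified path (those resolve
    through the search path, so a look-alike file elsewhere could win)."""
    findings = []
    for line in lines:
        entry = parse_entry(line.strip())
        if entry is None:
            continue
        if entry['kind'] == 'service' and entry['owner'] == 'Unknown owner':
            findings.append(('unknown-owner service', entry['name'], entry['path']))
        elif entry['kind'] == 'run':
            # Drop a leading quote so a quoted full path is still recognised.
            first_token = entry['cmd'].strip().strip('"').split(' ')[0]
            if ':\\' not in first_token:
                findings.append(('no full path in Run entry', entry['name'], entry['cmd']))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An "Unknown owner" service is not proof of anything bad (the ATI driver service above is legitimate); it only says the reviewer has to identify the file by hand.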


#2 OldTimer


Posted 19 March 2005 - 03:40 PM

Hello juliemango and welcome to the BC forums. After reviewing your log I see no problems with viruses or malware. That is good since we now know that there are no bad programs starting up when Windows starts up. Many times malware files reside in the system's temporary files area or the temporary Internet Explorer file area. Let's clean those areas out and then run another virus scan.

Download and run Steven Gould's free CleanUp! program. After it is installed start CleanUp! and click the CleanUp! button. This will clean up all areas of temporary files on your computer. When the program is finished running reboot your computer and have your anti-virus application perform a full system scan. Post back here and let me know if there were any viruses or malware found.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 juliemango


Posted 19 March 2005 - 05:34 PM

Thanks for your swift reply OldTimer. Did the CleanUp, but NAV still returned the three infected files. They all cannot be repaired, quarantined or deleted. I've gone through the Symantec site, run regedit and cannot locate the right pane value they named and directed I delete: "Miosf Update"="wimsqaad.exe." I'm not sure now that this should have been an HJT log because I think it is for spyware only, not viruses or worms. But...who am I. Anyway, where do I go from here? Thanks again OldTimer.

Juliemango

#4 OldTimer


Posted 19 March 2005 - 05:53 PM

Hi juliemango. Can you provide me with the complete path and file names of the files that are coming up as infected? Depending on where they reside it could affect an anti-virus application's ability to quarantine or delete them.

Thanks,

OT

#5 juliemango


Posted 19 March 2005 - 07:19 PM

Hi again, OT. This is what NAV says about each item:

1. The compressed file Installer_v7.exe within test.rar within C:\Program Files\Common Files\scanatos.exe is infected with the Backdoor.Sdbot virus.

2. The compressed file Installer_v7.exe within C:\Program Files\Common Files\updates\test.rar is infected with the Backdoor.Sdbot virus.

3. The compressed file tester500.exe within C:\Program Files\Common Files\scanatos.exe is infected with the Hacktool virus.

Merci,

Juliemango

#6 OldTimer


Posted 19 March 2005 - 10:11 PM

Hi again juliemango. To delete the files do this:

Open Windows Explorer and in the left pane navigate to C:\Program Files\Common Files\. In the right pane look for the scanatos.exe file and click on it to select it. Then hold down the Shift key and press the Del key to delete it without sending it to the Recycle Bin.

Next, in the left pane navigate to C:\Program Files\Common Files\updates\ and in the right pane look for test.rar. Click on it to select it and then press the Shift and Del keys again.

If you cannot find the files then follow these steps to show all hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Done! Try your scan again.

Cheers.

OT

#7 juliemango


Posted 20 March 2005 - 12:28 PM

Thank you OT...you da mahn! I've got my "Precioussssss" back. Much appreciated.

Juliemango

#8 OldTimer


Posted 20 March 2005 - 12:56 PM

You are very welcome juliemango. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster, SpywareGuard and IESpy-Ad. They will add 1000's of sites to your restricted zone and block some hijacks from happening.

It is good that you are running a good firewall and anti-virus program. It is critical to have both to protect your system. Make sure to keep them updated with the latest updates available.

To keep your system up to date and clean visit Windows Update monthly, run AdAware SE and Spybot Search & Destroy weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

#9 juliemango


Posted 18 March 2006 - 07:37 PM

Thank you so much OT. It looks like there may have been another moderator involved before you. I think it was about spyware removal and the instructions were to Start>Search files /Folders>...then I had to type in *chk*,tmp....I'm really not sure of the characters. Anyway, I'd do that in conjunction with the Norton and AdAware scans. I'll take a look at the names of the moderators and maybe the name'll trigger my memory again. Once again though, you've been very helpful. Merci.

Juliemango



