
Ie7 Homepage Hacked: Potential Malware (worm.vbs.small.n)


15 replies to this topic

#1 Saurav Raaj

Saurav Raaj

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:42 PM

Posted 22 May 2008 - 04:50 AM

Hi.

I am carrying this topic here from the "Am I infected? What do I do?" forum and the topic "Ie: Xpc Infosystems, IE Homepage hijacked !!!". All troubleshooting is included in the earlier post.

The problem in short is that the IE7 Homepage is hijacked to "http://nvr.xpc.co.in" and the IE Window Title has changed to XPC Infosystems.

1. Performed a scan using Kaspersky Online Scan, which showed Worm.VBS.Small.n as the infection. Result attached.

2. Performed a scan using Deckard's System Scanner. However, I ended up closing the notepad files "main" and "extra". How can I locate them on the system drive?

3. Have followed the steps as mentioned in the topic "Ie: Xpc Infosystems, IE Homepage hijacked !!!" but enabled Windows Scripting so that it could be caught by the scans.

Please help to solve this.

Thanks


The HJT Log is attached below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:57 PM, on 22/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\etlitr50.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\ntvdm.exe
D:\Installation Files\Malware\DeckardSystemScanner.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\sraaj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [GetInfo] C:\Program Files\McAfee\Common Framework\GetInfo.exe
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\ART\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\ART\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.smartforce.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207287059229
O16 - DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} (Schlumberger Log Graphics Wrapper) - https://bombay.interact.slb.com/webdd/LgWrapper.CAB
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gateway.slb.com/dana-cached/setup/J...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mea.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = mea.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mea.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mea.slb.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINDOWS\etlisrv.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10412 bytes

Attached Files





#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 29 May 2008 - 11:00 AM

Saurav Raaj

Sorry for the delay

You have a suspicious file I would like to look at

Please go HERE

Put Your Name, and Bleeping Computer HJT forum

and in the "File to submit" box, click Browse. Locate the file C:\WINDOWS\system32\NewVirusRemoval.vbs
In the comments tell them that I asked you to upload the file.
Then select Send File.

Thanks

2. Rerun Hijackthis (scan only) and place checks beside the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
Microsoft MVP - Windows Security
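The entries the reply above asks to fix (the F2 UserInit line and the HKCU Start Page / Window Title lines) are the persistence and hijack indicators in the posted log. As an added example, not code from this thread, from HijackThis or from either poster, here is a small Python script that parses log lines in the HijackThis format and applies those checks automatically: it reports a UserInit value that launches anything beyond userinit.exe, a per-user Start Page whose host differs from the machine-wide default, a custom IE Window Title, and any autostart entry that hands control to a script host or script file. The sample lines are copied from the log in post #1; the FIX/REVIEW labels and the check logic are this example's own, not HijackThis output.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Every HijackThis entry line starts with a section code such as R0, F2, O4, O23.
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Script hosts and script extensions that have no business in an autostart command.
SCRIPT_RE = re.compile(r"wscript\.exe|cscript\.exe|\.(vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)


def parse_lines(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_userinit(body):
    """F2 entry: on a clean XP system UserInit is a single command ending in userinit.exe.
    Anything appended after the comma is run by winlogon at every logon, before the shell."""
    if not body.lower().startswith("reg:system.ini: userinit="):
        return None
    value = body.split("=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extra = parts[1:] if parts and parts[0].lower().endswith("userinit.exe") else parts
    if extra:
        return "FIX: UserInit launches extra command(s): " + "; ".join(extra)
    return None


def check_start_pages(entries):
    """R0/R1 entries: compare the per-user Start Page host with the machine default
    and report a custom Window Title, which a stock IE install does not set."""
    values = {}
    for sec, body in entries:
        if sec in ("R0", "R1"):
            key, _, url = body.partition(" = ")
            hive = key.split("\\", 1)[0]    # HKCU or HKLM
            name = key.rsplit(",", 1)[-1]   # Start Page, Window Title, ...
            values[(hive, name)] = url.strip()
    findings = []
    user_page = values.get(("HKCU", "Start Page"))
    machine_page = values.get(("HKLM", "Start Page"))
    if user_page and machine_page:
        user_host = urlparse(user_page).hostname
        machine_host = urlparse(machine_page).hostname
        if user_host != machine_host:
            findings.append(f"FIX: HKCU Start Page host {user_host} differs from HKLM default {machine_host}")
    title = values.get(("HKCU", "Window Title"))
    if title:
        findings.append(f"FIX: custom IE Window Title set: {title}")
    return findings


def check_run_entry(body):
    """O4 entry: flag autostart commands that run a script host or a script file."""
    cmd = body.split("]", 1)[-1] if "]" in body else body.split("=", 1)[-1]
    if SCRIPT_RE.search(cmd):
        return "REVIEW: autostart runs a script: " + cmd.strip()
    return None


def triage(text):
    """Run all checks over a log and return the list of findings."""
    entries = parse_lines(text)
    findings = check_start_pages(entries)
    for sec, body in entries:
        if sec == "F2":
            finding = check_userinit(body)
        elif sec == "O4":
            finding = check_run_entry(body)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)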

#3 Saurav Raaj

Posted 29 May 2008 - 11:48 PM

Hi Bamajim,

Thanks for taking the time out to look into this problem.

I could not find the file NewVirusRemoval.vbs in C:\WINDOWS\system32\. Did a complete search of the C drive but was unable to find it.

I ran HJT and did the fix on the 3 items as indicated (saved the log before that), then restarted and ran the HJT scan again. Logs attached.

(I would like to add that AVG was uninstalled and IE8 beta installed and uninstalled, since the last HJT scan. Not sure if that could affect the scan result, but the problem continues to persist.)

The fixed items appear again.

Let me know how to proceed from here on.

Thanks again.
Saurav

HJT Log After Fix and Restart:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:28 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\oracle\ora10\bin\omtsreco.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\etlitr50.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hub.slb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [GetInfo] C:\Program Files\McAfee\Common Framework\GetInfo.exe
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\ART\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\RunOnce: [EFS_Check] C:\PROGRA~1\NOVADIGM\RADREXXW.EXE VIPEVENT.REX EFS
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\ART\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.smartforce.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1207287059229
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E399A0AF-72FA-4D8F-927F-28856D6B4E36} (Schlumberger Log Graphics Wrapper) - https://bombay.interact.slb.com/webdd/LgWrapper.CAB
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://securegateway.slb.com/dana-cached/s...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mea.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = mea.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mea.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mea.slb.com
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust® - C:\WINDOWS\etlisrv.exe
O23 - Service: Entrust/TrueDelete™ (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9919 bytes

Attached Files


Edited by Saurav Raaj, 29 May 2008 - 11:49 PM.


#4 bamajim

Posted 30 May 2008 - 08:30 AM

Saurav Raaj

You are most welcome.

The file shows up in the KV scan you posted as well. Let's make sure it's not hidden.

To enable the viewing of Hidden and System files follow these steps:
  • Right click on Start and select Explore.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files. Click Yes to confirm.
  • Press the Apply button and then the OK button.

Then see if you can locate the file C:\WINDOWS\system32\NewVirusRemoval.vbs
And this one as well: C:\WINDOWS\system32\RadiaVeri.vbs
Finally, do you have Administrator rights on this PC?
Microsoft MVP - Windows Security

#5 Saurav Raaj

Posted 03 June 2008 - 12:56 AM

Hi bamajim,

I was able to locate the file NewVirusRemoval.vbs and have uploaded the file at the location suggested by you. The other file RadiaVeri.vbs should be due to an application that runs on my machine. I don't suspect that to be malicious. Let me know if you need that file.

Thanks
Saurav

#6 bamajim

Posted 03 June 2008 - 08:32 AM

Saurav Raaj

I got the file. After examination, I have not decided if it is malicious or not, but it is linked to the entries that need to be deleted. Further study is needed on the file.

I suggest that we remove it since it does load other files and Registry entries which could easily be used for malicious purposes.

1. Using Windows Explorer (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following file: C:\WINDOWS\system32\NewVirusRemoval.vbs
Close windows explorer

2. Rerun Hijackthis (scan only) and place checks beside the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

3. If you don't mind I would like a copy of that other file please.

Edited by bamajim, 03 June 2008 - 08:34 AM.

Microsoft MVP - Windows Security

#7 Saurav Raaj

Posted 03 June 2008 - 10:54 PM

Bamajim.

When I went to locate the file NewVirusRemoval.vbs in C:\WINDOWS\system32\, a McAfee OAS pop-up came up which deleted the file and several registry items. I have attached the snapshot. It detected the infection as VBS/Autorun.worm.k. McAfee log file for today attached.

Interesting, it never did this earlier.

I was unable to locate the file NewVirusRemoval.vbs

Ran HJT and could find only one entry, so fixed that; the entry with F2 had changed so I did not touch that. HJT logs attached.

I started IE and this time it came up with www.msn.com as the homepage and says Windows Internet Explorer instead of XPC Infosystem. So how do I ensure the system is completely free of infection?

I can see NewVirusRemoval.vbs in My Recent Documents List in start menu.

Attached Files


Edited by Saurav Raaj, 03 June 2008 - 10:56 PM.


#8 bamajim

Posted 04 June 2008 - 08:24 AM

Saurav Raaj

> When I went to locate the file NewVirusRemoval.vbs in C:\WINDOWS\system32\, a McAfee OAS pop-up came up which deleted the file and several registry items. I have attached the snapshot. It detected the infection as VBS/Autorun.worm.k. McAfee log file for today attached.
>
> Interesting, it never did this earlier.

It would appear that McAfee was a little late.

> I was unable to locate the file NewVirusRemoval.vbs

McAfee beat you to it.

> Ran HJT and could find only one entry, so fixed that; the entry with F2 had changed so I did not touch that. HJT logs attached.

The Hijackthis log looks fine.

> I started IE and this time it came up with www.msn.com as the homepage and says Windows Internet Explorer instead of XPC Infosystem.

That's what we wanted. With the removal of the .VBS file, the home page reset, which is good. You can now set your home page to whatever you want by using the Tools menu in IE.

Almost there. Let's take one more look.

Please perform an Ewido Online Malware Scan
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found, (After you save the logfile), Click on Remove Infections.

Microsoft MVP - Windows Security

#9 Saurav Raaj

Posted 05 June 2008 - 02:01 AM

Bamajim,

ewido report.

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Webtrends
Path: C:\Documents and Settings\sraaj\Cookies\sraaj@m.webtrends[1].txt
Risk: Medium

Name: TrackingCookie.Statcounter
Path: C:\Documents and Settings\sraaj\Cookies\sraaj@statcounter[1].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\sraaj_old\Cookies\sraaj@ssl-hints.netflame[1].txt
Risk: Medium


Removed Infections
From my understanding, webtrends is a Microsoft cookie, though not sure of statcounter and netflame.

Another thing, McAfee flagged warning messages today as well, saying it cleaned/deleted the infections of Autorun.Worm.k. Today's McAfee OnAccessScan log...

6/5/2008 9:00:23 AM Engine version = 5200.2160
6/5/2008 9:00:23 AM AntiVirus DAT version = 5310.0000
6/5/2008 9:00:23 AM Number of detection signatures in EXTRA.DAT = None
6/5/2008 9:00:23 AM Names of detection signatures in EXTRA.DAT = None
6/5/2008 10:25:57 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe Start Page VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:15 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:16 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:16 AM Deleted MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe C:\System Volume Information\_restore{09A74410-2A7A-4F52-81C3-2188083C2136}\RP184\A0032828.vbs\A0032828.vbs VBS/Autorun.worm.k (Virus)


This is the third time, McAfee is pointing to the same locations since yesterday. Infection still on the machine?
I had posted another problem, which you may want to look at: "Registry Infected / Hijacked Dont Know". Not sure if this is related to the current problem.

Thanks for all the help.

#10 bamajim

Posted 05 June 2008 - 11:30 AM

Saurav Raaj

What McAfee has found is 2 reg entries (empty now) and System Restore Reference. The file is gone.

Your other issue could be related. What application are you trying to uninstall that is creating this error?

Please keep your responses in this thread so we don't have 2 open threads, thanks
Microsoft MVP - Windows Security
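The reply above reads the McAfee log by what each remediation touched rather than by how many lines it has. As an added example, not part of the thread and not McAfee tooling, here is a Python script that parses On-Access Scan lines in the format posted in post #9 and classifies the target of each Cleaned/Deleted event, so the question "is the infection still on the machine?" becomes "did any event touch a live file outside System Restore?". The four event lines are copied from post #9 and the header line is included to show the parser skips it; the category names, the regular expression and the Cleaned/Deleted action list are this example's own assumptions about the log format, taken only from the lines visible in the thread.

```python
import re
from collections import Counter

# Constructed sample: the four remediation lines from the McAfee On-Access Scan log
# posted above, plus one header line that the parser must ignore.
SAMPLE_OAS = r"""
6/5/2008 9:00:23 AM Engine version = 5200.2160
6/5/2008 10:25:57 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe Start Page VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:15 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:16 AM Cleaned MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell VBS/Autorun.worm.k (Virus)
6/5/2008 10:26:16 AM Deleted MEA\SRaaj C:\Program Files\Internet Explorer\iexplore.exe C:\System Volume Information\_restore{09A74410-2A7A-4F52-81C3-2188083C2136}\RP184\A0032828.vbs\A0032828.vbs VBS/Autorun.worm.k (Virus)
"""

# Assumed layout, derived from the posted lines: date, time, AM/PM, action, user,
# process (ends in .exe), target, detection name, (kind). Only the two actions seen
# in the thread are listed; extend the alternation for other action words.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) (?P<action>Cleaned|Deleted) (?P<user>\S+) "
    r"(?P<proc>.+?\.exe) (?P<target>.+) (?P<detection>\S+) \((?P<kind>\w+)\)$"
)


def classify_target(target):
    """Say what kind of object a remediation touched (category names are this example's own)."""
    t = target.lower()
    if "system volume information\\_restore" in t:
        return "restore-point copy"          # old copy kept by System Restore, not a live file
    if re.match(r"^hk(lm|cu|cr|u|cc|ey_)", t):
        return "registry value"              # key|value, e.g. Winlogon|Userinit
    if re.match(r"^[a-z]:\\", t):
        return "file on disk"                # a live file outside System Restore
    return "application setting"             # e.g. the IE Start Page


def parse_oas(text):
    """Return one dict per remediation event, skipping header and status lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["category"] = classify_target(event["target"])
            events.append(event)
    return events


def summarize(events):
    """Count categories, list live files that were hit, and name the Winlogon values touched."""
    counts = Counter(e["category"] for e in events)
    live_files = [e["target"] for e in events if e["category"] == "file on disk"]
    winlogon_values = [
        e["target"].rsplit("|", 1)[-1]
        for e in events
        if e["category"] == "registry value" and "\\winlogon|" in e["target"].lower()
    ]
    return {"counts": dict(counts), "live_files": live_files, "winlogon_values": winlogon_values}


if __name__ == "__main__":
    summary = summarize(parse_oas(SAMPLE_OAS))
    print(summary)
    if not summary["live_files"]:
        print("No live file was remediated: only registry values, a setting and a restore-point copy.")
```

Run against the posted lines, the summary shows two registry values (the Winlogon Userinit and Shell values), one application setting (the IE Start Page) and one restore-point copy, and no live file, which is the reading given in the reply above. Repeated hits on the same Winlogon values are worth watching: if they keep reappearing after the .vbs is gone, something else is still writing them.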

#11 Saurav Raaj

Posted 05 June 2008 - 10:57 PM

Bamajim,

I am trying to uninstall Adobe Acrobat 6.0.1 Professional. I also have Adobe Reader 8.1.1 installed.

I have been trying to uninstall Adobe Acrobat 6.0.1 Professional but after some time it gives the error with the registry -

Error 1402. Could not open key:
HKEY_LOCAL_MACHINE\Software\Classes\adbanner.adbanner\CurVer.
Verify that you have sufficient access to that key, or contact your support personnel.


After hitting the OK button, the uninstall process cancels itself and gives the message

Fatal error during installation

1. Tried using Administrator Account to uninstall, but same error
2. Tried several times to repair the application (hoping it will fix the registry items), and then uninstall, but same error.
3. Tried RegCleaner (4.3, Build 780 by Jouni Vuorio, homepage www.jv16.org) to clean up registry, but to no benefit.

I have attached the snapshot of the portion of the registry, which definitely looks abnormal. Duplication of registry entries !!!

What would you think the problem is?

Attached Files



#12 bamajim

Posted 06 June 2008 - 08:49 AM

Saurav Raaj

It seems to be a problem with Adobe.

Have you tried the solution offered by Adobe HERE ?

See if that helps
Microsoft MVP - Windows Security

#13 Saurav Raaj

Posted 09 June 2008 - 11:36 AM

Bamajim,

The third method worked. Thanks.

#14 bamajim

Posted 10 June 2008 - 09:19 AM

Saurav Raaj

How's your PC running now?
Microsoft MVP - Windows Security

#15 Saurav Raaj

Posted 12 June 2008 - 11:48 PM

It is running fine. Thanks.

I don't see any messages, or cryptic title bars.

I see you are now Distinguished Member. Congrats.

Saurav



