Occasional Screen Blanks Out On Internet - Malware?


19 replies to this topic

#1 Bill N

Bill N

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 13 September 2008 - 12:41 PM

First of all, please forgive me for the rather long post that follows. I wanted to give you as much detail as possible. Rather than leave out something that might be important, I've probably erred on the side of being too verbose.

Basic system. Home network with DSL, linksys WRT54GX router, a desktop (wired) and a laptop (wireless), both running XP Pro SP3. Zonealarm and Avira antivir running all the time with frequent updates. Run SpybotSD every couple months to keep things clean - it usually doesn't find much other than Firefox cookies to get rid of.

About a month back I helped several people get rid of the amvo virus. In the process of learning about it, I got infected thru my thumb drive. Think I got it all clean with combofix and using an old DOS utility, PFM (personal file manager), to see and delete hidden files while explorer was closed, and regedit to clean up the directory.

Meanwhile, have had four incidents of the screen going to a solid color while on the internet. My notes from the most recent time are: 080828 again had the infamous colored screen takeover on the laptop. Again I immediately switched off the internet - this time by turning off the modem (which is before the router), leaving the wireless on (usually I just switch off the wireless on the laptop which immediately isolates the laptop). Today I thought I'd see if I could connect to the laptop via the network through the desktop. So, on the desktop I opened explorer and entered \\630m in the address bar. I could connect to the laptop this way and explore within the shared folders there. I could also do things on the laptop thru the keyboard (but couldn't see anything since my screen was solid blue color, FYI other times it's been green or purple). Anyway, looking at the shared folders over the network didn't do much for me other than to confirm that the laptop seemed alive and connected to the network.

Seems like there must be some kind of trojan/backdoor thing going on. Booted to the microsoft windows recovery console thing. Used the listsvc command to show all the services. Made an excel spreadsheet listing all the services that show up via the listsvc command. Then also booted normally and ran hijackthis, 'open the misc tools section', 'generate startup list' (with both 'list also minor sections' and 'list empty sections' boxes ticked). Then I compared the services section of that file with my spreadsheet of services found via the windows recovery console command listsvc thing. Interestingly enough there were several services listed through the listsvc command that didn't show up at all on the hijackthis generated startup services list! But I don't know what to make of it. Services shown by listsvc, but not by the HJT file include: Abiosdsk, abp480n5, ACPIEC, adpu160m, Aha154x, aic78u2, aic78xx, AliIde, amsint, asc, asc3350p, asc3550, Atdisk, Beep, bvrp_pci, cbidf2k, cd20xrnt, Cdaudio, Cdfs, cercsr6, Changer, CmdIde, Cpqarray, dac2w2k, dac960nt, dmload, dpti2o, Fastfat, Fdc, Fips, Flpydisk, Fs_Rec, hpn, i2omgmt, i2omp, ini910u, KSecDD, lbrtfdc, mnmdd, Modem, MountMgr, mraid35x, Msfs, Mup, MxlW2k, NDIS, NDProxy, Npfs, Ntfs, Null, Parport, PartMgr, ParVdm, PCIDump, PCIIde, Pcmcia, PDCOMP, PDFRAME, PDRELI, PDRFRAME, perc2, perc2hib, PGPdisk, PGPwded, ql1080, Ql10wnt, ql12160, ql1240, ql1280, RDPWD, Serial, Sfloppy, Simbad, Sparrow, symc810, symc8xx, sym_hi, sym_u3, TDPIPE, TDTCP, TosIde, Udfs, ultra, ViaIde, VolSnap, WDICA, Winsock, and WS2IFSL.

Also, I looked through the programs list in zonealarm for anything that might be suspicious:
c:\windows\system32\net.exe got installed on 4/14/2008
c:\windows\network diagnostic\xpnetdiag.exe on 4/14/2008.
c:\windows\system32\ntvdm.exe on 4/14/2008
c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe on 3/22/2007
c:\windows\system32\rundll32.exe on 4/14/2008
c:\program files\windows defender\msmpeng.exe on 11/3/2006 (the product name is 'windows defender' but the name in the program list is 'service executable'
c:\windows\system32\services.exe on 4/14/2008
c:\windows\system32\sethc.exe on 4/14/2008
c:\windows\system32\wuauclt.exe on 4/14/2008
These seem a bit suspicious to me, but I really don't know for sure.

I booted into safemode and ran sdfix, then I ran combofix. Cannot get Trend Micro's Housecall to work for me, SpybotSD, Avira, Malwarebytes' Anti-Malware, Trend Micro's RUBotted, and Prevx don't show anything. Uploaded a lot of different files from my system32 and system32\drivers folders to VirusTotal but most were negative. Admittedly my checking was a bit random since I don't really know what I'm looking for, but did get rid of a few suspicious files. Here is the list as well as the program on virustotal that reported them suspicious:

swreg.exe eSafe 7.0.17.0 2008.08.24 Suspicious File; Panda 9.0.0.4 2008.08.25 Suspicious file
swsc.exe eSafe - - Suspicious File
swxcacls.exe PCTools 4.4.2.0 2008.08.25 Application.NirCmd; Webwasher-Gateway 6.6.2 2008.08.25 Virus.Win32.FileInfector.gen!90 (suspicious)
zip.exe eSafe 7.0.17.0 2008.08.24 Virus in password protected archive
u2ddisk.dll Webwasher-Gateway 6.6.2 2008.08.25 Win32.Malware.gen!88 (suspicious)
u2fdif.dll Webwasher-Gateway 6.6.2 2008.08.25 Win32.Malware.gen!88 (suspicious)
u2frec.dll Webwasher-Gateway 6.6.2 2008.08.25 Win32.Malware.gen!88 (suspicious)
u2fsepv.dll Webwasher-Gateway 6.6.2 2008.08.25 Win32.Malware.gen!88 (suspicious)
u2ftext.dll Webwasher-Gateway 6.6.2 2008.08.25 Win32.Malware.gen!88 (suspicious)
msvbvm60.dll Webwasher-Gateway 6.6.2 2008.08.26 Win32.Malware.gen!90 (suspicious)
mdm.exe F-Secure 7.60.13501.0 2008.08.26 Suspicious:W32/Hidd.k!Gemini
vs7jit.exe F-Secure 7.60.13501.0 2008.08.26 Suspicious:W32/Hidd.k!Gemini
SDUpdate.exe Webwasher-Gateway 6.6.2 2008.08.27 Virus.Win32.FileInfector.gen!90 (suspicious)

I've gotten really bugged with this whole thing and have been working on it for well over a week nearly full time. I didn't want to have to reinstall everything from scratch, so tweaked my services files, disabling a lot of things like remote desktop, etc. following advice on blackviper.com regarding tweaks. My thinking was that if it was some sort of back door thing, that maybe by disabling services it would not be able to work. Anyway, my frustration level has maxed out, so here I am asking you smart folks to assist me!

Okay, here are the current symptoms. There are several hidden directories that I don't know where they came from. Examples include:
c:\documents and settings\default user
c:\documents and settings\localservice
c:\documents and settings\networkservice
Even though the CPU usage is 5% to 20%, sometimes the system is very slow. For example, just now it takes a full 15-25 seconds to open even a small text file in Notepad, and 30 seconds to open Excel, right click on a file and wait 5 seconds for the menu to pop up, etc. But after a reboot, things seemed back to normal speed. Sysinternals' RootkitRevealer showed 21 discrepancies. Here is the logfile of that. Weirdness in connecting to the internet. Sometimes when I'm connected Zonealarm shows activity but Firefox, Avira Antivir updater, Outlook Express, etc cannot connect to the internet, even though I seem to be connected. Other times they all connect okay with no difference in what I'm doing to connect in either case! In a DOS window, I've used netstat and nbtstat to try to check on what might be going on, but I'm new to them and don't really know what I'm doing there. Seems like something had changed (not me!) to enable NetBIOS over TCP/IP because my ports 137 to 139 and 445 were active. Went in (network connections > connection properties > internet protocol (TCP/IP) properties > advanced TCP/IP properties > WINS tab) and disabled TCP/IP for both my wired and wireless connections. That helped somewhat, but something is still actively listening over port 445 and I can't figure out how to stop it. The data from netstat is:
C:\>netstat -abv
Active Connections
Proto Local Address Foreign Address State PID
TCP 630m:microsoft-ds 630m:0 LISTENING 4
-- unknown component(s) --
[System]
UDP 630m:microsoft-ds *:* 4
-- unknown component(s) --
[System]
C:\>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
What component(s) in System is using port 445? I checked through ShieldsUp at grc.com and my ports are all hidden (thanks zonealarm!), but it still worries me about my port 445 being active. Also, seems like something suspicious was happening on a couple other ports. Here's the netstat data, as well as what I got when using grc's idserve.exe to check them out. I added the process name to the PID in parentheses, oh, and I only had a 15 day version of forcefield, so it's no longer active, or at least not supposed to be (so, why's it still doing something?). Anyway, here's the data:

C:\>netstat -aon
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 (System)
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 1580 (alg.exe)
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 436 (ForceField.exe)
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING 436
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 436
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING 436
TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING 436
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED 3416 (Firefox.exe)
TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED 3416
TCP 127.0.0.1:1033 127.0.0.1:1034 ESTABLISHED 3416
TCP 127.0.0.1:1034 127.0.0.1:1033 ESTABLISHED 3416
TCP 192.168.2.101:1839 125.252.226.19:80 CLOSE_WAIT 3416
TCP 192.168.2.101:1849 128.241.20.244:443 TIME_WAIT 0 (System Idle Process)
UDP 0.0.0.0:445 *:* 4 (System)

Initiating server query ...
Looking up the domain name for IP: 125.252.226.19
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 186
Expires: Wed, 03 Sep 2008 21:53:33 GMT
Date: Wed, 03 Sep 2008 21:53:33 GMT
Connection: close
Query complete.

Initiating server query ...
Looking up the domain name for IP: 128.241.20.244
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.1 403 Forbidden
Date: Wed, 03 Sep 2008 14:38:31 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Query complete.

Is it possible that something has hijacked or is masquerading as my system and/or system idle process? How would I find out?

Another worry is that I had several open shares, which I have since locked down using Sysinternals' ShareEnum. Using this led me to another worry (from my ignorance), and that's this: when I right click on a share that shows up in ShareEnum, click properties, then a permissions window comes up for that folder. If I click on the add button, and then on the advanced button within the 'select users or groups' window that comes up and then on the 'find now' button in the next window that opens, I see the following list of users: _ISW_RESTRICTED_GROUP_, Administrator, Administrators, ANONYMOUS LOGON, ASPNET, Authenticated Users, Backup Operators, BATCH, CREATOR GROUP, CREATOR OWNER, Debugger Users, DIALUP, Everyone, Guest, Guests, Help Assistant, HelpServicesGroup, INTERACTIVE, LOCAL SERVICE, NETWORK, Network Configuration Operators, NETWORK SERVICE, Power Users, Remote Desktop Users, REMOTE INTERACTIVE LOGON, Replicator, SERVICE, SUPPORT_388945a0, System, TERMINAL SERVER USER, Users, as well as my normal accounts. My worry is why are there so many potential users and usergroups on the computer? Is this normal? Is there some way simply to delete some of those so that they are not even potentially able to logon? Originally I had opened the shares so that I could share files back and forth between my desktop and laptop. Is there some way to safely share files back and forth between the desktop and laptop only on the LAN *WITHOUT* exposing them to potentially malicious people on the WAN (=internet)?

One thing I noticed is that I have a reference to a service called vsdatant. The System Internals section of the Tools tab of SpybotSD showed that I have a missing shared DLL reference to c:\windows\system32\drivers\vsdatant.sys, whereas the actual file is c:\windows\system32\vsdatant.sys (Zone Labs, LLC, 7/9/2008 9:05 AM, ver.7.0.483.0, size 394,952 bytes). I assume this is a ZoneAlarm thing and is legit. Maybe an older version kept it in the drivers file, whereas the newer version keeps it in the system32 file?

I used cleanmgr to remove temp files and temp internet files. I ran AdAware. It found three MRUs the first time, which I removed. Again, it found 1 MRU the next two times, which I also removed. The next time it found nothing. I also ran SpybotSD and it didn't find anything. When I tried to run Trendmicro's housecall as it was updating and starting housecall it gave me a yellow triangle message saying "Warning, the HouseCall-API did not define a Native Binding!" and then it wouldn't work. (how to fix that?) On my desktop housecall seemed to run, but after over 8 hours it didn't seem to be getting anywhere. On the results tab it listed four errors: MS08-031, MS08-033, MS08-046, & MS08-049. Each error said, "An error occurred while trying to retrieve more information about this vulnerability. There is currently no more information available." Then I ran Panda software's activescan, aside from identifying combofix and processor.exe within sdfix, it found a few things, nothing of which seemed very significant. Here's its report:
Threats with free disinfection (1)
Medium danger level (1)
Trj/Citifraud.... Virus Latent Hide + Info
1. Local Folders\Sent Items\Fw: [TAGGED] SunTrus...To_Email] - Verification\~0000003.~
Threats disinfected with the paid version (2)
Low danger level (2)
Application/Pr... Tracking Application Latent Hide + Info Not disinfectable
1. C:\Documents and Settings\Bill-Alice\Desktop\...\SDFix.exe][SDFix\apps\Process.exe]
2. C:\Documents and Settings\Bill-Alice\Desktop\...\SDFix.exe][SDFix\apps\Process.exe]
3. C:\Documents and Settings\Bill-Alice\Desktop\...\SDFix.exe][SDFix\apps\Process.exe]
4. C:\SDFix\apps\Process.exe
HackTool/Scans... Hack Tool Latent Hide + Info
1. C:\WINDOWS\Installer\842a66f.msi[unk_0058]
2. C:\Program Files\Lg\SafeArch\SafeArch.exe
3. C:\Program Files\Lg\SafeArch\FindArch.exe
Suspicious files (1)
C:\Documents and Settings\Bill-Alice\Desktop\System disk\ComboFix\ComboFix.exe Not sent

I deleted the phishing email, as well as the .msi file. SafeArch and FindArch are programs I use to back up the registry and system files, so I don't suspect them to be a problem. I next ran bitdefender's online scanner on the laptop, but couldn't get it to run on the desktop. I noticed on the desktop that when I open internet explorer something wanted to add a browser extension, which I denied (via teatimer). On the laptop bitdefender found nothing. I ran McAfee's stinger program on both computers and it found nothing. I also ran HJT and checked the log with http://www.spyandseek.com/, but it didn't seem like there was anything unusual.

Sorry to go on and on. I've been able to solve virus problems in the past, but this time it's just beyond my ability. Should I just reformat and reinstall everything from scratch? Please forgive my lengthy post, but please do help me out. Thanks in advance!
-Bill

Edited by Orange Blossom, 13 September 2008 - 10:44 PM.
Move to more appropriate forum. ~ OB

Bill

being made of mud, it's possible to be a bit muddled, no?
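The post above asks what owns port 445 and whether the PID 0 entry means something is masquerading as the System Idle Process. Two facts help read that netstat output: on Windows XP the SMB file-sharing server (the "Server" service, srv.sys) runs in kernel mode, so its 445 listener is charged to the System process (PID 4) and is expected whenever File and Printer Sharing is enabled; and a socket in TIME_WAIT no longer belongs to any process, so netstat reports it under PID 0. What a defender actually wants from `netstat -aon` is a triage: which listeners are bound to every interface (reachable from the LAN or the internet unless a firewall filters them, which is what the ShieldsUp "stealth" result reflects) versus loopback only, and which established connections go to addresses outside private space, with the owning process for each. The Python script below is an added example, not code from the thread; its input is a constructed subset of the netstat output quoted in the post, and the PID-to-process names are the ones the poster added by hand.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input: a subset of the `netstat -aon` output quoted in the
# post above, plus the PID-to-process mapping the poster added by hand.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1580
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       436
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED     3416
  TCP    192.168.2.101:1839     125.252.226.19:80      CLOSE_WAIT      3416
  TCP    192.168.2.101:1849     128.241.20.244:443     TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

PID_NAMES = {4: "System", 1580: "alg.exe", 436: "ForceField.exe",
             3416: "Firefox.exe", 0: "System Idle Process"}


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the UDP "*:*" placeholder
    state: str                   # "" for UDP, which has no state column
    pid: int


# One netstat row: proto, local ip:port, foreign ip:port, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Parse the rows of `netstat -aon`; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        rows.append(Socket(proto, lip, int(lport), rip,
                           None if rport == "*" else int(rport),
                           state or "", int(pid)))
    return rows


def bind_scope(ip: str) -> str:
    """Where a listener can be reached from, judged by its bind address alone."""
    if ip in ("127.0.0.1", "::1"):
        return "loopback"        # only programs on this machine can connect
    if ip in ("0.0.0.0", "::"):
        return "all-interfaces"  # every NIC; LAN/WAN reachable unless firewalled
    return "one-interface"


def is_private(ip: str) -> bool:
    """True for RFC 1918 / loopback addresses, False for anything public."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def listeners(rows: List[Socket], pid_names) -> List[Tuple[str, int, str, str]]:
    """(proto, port, scope, process) for each TCP LISTENING socket and each UDP socket."""
    return [(s.proto, s.local_port, bind_scope(s.local_ip), pid_names.get(s.pid, "unknown"))
            for s in rows if s.proto == "UDP" or s.state == "LISTENING"]


def exposed_listeners(rows: List[Socket], pid_names) -> List[Tuple[str, int, str]]:
    """Listeners bound to every interface: the ones to account for first."""
    return [(proto, port, name) for proto, port, scope, name in listeners(rows, pid_names)
            if scope == "all-interfaces"]


def external_peers(rows: List[Socket], pid_names) -> List[Tuple[str, Optional[int], str, str]]:
    """TCP connections whose far end is outside private/loopback space, with owner."""
    return [(s.remote_ip, s.remote_port, s.state, pid_names.get(s.pid, "unknown"))
            for s in rows
            if s.proto == "TCP" and s.state != "LISTENING" and not is_private(s.remote_ip)]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for item in exposed_listeners(rows, PID_NAMES):
        print("exposed listener:", item)
    for item in external_peers(rows, PID_NAMES):
        print("external peer:", item)
```

On the sample the only all-interface listeners are TCP and UDP 445 under System, and the two public peers are both attributed to the browser's PID or to the already-closed TIME_WAIT socket; the loopback-only ForceField and alg.exe ports are not reachable from the network at all. The bind address says nothing about firewall filtering, so a listener reported here as exposed can still be invisible to an outside scan, as the post's ShieldsUp check showed.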


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 12:04 AM

4/14/2008


born on date for sp3 files

Examples include:
c:\documents and settings\default user
c:\documents and settings\localservice
c:\documents and settings\networkservice


they are standard for xp
Chewy

No. Try not. Do... or do not. There is no try.

#3 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 03:00 PM

Chewy, thanks for the reply. I'm no geek, so I'd really like some help if you can tell me what to try next, I'd be grateful. At this point, if you just say 'reinstall everything from scratch' I'm totally open to that since I've been real frustrated with this and have worked on this about 2-3 weeks on my own before venturing into the forum to post about it. This is the first time I've ever posted to any forum, so your bearing with a newbie is appreciated in advance. Thanks.
Bill

being made of mud, it's possible to be a bit muddled, no?

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 03:29 PM

I would probably reload my best or easiest computer, but there's no way I would load that witch's brew you are running.

I keep my programs simple, too much security can be worse than too little

I had a usb autorun.inf infection hit me back in march, it was "state of the art", I was immediately told we can't treat that in the "am I infected" subforum.

I had already downloaded MBAM, SAS, and updates, SDFix. ATFCleaner and other selfhelp tools to a folder on my desktop, for some odd reason I didn't use combofix, HJT or any other advanced tool. I wasted? an hour or two running some extra scans, even 2 or 3 rootkit ones.

I like avira (I have tested it), I do not like zone alarm or teatimer

I let spybot immunize me and install the sdhelper, I am fully updated

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HJT.exe


3 years, 2 major infections and maybe 1 repair disk
Chewy

No. Try not. Do... or do not. There is no try.

#5 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 04:38 PM

I read thru my original post again. Forgot to mention that the *only* time I've had the problems with the colored screen thing are when I've been online using StrategyDesk (a program from TDAmeritrade for screening stocks & looking at market data). I wrote to their techsupport folks about the problem and they said they haven't had others complain about any problems like that (which is what made me think it was a possible hack rather than a software bug in StrategyDesk). It doesn't happen all the time, and on any given day I can be doing the exact same things with no problems at all.

Chewy, other than zone alarm and tea timer, what other part(s) of my "witch's brew" would you avoid on a re-install? I know lots of people don't like zone alarm, but I've been using it for years, and have learned to live with its idiosyncrasies. ...anyway, if you or anyone could help me take a couple steps to see if I've been hacked or have some malware onboard, I'd be grateful. I appreciate your advice so far.
Bill

being made of mud, it's possible to be a bit muddled, no?

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 04:48 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!



**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Chewy

No. Try not. Do... or do not. There is no try.

#7 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 05:12 PM

When I downloaded SmitfraudFix.exe, Avira AntiVir Guard said that it was infected with SPR/Tool.Reboot.F. Is this normal (=false positive) with SmitfraudFix, or is something else trying to attach itself to, or change, the download? The message from AntiVir Guard said, "Affected files in archives are not repaired or deleted! Note: The entire archive is selected from the affected! Contains recognition pattern of the SPR/Tool.Reboot.F program." So, should I run SmitfraudFix?
Bill

being made of mud, it's possible to be a bit muddled, no?

#8 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 05:43 PM

Okay, did a search on smitfraudfix, (should have done that before posting the question - sorry). I'll count it as a false positive & run it.
Bill

being made of mud, it's possible to be a bit muddled, no?

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 05:49 PM

Smitfraudfix is a relatively safe program; running just a scan with it is very, very safe. Like any other good antimalware tool, it has some powerful components that antivirus doesn't like, similar to your scans showing sdfix and combofix.
Chewy

No. Try not. Do... or do not. There is no try.

#10 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 06:15 PM

Here's the SmitfraudFix rapport.txt:

SmitFraudFix v2.350

Scan done at 4:25:46.90, Mon 09/15/2008
Run from C:\Documents and Settings\Bill-Alice\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill-Alice


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill-Alice\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILL-A~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="PGPmapih.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Bill

being made of mud, it's possible to be a bit muddled, no?

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 06:33 PM

Select option #1 - Search by typing 1 and press Enter


Chewy

No. Try not. Do... or do not. There is no try.

#12 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 06:53 PM

Did that, posted it (above). What else?
Bill

being made of mud, it's possible to be a bit muddled, no?

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 07:25 PM

SmitFraudFix v2.350

Scan done at 19:29:08.21, Sun 09/14/2008
Run from C:\Documents and Settings\Chewy\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\xxx\My Documents\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


what happened to that part of the log?

Edited by DaChew, 14 September 2008 - 07:27 PM.

Chewy

No. Try not. Do... or do not. There is no try.
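The log quoted in the reply above shows what SmitfraudFix reports when the hosts file holds anything beyond the default localhost line: "hosts file corrupted !" followed by the extra entries. The two entries shown map names to 127.0.0.1, which blocks those names rather than redirecting them (the reply mentions having let Spybot immunize the machine, and blocking entries are what immunization tools write). The entry type a defender has to worry about is the other kind: a name sent to some foreign address, which silently moves a bank, vendor or antivirus-update hostname to a server the attacker controls. The script below is an added example, not part of the thread or of SmitfraudFix; it assumes the tool flags any non-default entry, and its input is a constructed hosts file containing the default line, the two entries from the log, and one made-up redirect to a documentation-range address so both classes appear.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed sample hosts file: the Windows default entry, the two immunization
# entries quoted in the log above, and one made-up pharming-style redirect
# (203.0.113.0/24 is a documentation range, so nothing real is pointed at).
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored by the resolver

127.0.0.1       localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
203.0.113.5  www.example-bank.invalid   # constructed redirect entry
"""


class HostEntry(NamedTuple):
    ip: str
    name: str
    kind: str   # "default", "blocked" or "redirected"


def classify(ip: str, name: str) -> str:
    """Default localhost line, a blocking (sinkhole) entry, or a redirect elsewhere."""
    addr = ipaddress.ip_address(ip)
    if name.lower() == "localhost" and addr.is_loopback:
        return "default"
    if addr.is_loopback or addr.is_unspecified:   # 127.x or 0.0.0.0: name goes nowhere
        return "blocked"
    return "redirected"                            # name is sent to another host


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file syntax: '<ip> <name> [<alias>...]', '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed line; the resolver ignores it too
        for name in names:
            entries.append(HostEntry(ip, name, classify(ip, name)))
    return entries


def non_default(entries: List[HostEntry]) -> List[HostEntry]:
    """Everything a 'corrupted hosts file' style check would list."""
    return [e for e in entries if e.kind != "default"]


def redirected(entries: List[HostEntry]) -> List[HostEntry]:
    """The entries worth investigating: names pointed at a different host."""
    return [e for e in entries if e.kind == "redirected"]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for e in non_default(parsed):
        print(f"{e.kind:10} {e.ip:15} {e.name}")
```

Run against the sample, the two spybot names come back as blocked and only the constructed bank entry as redirected; on a real machine the redirected list is the one to compare against what the affected programs (browser, antivirus updater) are failing to reach.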

#14 Bill N

Bill N
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Location:India
  • Local time:01:34 PM

Posted 14 September 2008 - 09:39 PM

Hi Chewy,

This time I copied SmitfraudFix to the root of C and ran it again. There was one error as it ran (which I think was there each of the last two times as well). It said, "Scanning Process...
C:\SmitfraudFix\ProcessList.vbs(18, 1) Microsoft VBScript runtime error: The remote server machine does not exist or is unavailable." I was online at the time I ran it and don't think anything should have been blocking access to any remote server. So, I wonder what the deal is.

Here's the complete text of rapport.txt:
SmitFraudFix v2.350

Scan done at 8:00:25.98, Mon 09/15/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill-Alice


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill-Alice\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILL-A~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="PGPmapih.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

So, what do I do now? :thumbsup: Grateful for your help!
Bill

being made of mud, it's possible to be a bit muddled, no?

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:34 PM

Posted 14 September 2008 - 09:44 PM

Then also booted normally and ran hijackthis, 'open the misc tools section', 'generate startup list'


I would like to see this
Chewy

No. Try not. Do... or do not. There is no try.
