Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT- Trotwood


  • Please log in to reply
5 replies to this topic

#1 Trotwood

Trotwood

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:04 PM

Posted 30 April 2005 - 03:22 PM

Every time I connect to the internet, McAfee infoems me it detected and cleaned QLowZones-2.gen from two files that I've never seeen before. I've run Spybot-SD and Ad-Aware, to no avail. I think that when the Trojan was originally downloaded, it must have corrupted either my internet connection client software (sympatico) or IE6. I have since re-installed sympatico but the problem remains. I don't know how to uninstall IE6. Anyway, my Hijackthis log follows.

Thanks guys, I know how busy you are.
Trotwood

(Log follows)

====================================================
Logfile of HijackThis v1.99.1
Scan saved at 2:17:23 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\System32\Logitech.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spybot\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Logitech] Logitech.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [System32 TCP/IP Manager] service.exe
O4 - HKLM\..\RunServices: [Logitech] Logitech.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{468FB186-33EF-4F6D-A400-E6FD500DF15B}: NameServer = 206.47.244.59 206.47.244.113
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:04 PM

Posted 30 April 2005 - 05:26 PM

Hi Trotwood and welcome to the BC forums. I wuold like you to have a file scanned for me.

Go to the Jotti's malware scan site and submit the following files for a malware scanC:\WINDOWS\System32\Logitech.exe
Post the results of the scans back here and I will check the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 Trotwood

Trotwood
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:04 PM

Posted 30 April 2005 - 10:16 PM

Good grief. Thanks, OT. I thought it was a mouse driver. Amazing.

McAfee found none of this. I'm switching virus scanners.

(jotti.org scan follows)
============================================
Service load: 0% 100%

File: Logitech.exe
Status: INFECTED/MALWARE
MD5 1c9a6e91d89409e671b9de3da4a6389d
Packers detected: PE_PATCH.MORPHINE, MORPHINE, PEX, PE-CRYPT.STONE
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.RBot.B3656A20
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
mks_vir Found Win32.4 (probable variant)
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* File length: 119808 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\Logitech.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "Logitech"="Logitech.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Logitech"="Logitech.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKCU\Software\Microsoft\OLE".
* Sets value "Logitech"="Logitech.exe" in key "HKCU\Software\Microsoft\OLE".

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Creates a mutex pissoff.
* Will automatically restart after boot (I'll be back...).
VBA32 Found nothing

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:04 PM

Posted 30 April 2005 - 11:04 PM

Hi Trotwood. I just had a feeling about that file. I have never heard of a file named Logitech.exe that was started like that. It just goes to show you that you can't trust anyone (haha).

Ok, before we do the fix I have GOT to have a copy of that thing to play with. It looks like it will be very interesting. Can you please do this for me:

Please go to the Bleeping Computer Malware Submittal page and submit the Logitech.exe file. Use the following for the Link to topic where this file was requested:http://www.bleepingcomputer.com/forums/HJT_Trotwood-tx17352-0.html
Thanks!

Ok, let's get on with the fix. Please proceed with the following steps in order.

Step #1

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process.:C:\WINDOWS\System32\Logitech.exe
Step #2

Still in HijackThis, click the Back button and then click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Logitech] Logitech.exe
O4 - HKLM\..\RunServices: [Logitech] Logitech.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\System32\Logitech.exe
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode please reboot normally now.

Step #4

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 Trotwood

Trotwood
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:04 PM

Posted 01 May 2005 - 12:42 AM

OMG, I'm sorry, OT ... I blew the thing away. I just figured I wouldn't be needing it :thumbsup:

I also fried the registry keys that were referenced in the log. I don't know where I could have got it from in the first place ... but I think it might have been on my OEM Windows installation, so I'll check the CD. (I'm not sure. All I know is, the very first thing I installed after Win XP was my internet client software ... the very next thing I did after that was connect to my ISP ... and bingo, it was bombs away.)

I'll see if I can hunt the thing up again.

Once again, I'm sorry ... it just never occured to me that anyone would actually *want* this!

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:08:04 PM

Posted 01 May 2005 - 09:49 AM

Hey Trotwood. I can imagine that you wanted it off your system. I am assuming that you have taken care of the steps in my previous post and that your log is clean. How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users