
Perfect Defender/ Computer 1


  • This topic is locked This topic is locked
7 replies to this topic

#1 JAJR


Posted 11 January 2009 - 07:26 PM

I have 2 issues. (1) should I delete gdi32.dll and kernel32.dll as discussed below? (2) please review HJT log for any problems.

My computer was attacked by Perfect Defender. I have removed it successfully using a link from this website. The attack occurred on 1/10/09 at 6:12pm. Besides installing Perfect Defender, the attack installed these files: usanaz.exe, manol.exe, xerks.exe, sinashi.exe, and rasim.exe.

I have deleted all of these files. HOWEVER, at the same time as the attack, 2 additional files were modified: kernell32.dll and gdi32.dll. Both were installed in Application Data files, just as the offending files were.

Searches on the internet advise me that these .dll files are OK. However, since they were modified at the same time as the attack, I am not sure whether to delete them or not. Should I delete them?

Please also review my HJT log, which follows, for these and any other issues. Thank you in advance for your assistance.
Joe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:25 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aliotolawfirm.local
O17 - HKLM\Software\..\Telephony: DomainName = aliotolawfirm.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aliotolawfirm.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: McAfee Application Installer Cleanup (0165381231191014) (0165381231191014mcinstcleanup) - Unknown owner - C:\DOCUME~1\JALIOT~1.ALI\LOCALS~1\Temp\016538~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6747 bytes
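A defender-side check for the two things asked about in this post: names that look like core Windows DLLs (e.g. a "kernell32.dll" with a double l) sitting under a user-writable folder such as Application Data rather than under C:\WINDOWS, and autostart or service entries whose target file is missing. This is an added example written for this page, not part of the original thread or of the HijackThis tool; the log lines inside it are constructed for the demo and the list of core DLL names is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis style (not the log posted above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\joe\Application Data\kernell32.dll
O4 - HKCU\..\Run: [gdi] C:\Documents and Settings\joe\Application Data\gdi32.dll
O23 - Service: Installer Cleanup (cleanupsvc) - Unknown owner - C:\DOCUME~1\JOE\LOCALS~1\Temp\016538~1.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# Assumed list of well-known system DLL names that malware likes to imitate.
CORE_DLLS = ("kernel32.dll", "gdi32.dll", "user32.dll", "ntdll.dll", "advapi32.dll")

@dataclass
class Finding:
    kind: str      # "lookalike" (system DLL name outside C:\WINDOWS) or "dangling" (file missing)
    section: str   # HJT section prefix, e.g. O4 or O23
    path: str

def within_one_edit(a: str, b: str) -> bool:
    """True if a equals b or differs by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]

def review_hjt(log: str) -> list[Finding]:
    """Walk HJT-style lines and flag missing targets and look-alike DLL names."""
    findings: list[Finding] = []
    for line in log.splitlines():
        m = re.match(r"^(R\d|O\d+)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, entry = m.groups()
        pm = re.search(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", entry, re.I)
        path = pm.group(0) if pm else ""
        if "(file missing)" in entry.lower():
            findings.append(Finding("dangling", section, path))
            continue
        if not path:
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        in_windows_dir = path.lower().startswith("c:\\windows\\")
        if not in_windows_dir and any(within_one_edit(name, d) for d in CORE_DLLS):
            findings.append(Finding("lookalike", section, path))
    return findings

if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"{f.kind:9} {f.section:4} {f.path}")
```

Flagged entries are leads for a reviewer, not verdicts: a matching name in the wrong folder or a service pointing at a missing file is what a helper would ask the poster to look at first.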


#2 JAJR


Posted 11 January 2009 - 07:40 PM

Sorry, I forgot to post the DDS.txt file and zipped Attach file. Here they are. My thanks, Joe


#3 JAJR


Posted 12 January 2009 - 11:25 AM

THIS IS AN UPDATE:

On a scan this morning, AVG found svchost.exe process trying to open a trojan. Threat name: "Trojan horse Downloader.Agent.AMSH." When I attempt to have AVG heal the threat, it returns an error "Specified file cannot be found." The screenshots are attached in Word doc.

Thank you in advance for your assistance,
Joe


#4 JAJR


Posted 13 January 2009 - 03:04 PM

THIS IS AN UPDATE -- PART 2

It's getting ugly. AVG this morning found nine (9) instances of trojans. They are (1) Zlob, (2) Generic12ATMU, and instances (3) thru (9) Downloader.Agent.ASMH.

The first three trojans seem to have attacked my Symantec, as processes running are C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe. Please also note that my Symantec virus scan finds NOTHING when a scan is run. Did this beast disable my Symantec?

The other six (6) trojans (or same one run 6 times) are running processes from the following: C:\WINDOWS\SYSTEM32\svchost.exe.

I'm getting worried this is on the verge of crippling the system. The computer has rebooted twice on its own the last few days. Your help, as always, is very much appreciated.

Screenshots are attached.

Joe

#5 JAJR


Posted 13 January 2009 - 03:11 PM

The screenshots were too large to attach. I've divided the screenshots into 2 files. The first is attached, zipped. The second will be attached to the next reply.


#6 JAJR


Posted 13 January 2009 - 03:14 PM

OK, it won't let me attach anything else. Suffice to say that the screenshots in the preceding show the viruses found (1) thru (7) out of a total of 9. Virus instances 8 and 9 are identical to 4 thru 7. Hope that makes sense. Thanks, Joe

#7 JAJR


Posted 18 January 2009 - 11:02 PM

I've had to move ahead and reload Windows. Please close this string. I still need help here, though: http://www.bleepingcomputer.com/forums/ind...p;#entry1088641.

Thank you.

#8 KoanYorel


Posted 19 January 2009 - 08:26 AM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
