Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problem removing trojan Vundo.B


  • Please log in to reply
9 replies to this topic

#1 Paul999

Paul999

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 23 May 2005 - 02:46 PM

I have tried to remove the Trojan Vundo.B (as identified by NAV2004) using the Symantec removal tool, but without success. (Yes, I have followed the instructions carefully and many times.) Then I saw the detailed manual method suggested by Grinler posted May 13, 2005 at 10:09AM.
At step 14 (killing the threads with Process Explorer): 1) the threads are not resolved showing recognizable DLL names (even though I have downloaded the Microsoft debugging tools and symbols); 2) even if I could see recognizable DLL names it wouldn't help because when I try to kill any thread at random, I get the message "Access denied".
Thus, I arrive at a dead end at step 14.
The PC is running Windows XP-SP2 Home Edition. I don't include a HijackThis log because the difficulty seems to lie elsewhere.

BC AdBot (Login to Remove)

 


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 24 May 2005 - 08:36 AM

Please post a log anyway. It may show us the clues to what else is going on or a change to the infection, etc.

How to submit a Hijackthis Log

Can you confirm that you tried killing the threads in Safe Mode?

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Paul999

Paul999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 24 May 2005 - 11:45 PM

Hi Papakid.
Yes I did indeed run in Safe mode. Although I can't kill threads in the winlogin process, I can kill threads in the explorer process. In the latter case, I can see the resolved DLL name (drvtask); there are four instances running and I can kill them all with Process Explorer. Another interesting thing: the infection seems to be involved with Symantec/Norton applications. If I boot using Selective boot having unchecked all Symantec/Norton loaded services, the PC runs almost normally --- of course its no longer has that protection! The major symptom of this infection is that the winlogin process occupies most of the CPU time and everything is painfully slow. Here is the HijackThis log file.
Logfile of HijackThis v1.99.1
Scan saved at 23:31:12, on 2005-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\SERVIC~1\drvtask.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [UninstallDellSupport2.x] msiexec /qn /x {43FCA273-9534-40DB-B7C5-D7758875616A}
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24deaabf59fc90...RdxIE601_fr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O20 - Winlogon Notify: drvtask - C:\WINDOWS\SERVIC~1\drvtask.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The first O2 item and the first O20 item are the ones I have been concentrating on. Thanks.

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 25 May 2005 - 11:03 AM

Hi Paul
This has happened before--the inability to see or kill the Winlogon threads after using the Symantec Tool unsuccessfully. It was unclear in the one incident I remember what actually worked to accomplish removal, but it did eventually happen. Let's try something simple first, and I'll try to research this problem some more.

1. Don't try using the Symantec tool again. Reboot your PC two or three times and surf around a bit in between. Then try the removal procedure in the Self Help Guide again and see if drvtask.dll shows up in the Winlogon threads and if you are able to kill it/them.

2. If you are still unable to see the bad dll in the Winlogon threads, go ahead and kill the ones in Explorer. Then go back to Winlogon and see if they show up. If not, close the winlogon properties box, and in Process Explorer's View menu click Refresh now and try again.

3. If still no joy--and even if there is--while you have Process Explorer open, check to see if you have any processes from Norton running in safe mode. If so, go to the View menu again, click Show lower pane to put a check by it, then View>Lower pane view, and click Dlls so there is a check by it. Report back if you see drvtask.dll in the list or any other odd files.

4. While in Safe Mode, if you have been unsuccesful in killing the bad process, scan again with HijackThis and post a log from safe mode. Otherwise post a log from Normal Mode. I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. HijackThis can't "see" those if they are malware and might need to be removed. So please do this before posting another log:

Please click on start, then run, and type msconfig and then press enter.  When the window opens click on the startup tab and make sure there are checkmarks in every entry.  Then press ok until you are out of the program.  If it asks to reboot, do not reboot.

Create a new HijackThis Log and post it in your next reply.  After the log is created you can reset it as it was before.


The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#5 Paul999

Paul999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 27 May 2005 - 11:03 PM

Hi Papakid.
I followed your suggestions with the following results:
1. Can't see identifiable dll's in winlogon process; can't kill any threads.
2. this doesn't change the situation.
3. No I don't see any Norton/Symantec processes running - I checked them OFF in the Services tab of msconfig so that the PC would respond reasonably normally. But I do see one instance of drvtask.dll in the explorer process (in both Normal and Safe modes).
4. No I have not been able to solve the problem. The only items checked OFF are the Symantec/Norton services mentioned before. Here is the log from Safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 23:36:14, on 2005-05-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\SERVIC~1\drvtask.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24deaabf59fc90...RdxIE601_fr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O20 - Winlogon Notify: drvtask - C:\WINDOWS\SERVIC~1\drvtask.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks.

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 28 May 2005 - 12:11 PM

OK, Paul, I've found another case similar to yours. The fix involves using XP's Recovery Console, but before we do that I would like try something else and get some more information. I do need to know beforehand if you have your XP installation CD or if the machine you are running is one with OEM recovery disks. How to use Recovery Console, if necessary, depends on the distinction between the two.

Let's try this first:

1. Please download rkfiles.zip and unzip it to its own permanent folder.
http://skads.org/special/rkfiles.zip

Dont run it yet.

Also redownload FixVundo Registry File and save it to your desktop.


2. I would like to see a list of modules for each process by means of a special AdAware logfile. If you already have AdAware SE 1.05 installed, we will use that to save time as the program has just been upgraded to v 1.06. If you need to download it, please use this link:
http://fileforum.betanews.com/detail/Adawa...nal/965718306/1

And then do the following:

:thumbsup: A. Please follow the instructions in the Ad-Aware Tutorial to download, update and configure AdAware.

:flowers: B. Change the configuration to the following options:

Advanced button>Logfile detail level>disable Include negligible objects information.

Tweak button:

:trumpet: Scanning Engine
Disable Unload recognized processes & modules during scan[/b]

:inlove: Log Files
Enable Include module list in log file.

Click Proceed then close AdAware.

3. Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop. Install the program. Don't use it yet.

4. Please print or copy these instructions because you are not able to access the Internet in SafeMode.

5. Disconnect from the internet. If you are on an always on connection like DSL, physically disconnect the cable from your PC.

6. Go back into msconfig and re-enable the services you had disabled. and immediately boot into Safe Mode.

7. Scan with AdAware. When scan is complete, click Show Logfile button>right click and choose Select All> right click and choose Copy to Clipboard> paste the log into Notepad or your Word Procesor of choice and save this file. Then paste the contents in your next reply to this thread.

8. Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When you have booted back into normal mode, locate C:\log.txt. Copy & Paste those results back here.

9. Run HijackThis and place a check beside each of the following:

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\SERVIC~1\drvtask.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24deaabf59fc90...RdxIE601_fr.cab

O20 - Winlogon Notify: drvtask - C:\WINDOWS\SERVIC~1\drvtask.dll

Click Fix Checked and close HiajckThis.

10. Now double-click on the vundo.reg file that you saved on your desktop earlier and allow it to merge with the registry.

11. Open System Security Suite. Be very careful with this step and do the following excactly:

In theItems to Clear tab put checkmarks in all the boxes.

Click the User Defined Folders tab.

Click the Add button.

In the browse window navigate to C:\WINDOWS\ServicePackFiles directory, highlite it and click OK.

Select the entry added then click Edit.

Copy and paste the following bold text into the Filter field: drvtask.dll Be sure you have replaced the *.* filter with the bad file name, then Click OK. If you make a mistake, click the Delete button to clear any entries in the User Defined Folders field and try again.

Put a checkmark next to the line you just entered.

Click on the Items to Clear tab and then Clear Selected Items.

Depending on the size of your browser cache, your hard drive may work for a time, then you will get a window asking if you would like to reboot. Say yes.

12. Allow your system to reboot back into normal mode, scan again with HijackThis and post a fresh log. Also the log from AdAware and rkfiles and let me know which type CD you have for reinstalling Windows. And if this procedure has done any good.

If the logs I have asked you to post are too long for this board, continue them in anaother reply.

If you have any questions, please ask before carrying out these instructions.

Best of luck to you. I would rather use Recovery Console as a last resort, but we should be able to remove this with that method next if we have to.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#7 Paul999

Paul999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 29 May 2005 - 08:49 PM

Hi Papakid.
I tried the new procedure, but it does not help. FYI, at step 11 when I put checkmarks in all the boxes, then try to Clear Selected Items I get an error message:"Access violation at address 0047616B in module 'sss.exe'. Read of address 00000000". If I do NOT put a checkmark for Item "AutoCompleted Forms", then the error message does not appear and the process goes on - however, it does not get rid of "drvtask.dll". HijackThis did remove "O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - [url="http://software-dl.real.com/24deaabf59fc90...RdxIE601_fr.cab""]http://software-dl.real.com/24deaabf59fc90...01_fr.cab"[/url], but I did not think this was causing a problem.
I have also considered using the Recovery Console before we started our discussion here, but only as a last resort; I think we are now at that point. The PC is a Dell with the OS pre-installed. Windows XP Home Edition, SP 1a was originally installed, but I have upgraded to SP2. When I use the Reinstallation CD from Dell and try to use the Repair option to get the Recovery Console, I get a message to the effect that the currently installed version is later than the originally installed version. Therefore, I think I will need to uninstall SP2 to get to the recovery Console and delete "drvtask.dll".

Here is the Ad-Aware log file:

Ad-Aware SE Build 1.06r1
Logfile Created on:29 mai 2005 16:05:24
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R47 24.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
DyFuCA(TAC index:3):1 total references
MRU List(TAC index:0):20 total references
Tracking Cookie(TAC index:3):22 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2005-05-29 16:05:24 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 132
ThreadCreationTime : 2005-05-29 20:02:00
BasePriority : Normal

Scanning Module:\SystemRoot\System32\smss.exe...
Scanning Module:C:\WINDOWS\system32\ntdll.dll...

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 204
ThreadCreationTime : 2005-05-29 20:02:13
BasePriority : High

Scanning Module:\??\C:\WINDOWS\system32\winlogon.exe...
Scanning Module:C:\WINDOWS\system32\kernel32.dll...
Scanning Module:C:\WINDOWS\system32\ADVAPI32.dll...
Scanning Module:C:\WINDOWS\system32\RPCRT4.dll...
Scanning Module:C:\WINDOWS\system32\AUTHZ.dll...
Scanning Module:C:\WINDOWS\system32\msvcrt.dll...
Scanning Module:C:\WINDOWS\system32\CRYPT32.dll...
Scanning Module:C:\WINDOWS\system32\USER32.dll...
Scanning Module:C:\WINDOWS\system32\GDI32.dll...
Scanning Module:C:\WINDOWS\system32\MSASN1.dll...
Scanning Module:C:\WINDOWS\system32\NDdeApi.dll...
Scanning Module:C:\WINDOWS\system32\PROFMAP.dll...
Scanning Module:C:\WINDOWS\system32\NETAPI32.dll...
Scanning Module:C:\WINDOWS\system32\USERENV.dll...
Scanning Module:C:\WINDOWS\system32\PSAPI.DLL...
Scanning Module:C:\WINDOWS\system32\REGAPI.dll...
Scanning Module:C:\WINDOWS\system32\Secur32.dll...
Scanning Module:C:\WINDOWS\system32\SETUPAPI.dll...
Scanning Module:C:\WINDOWS\system32\VERSION.dll...
Scanning Module:C:\WINDOWS\system32\WINSTA.dll...
Scanning Module:C:\WINDOWS\system32\WINTRUST.dll...
Scanning Module:C:\WINDOWS\system32\IMAGEHLP.dll...
Scanning Module:C:\WINDOWS\system32\WS2_32.dll...
Scanning Module:C:\WINDOWS\system32\WS2HELP.dll...
Scanning Module:C:\WINDOWS\system32\MSGINA.dll...
Scanning Module:C:\WINDOWS\system32\SHELL32.dll...
Scanning Module:C:\WINDOWS\system32\SHLWAPI.dll...
Scanning Module:C:\WINDOWS\system32\COMCTL32.dll...
Scanning Module:C:\WINDOWS\system32\ODBC32.dll...
Scanning Module:C:\WINDOWS\system32\comdlg32.dll...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...
Scanning Module:C:\WINDOWS\system32\odbcint.dll...
Scanning Module:C:\WINDOWS\system32\SHSVCS.dll...
Scanning Module:C:\WINDOWS\system32\sfc.dll...
Scanning Module:C:\WINDOWS\system32\sfc_os.dll...
Scanning Module:C:\WINDOWS\system32\ole32.dll...
Scanning Module:C:\WINDOWS\system32\Apphelp.dll...
Scanning Module:C:\WINDOWS\system32\WINMM.dll...
Scanning Module:C:\WINDOWS\system32\serwvdrv.dll...
Scanning Module:C:\WINDOWS\system32\umdmxfrm.dll...
Scanning Module:C:\WINDOWS\system32\cscdll.dll...
Scanning Module:C:\WINDOWS\SERVIC~1\drvtask.dll...
Scanning Module:C:\WINDOWS\system32\shfolder.dll...
Scanning Module:C:\WINDOWS\system32\wininet.dll...
Scanning Module:C:\WINDOWS\system32\OLEAUT32.dll...
Scanning Module:C:\WINDOWS\system32\wsock32.dll...
Scanning Module:C:\WINDOWS\system32\urlmon.dll...
Scanning Module:C:\WINDOWS\system32\rsaenh.dll...
Scanning Module:C:\WINDOWS\system32\WlNotify.dll...
Scanning Module:C:\WINDOWS\system32\WinSCard.dll...
Scanning Module:C:\WINDOWS\system32\WTSAPI32.dll...
Scanning Module:C:\WINDOWS\system32\WINSPOOL.DRV...
Scanning Module:C:\WINDOWS\system32\MPR.dll...
Scanning Module:C:\WINDOWS\system32\UxTheme.dll...
Scanning Module:C:\WINDOWS\system32\SAMLIB.dll...
Scanning Module:C:\WINDOWS\system32\cscui.dll...
Scanning Module:C:\WINDOWS\system32\NTMARTA.DLL...
Scanning Module:C:\WINDOWS\system32\WLDAP32.dll...
Scanning Module:C:\WINDOWS\system32\msacm32.drv...
Scanning Module:C:\WINDOWS\system32\MSACM32.dll...
Scanning Module:C:\WINDOWS\system32\imaadp32.acm...
Scanning Module:C:\WINDOWS\system32\msadp32.acm...
Scanning Module:C:\WINDOWS\system32\msg711.acm...
Scanning Module:C:\WINDOWS\system32\msgsm32.acm...
Scanning Module:C:\WINDOWS\system32\tssoft32.acm...
Scanning Module:C:\WINDOWS\system32\tsd32.dll...
Scanning Module:C:\WINDOWS\system32\msg723.acm...
Scanning Module:C:\WINDOWS\system32\msaud32.acm...
Scanning Module:C:\WINDOWS\system32\sl_anet.acm...
Scanning Module:C:\WINDOWS\System32\l3codeca.acm...
Scanning Module:C:\WINDOWS\system32\iac25_32.ax...
Scanning Module:C:\WINDOWS\system32\COMRes.dll...
Scanning Module:C:\WINDOWS\system32\CLBCATQ.DLL...
Scanning Module:C:\WINDOWS\system32\xpsp2res.dll...

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 248
ThreadCreationTime : 2005-05-29 20:02:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
Scanning Module:C:\WINDOWS\system32\services.exe...
Scanning Module:C:\WINDOWS\system32\SCESRV.dll...
Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...
Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...
Scanning Module:C:\WINDOWS\system32\MSVCP60.dll...
Scanning Module:C:\WINDOWS\system32\ShimEng.dll...
Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...
Scanning Module:C:\WINDOWS\system32\eventlog.dll...

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 2005-05-29 20:02:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Scanning Module:C:\WINDOWS\system32\lsass.exe...
Scanning Module:C:\WINDOWS\system32\LSASRV.dll...
Scanning Module:C:\WINDOWS\system32\NTDSAPI.dll...
Scanning Module:C:\WINDOWS\system32\DNSAPI.dll...
Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...
Scanning Module:C:\WINDOWS\system32\cryptdll.dll...
Scanning Module:C:\WINDOWS\system32\msprivs.dll...
Scanning Module:C:\WINDOWS\system32\kerberos.dll...
Scanning Module:C:\WINDOWS\system32\msv1_0.dll...
Scanning Module:C:\WINDOWS\system32\iphlpapi.dll...
Scanning Module:C:\WINDOWS\system32\netlogon.dll...
Scanning Module:C:\WINDOWS\system32\w32time.dll...
Scanning Module:C:\WINDOWS\system32\schannel.dll...
Scanning Module:C:\WINDOWS\system32\wdigest.dll...
Scanning Module:C:\WINDOWS\system32\scecli.dll...

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 412
ThreadCreationTime : 2005-05-29 20:02:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\system32\svchost.exe...
Scanning Module:c:\windows\system32\rpcss.dll...

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 2005-05-29 20:02:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\cryptsvc.dll...
Scanning Module:c:\windows\system32\certcli.dll...
Scanning Module:c:\windows\system32\ATL.DLL...
Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...
Scanning Module:c:\windows\system32\ESENT.dll...
Scanning Module:c:\windows\system32\wbem\wmisvc.dll...
Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...
Scanning Module:c:\windows\system32\srsvc.dll...
Scanning Module:c:\windows\system32\POWRPROF.dll...
Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemcore.dll...
Scanning Module:C:\WINDOWS\System32\wbem\esscli.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemcomn.dll...
Scanning Module:C:\WINDOWS\System32\wbem\FastProx.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wmiutils.dll...
Scanning Module:C:\WINDOWS\System32\wbem\repdrvfs.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wmiprvsd.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemess.dll...
Scanning Module:C:\WINDOWS\System32\wbem\ncprov.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemcons.dll...

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 756
ThreadCreationTime : 2005-05-29 20:03:13
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINDOWS\Explorer.EXE...
Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...
Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...
Scanning Module:C:\WINDOWS\System32\themeui.dll...
Scanning Module:C:\WINDOWS\System32\MSIMG32.dll...
Scanning Module:C:\WINDOWS\System32\msutb.dll...
Scanning Module:C:\WINDOWS\System32\MSCTF.dll...
Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...
Scanning Module:C:\WINDOWS\system32\ntshrui.dll...
Scanning Module:C:\WINDOWS\system32\msi.dll...
Scanning Module:C:\WINDOWS\system32\SXS.DLL...
Scanning Module:C:\WINDOWS\System32\drprov.dll...
Scanning Module:C:\WINDOWS\System32\ntlanman.dll...
Scanning Module:C:\WINDOWS\System32\NETUI0.dll...
Scanning Module:C:\WINDOWS\System32\NETUI1.dll...
Scanning Module:C:\WINDOWS\System32\NETRAP.dll...
Scanning Module:C:\WINDOWS\System32\davclnt.dll...

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 880
ThreadCreationTime : 2005-05-29 20:03:47
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Scanning Module:C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe...
Scanning Module:C:\WINDOWS\system32\olepro32.dll...
Scanning Module:C:\WINDOWS\system32\RICHED32.DLL...
Scanning Module:C:\WINDOWS\system32\RICHED20.dll...

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

DyFuCA Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-207580134-4151055358-571848199-1007\software\policies\avenue media

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 21


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@server.iad.liveperson[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:paul@server.iad.liveperson.net/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@linksynergy[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:paul@linksynergy.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@qksrv[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:paul@qksrv.net/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:paul@hitbox.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:paul@advertising.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:paul@mediaplex.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@revenue[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:paul@revenue.net/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@statcounter[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:paul@statcounter.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@servedby.advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:paul@servedby.advertising.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@bfast[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:paul@bfast.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@apmebf[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:paul@apmebf.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@ehg-tigerdirect2.hitbox[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:paul@ehg-tigerdirect2.hitbox.com/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : paul@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:paul@2o7.net/

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 34



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@ehg-esa.hitbox[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@ehg-esa.hitbox[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@estat[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@estat[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@fastclick[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@hitbox[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@real[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@real[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chantal@w128.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Chantal\Cookies\chantal@w128.hitbox[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nathalie@list[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Nathalie\Cookies\nathalie@list[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nathalie@rambler[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Nathalie\Cookies\nathalie@rambler[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nathalie@real[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Nathalie\Cookies\nathalie@real[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 43


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1150 entries scanned.
New critical objects:0
Objects found so far: 43




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 43

16:24:54 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:19:29.516
Objects scanned:132933
Objects identified:23
Objects ignored:0
New critical objects:23


Here is the log file from rkfile.bat:
C:\Documents and Settings\Paul\Desktop\emergency\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\DFRG.MSC: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

I will send the HijackThis log file as an added reply.

#8 Paul999

Paul999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 29 May 2005 - 08:51 PM

Hi Papakid.
Here is the HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 21:34:12, on 2005-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\SERVIC~1\drvtask.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O20 - Winlogon Notify: drvtask - C:\WINDOWS\SERVIC~1\drvtask.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Thanks.

#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,582 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 30 May 2005 - 12:03 AM

Well, Paul, thought it was worth a shot and sorry to hear it didn't work. An earlier version of this malware had a hidden file in temp folders that had to be deleted on reboot, so...

Thanks for the information. Every little bit helps.

Let's not uninstall SP2 just yet. Instead of trying to run RC from the CD, install and update it for now just to see if we can get it to work. If you get an error again, please post back the exact wording.

To install the Recovery Console, follow the instuctions in this tutorial from theeldergeek
http://www.theeldergeek.com/recovery_console.htm

When you get to the Dynamic Update step, allow the update to occur. You must, of course, be connected to the internet for this to happen.

If the installation is successful, reboot. During Startup, select Recovery Console from the startup options menu.

You will be prompted for your Administrator password. Most people running XP Home edition have never set a password since the Administrator account referred to is only accessable in Safe Mode. If you haven't set a password, hit Enter. If that doesn't work, type in Admin then hit enter. If you still are denied access and haven't set an Administrator account, you'll need to edit the registry. See the end of the elder geek tutorial for the modification. Let me know if you need any help with that.

For now, I just want to see if you can get into RC. So once you get in, type Exit, press Enter, then boot back into windows and let me know how it went.

And if you can do me a favor, try running the same type AdAware scan in normal mode with those services re-enabled and post that log. It might help figure out a few things.

Also, could you post a screenshot of the what you see in Process Explorer in the threads tab window? There is a tutorial on how to post a screenshot here: http://www.bleepingcomputer.com/forums/How...dows-tut96.html
In XP it is easier to paste the image into Paint, but be sure to save it as a jpeg.

BTW, the 016 you deleted is not part of the Vundo problem and may not even be bad, but the CLSID was associated with Netster in the past and 016's are generally safe to remove since they will be redownloaded when you visit the webpage if needed.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#10 Paul999

Paul999
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:33 AM

Posted 04 June 2005 - 03:19 PM

Hi Papakid.
I decided to go the Recovery Console route. I think I should have done that a couple of weeks ago because it was easy to do and worked very well. After deleting "drvtask.dll" and three other suspicious files in the same folder, I rebooted, cleaned up the registry and now everything is back to normal. I still can't see the resolved DLL names in Process Explorer, but that is secondary. Thanks for trying to help out.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users