Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log


  • This topic is locked This topic is locked
4 replies to this topic

#1 jpc

jpc

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 24 May 2005 - 04:42 AM

Problem: internet connection (adsl) very very very slow
Suspicion: trojan horses (cf. the following files: winsN2S.exe, eied_s7.cab, ...)
Spybot S&D: done
AVG scan: done
F-Prot scan: done

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 22:48:07, on 12/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINDOWS\System32\winsN2S.exe
C:\WINDOWS\System32\crssrs.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\crssrs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKCU\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKCU\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dxxx.met.be
O17 - HKLM\Software\..\Telephony: DomainName = dxxx.met.be
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dxxx.met.be
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dxxx.met.be
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: OracleOracle817ClientCache - Unknown owner - C:\ORACLE\ORA817\BIN\ONRSD.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

BC AdBot (Login to Remove)

 


m

#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:55 AM

Posted 24 May 2005 - 08:10 PM

Hello jpc and welcome to BleepingComputer.

I'm going to assume you purposely obfuscated the domain name in the O17 lines and that the actual listed domain name is valid. If that is not the case, please let me know.

Also, since this is a pre-processed log, I can only guess that you have HJT in a safe folder and not in a temporary location or being run out of a .zip. If HJT is not in it's own folder, please move it before proceeding so that any backups it creates will be safe.


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\RunServices: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKCU\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKCU\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service2] winsN2S.exe

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files (Don't be concerned if they can not be found):

C:\WINDOWS\System32\winsN2S.exe
C:\WINDOWS\System32\crssrs.exe
C:\WINDOWS\System32\vbsys2.dll

If any of these resist being deleted, boot into Safe Mode and try from there.


Reboot and post a fresh HJT log. Please post the whole log without any 'pre-processing'.

Edited by ddeerrff, 24 May 2005 - 08:17 PM.

Derfram
~~~~~~

#3 jpc

jpc
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:55 PM

Posted 25 May 2005 - 05:25 AM

Concerning O17: No, I didn't obfuscated the domain. It was like this in the original hjt log.
Concerning HJT: yes, he is in is own safe directory.

Thanks for your help!

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:55 AM

Posted 25 May 2005 - 09:28 AM

OK, we'll get the domain name dxxx.met.be cleared after your next post.
Derfram
~~~~~~

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:11:55 AM

Posted 09 June 2005 - 11:49 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users