Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

What should I do?


  • Please log in to reply
4 replies to this topic

#1 MaryJane

MaryJane

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario
  • Local time:02:44 PM

Posted 28 May 2005 - 08:02 AM

Ok. I will start off by saying that I recently got the Haxdoor Trojan on this comp. Now, I've gone through all my files, deleted the AVPX_32 and AVPX_64 entries from my system 32 file.
I have also unistalled NAV, and installed eScan, AntiVir, BHODemon and CWShredder. I already had Spybot S&D, Ad-aware, Microsoft AntiSpyware and Winpatrol.
eScan found Haxdoor, as well as another trojan, although I'm not sure whether or not it's completely gone.
I need some advice. Have I installed the right programs? Is there anything else I should be using for virus protection?
I am posting a HiJackThis log, maybe there's something I missed.

Logfile of HijackThis v1.99.1
Scan saved at 9:00:13 AM, on 28/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\AvpM.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\Adware Progs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A5DDC5B-EF07-40F6-84D8-A33BBE2E4714}: NameServer = 206.47.244.53 206.47.244.137
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: eScan Server-Updater (eScan-trayicos) - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for - in order to get to the job you need to pay for the clothes and the car, and the house you leave vacant all day so you can afford to live in it."

BC AdBot (Login to Remove)

 


m

#2 MaryJane

MaryJane
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario
  • Local time:02:44 PM

Posted 28 May 2005 - 09:10 PM

AntiVir has been popping up with warnings regarding:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B4D98FAE-9C4F-49DE-B612-30C5105A6B69}\RP454\A0066112.SYS
Contains a signature of the (dangerous) backdoor program BDS/Haxdoor.BG.4 Backdoor server programs

as well as:

C:\SYSTEM VOLUME INFORMATION\_RESTORE{B4D98FAE-9C4F-49DE-B612-30C5105A6B69}\RP431\A0040410.DLL
Contains code of the Windows virus W95/Bumble

I have clicked on "delete file", as well as "deny acess", but it still seems to be popping up every now and then.
Any advice?

Edited by MaryJane, 28 May 2005 - 09:14 PM.

"Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for - in order to get to the job you need to pay for the clothes and the car, and the house you leave vacant all day so you can afford to live in it."

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:44 PM

Posted 29 May 2005 - 05:15 PM

Hi MaryJane and welcome to the BC forums. After reviewing your log I see no signs of viruses or malware at this time. the log is clean.

the messages that you are getting show that the file is in the System Restore area. The operating system will not allow other applications to access that area so to clean it we will need to flush the restore points and create a new one.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 MaryJane

MaryJane
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ontario
  • Local time:02:44 PM

Posted 30 May 2005 - 10:47 AM

Thank you. I'm glad to know my system is doing Ok.

The only other question I have is; Am I using the right tools for virus protection? NAV in my opinion, was a useless program, so replacing it with AntiVir was an easy decision. It seems to be doing it's job.
I have familiarized myself with Windows "netstat" feature through your tutorials.
Is there anything else I should do or learn about to prevent future infections?
"Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for - in order to get to the job you need to pay for the clothes and the car, and the house you leave vacant all day so you can afford to live in it."

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:44 PM

Posted 30 May 2005 - 04:52 PM

Hi MaryJane. I am not familiar with AntiVir but if it is doing a good job then I would say that's good enough. Here are the programs and steps that we recommend for users to keep their computer clean and healthy:

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users