Backdoor Trojan - ppdoor - HELP!


20 replies to this topic

#1 ladyq


Posted 29 May 2005 - 02:48 PM

Can anyone help? I am charged with sorting out my husband's PC which appears to have become infected with the backdoor trojan win32.ppdoor. It disabled Norton, and I can't get the XP Security Centre to work, nor the Firewall. I have followed the advice in some of the other posts and tried e-scan and sysclean. Here is the Hijack log :-

Logfile of HijackThis v1.99.1
Scan saved at 20:40:23, on 29/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: OrbiscomROTBho2 Class - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\System32\SlimBho2.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Access Meeting] C:\WINDOWS\system32\ntdodcnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSIM0002
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...efault/ErrorNukerInstaller.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C28F7A8-CEDE-4437-924D-AC9CC0B1C5C0}: NameServer = 195.92.195.95 195.92.195.94
O21 - SSODL: Themes Meeting - {2FE4C42D-2C6E-4372-B039-0134FDA42B36} - C:\WINDOWS\system32\msg7dial.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I can post the logs from Sysclean and e-scan if anyone can help.

Cheers and fingers crossed!

Alex


#2 ddeerrff

Malware Response Team (Retired)

Posted 29 May 2005 - 10:17 PM

Hello ladyq and welcome to BleepingComputer.

Configure Windows to enable viewing of Hidden and System files.


Open the Control Panel then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- My Search Bar
- MyWay Speed Bar
- My Web Search Bar or any variant of My* that you don't recognize.
- Fun Web Products Easy Installer


Download LSPFix and unzip into its own folder.
- Disconnect from the Internet and close all Internet Explorer Windows.
- Run LSPFix.
- Move all instances of flsmngr.dll to the 'Remove' pane.
- Check the "I know what I'm doing" box, then click on Finish.
- Reboot.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [Access Meeting] C:\WINDOWS\system32\ntdodcnt.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSIM0002

O9 - Extra button: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing) (HKCU)

O21 - SSODL: Themes Meeting - {2FE4C42D-2C6E-4372-B039-0134FDA42B36} - C:\WINDOWS\system32\msg7dial.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINDOWS\system32\flsmngr.dll <--Files
C:\WINDOWS\system32\wldr.dll
C:\WINDOWS\system32\ntdodcnt.exe
C:\WINDOWS\system32\msg7dial.dll

C:\Program Files\MyWay\ <--Folders
C:\Program Files\MyWebSearch\

If any of these resist being deleted, boot into Safe Mode and try from there. Let me know if anything absolutely refuses to be deleted.


This line:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
tells me you are running in Selective Startup Mode - you used MSCONFIG to turn off some startup items. Unless there is some specific reason you cannot, please return the system startup to normal. Do this by:
- Click on Start, then Run, then type in MSCONFIG and click on OK.
- On the General tab, select Normal Startup.
- Click on OK. Allow the system to reboot at this time.


Run HJT and create a fresh log. When HJT opens the log in Notepad, please go to the top menu, select format and if it is checked, remove the check mark from Line wrap.

Post the fresh log. Are we making any progress?
Derfram
~~~~~~
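
As an added example (my own code, not from the thread, BleepingComputer or HijackThis), a small Python triage script that parses entries in this HijackThis log format and applies the rules behind ddeerrff's fix list above: hijacked start/search pages, orphaned entries, unknown Winsock LSPs, SSODL entries, and Run keys launching an .exe placed directly in system32. The trusted-host and system32 allowlists are assumptions for illustration, and the sample log is constructed from entries in post #1.

```python
"""Triage a HijackThis v1.99 log: parse section entries and flag the patterns
the thread's fix list is based on. Allowlists below are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: a subset of the entries from the log in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 20:40:23, on 29/05/2005
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [Access Meeting] C:\WINDOWS\system32\ntdodcnt.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O9 - Extra button: Microsoft AntiSpyware helper - {80587901-717A-47CD-B048-84FE1AE52057} - C:\WINDOWS\system32\wldr.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O21 - SSODL: Themes Meeting - {2FE4C42D-2C6E-4372-B039-0134FDA42B36} - C:\WINDOWS\system32\msg7dial.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Hosts the owner actually chose as start/search pages (assumed from the thread).
TRUSTED_HOSTS: Set[str] = {"www.yahoo.co.uk", "www.wanadoo.co.uk"}
# Executables Windows legitimately starts from system32 via Run keys (assumed allowlist).
KNOWN_SYSTEM32_AUTORUNS: Set[str] = {"rundll32.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s;]+)")
# First drive-letter path ending in a loadable extension; stops before any quote.
FILE_RE = re.compile(r'(?i)([a-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl))')


@dataclass
class Entry:
    code: str   # HijackThis section, e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the section entries; header and running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def target_path(body: str) -> Optional[str]:
    """Path the entry loads or runs, with surrounding quotes and arguments dropped."""
    m = FILE_RE.search(body)
    return m.group(1) if m else None


def directly_in_system32(path: str) -> bool:
    """True for an .exe sitting in system32 itself, not in a subfolder such as spool\\..."""
    parent, _, name = path.lower().rpartition("\\")
    return parent.endswith("\\system32") and name.endswith(".exe")


def triage(entries: List[Entry], trusted_hosts: Set[str]) -> List[Finding]:
    findings = []
    for e in entries:
        reasons = []
        if e.code in ("R0", "R1"):
            m = URL_RE.search(e.body)
            host = m.group(1).split(":")[0].lower() if m else None
            if host and host not in trusted_hosts:
                reasons.append(f"IE start/search setting points at {host}")
        if "(no file)" in e.body or "(file missing)" in e.body:
            reasons.append("orphaned entry: the file it references is gone")
        if e.code == "O10":
            reasons.append("Winsock LSP HijackThis cannot identify; repair with LSPFix, not by deleting")
        if e.code == "O21":
            reasons.append("SSODL entry: loaded by Explorer at every logon, rarely legitimate")
        if e.code == "O4":
            p = target_path(e.body)
            if p and directly_in_system32(p) and p.lower().rpartition("\\")[2] not in KNOWN_SYSTEM32_AUTORUNS:
                reasons.append("Run key launches an .exe placed directly in system32; verify the vendor")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def report(text: str, trusted_hosts: Set[str] = TRUSTED_HOSTS) -> List[str]:
    """One line per flagged entry, in log order."""
    return [f"{f.entry.code}: {'; '.join(f.reasons)} -> {f.entry.body}"
            for f in triage(parse_hjt(text), trusted_hosts)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The output is a review list for a human, not a fix list: PSDrvCheck.exe in the log above would also be queried by the system32 rule and is legitimate.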

#3 ladyq


Posted 30 May 2005 - 02:55 AM

Hi

Many thanks. I have done everything you suggested, and the new HJT log is below. The only file that wouldn't go was the ntdodcnt.exe, which I have renamed to hopefully kill it. There was a ntdodcnt.dll file with it; should that go too? Also, when I boot there are some startup programs (obviously connected to the virus) that try to run.

Here is the HJT:-

Logfile of HijackThis v1.99.1
Scan saved at 08:50:45, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\RFA\rfagent.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: OrbiscomROTBho2 Class - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\System32\SlimBho2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Many thanks

Alex

#4 ladyq


Posted 30 May 2005 - 08:51 AM

Hi - just to add that I have now managed to get the Windows Firewall back in, but it seems to think it is governed by group policy and I can't change it at all to manually configure it (all the services tabs are set at 'not configured'), and the security centre is not showing any functionality at all (same cause I guess as above!).

The PC is not on a network etc., it is stand-alone.

Cheers

Alex

#5 ddeerrff

Malware Response Team (Retired)

Posted 30 May 2005 - 01:46 PM

Also when I boot there are some startup programs (obviously connected to the virus) that try to run.

Can you expand on that? What programs try to run?


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

F3 - REG:win.ini: load=??? ?
F3 - REG:win.ini: run=??? ?

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Download Reglook.
- Unzip it into its own folder.
- Open the Reglook folder and double click on Runme.bat. A Notepad window should open.


Copy the contents of Reglook.log to your next post along with a fresh HJT log.
Derfram
~~~~~~

#6 ladyq


Posted 30 May 2005 - 03:28 PM

Hi there, thanks so much for your help.

I have sorted the startup problems by finding a program that analysed the startup and enabled me to delete the two problem entries. The main problem now is the issue about the security centre (sorry, center!!). The machine settings seem to think it is part of a network and that group policies apply, but it is a stand-alone. I tried to change its properties in System from it thinking it was on a network to being stand-alone, but when I re-booted it switched it back to thinking it was not stand-alone. So I spent most of today trying to work out whether the group policies were to blame (unlikely as they are all 'not configured'?), with no success. The Firewall says it is governed by group policy and the security centre is showing nothing as being active. I will post a HJT log probably tomorrow (it's 9.30pm here in the UK and the computer that has the problems on it is switched off at the moment!).

Any ideas about the problems with the Firewall in the meantime would be appreciated.

Thanks sooooo much!!

Alex

PS I have Norton installed again and that Firewall is running. I am more interested in sorting out WHY the Windows Firewall is not running than getting it to run necessarily.

#7 ddeerrff

Malware Response Team (Retired)

Posted 30 May 2005 - 10:17 PM

Is this Windows XP Home or Windows XP Professional ?
Derfram
~~~~~~

#8 ladyq


Posted 31 May 2005 - 02:32 AM

It's Windows XP Home 'Media Centre', or something, certainly not Professional.

Thanks, and I'll post the logs when I get home tonight from work.

Alex

Edited by ladyq, 31 May 2005 - 02:35 AM.


#9 ladyq


Posted 31 May 2005 - 12:25 PM

Hi again

Right here is the HJT log (most recent) followed by the RegLook log :-

Logfile of HijackThis v1.99.1
Scan saved at 18:18:45, on 31/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Desktop\Emergency Restore Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: OrbiscomROTBho2 Class - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\System32\SlimBho2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://www.support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


And the RegLook log :-

A reg_look by IMM
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
(key has 0 subkeys and 7 value entries - last modified 12:55(UTC) 28/05/2005)
[AppInit_DLLs] = "" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(key has 5 subkeys and 32 value entries - last modified 17:10(UTC) 31/05/2005)
[Userinit] = "C:\WINDOWS\system32\Userinit.exe" (REG_SZ)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
(key has 0 subkeys and 5 value entries - last modified 14:37(UTC) 18/09/2003)
[Shell] = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" (REG_SZ)

Many thanks again, you are a Star!!

Alex

#10 ddeerrff

Malware Response Team (Retired)

Posted 31 May 2005 - 10:37 PM

I asked the HJT team if anyone had any suggestions on the firewall issue. One possibility emerged.

Go to Start, then Run, then type in services.msc. Click OK. Click on the 'Standard' tab. Scroll down the list of services until you locate Security Center. It should be set to automatic and show as started.

If it is not set to automatic...
Double click the Security Center service. Change the 'Startup type' to 'Automatic'. Click on 'Apply'. Then click on 'Start' and 'OK' your way out.
Derfram
~~~~~~

#11 ladyq


Posted 01 June 2005 - 03:50 AM

Ah, interesting point this, the Security Center in the services list has disappeared so I have no configuration control from that way in! As did the Firewall disappear until I figured how to get it back. Could the trojan have got rid of both of those entries in the services when it hit?

Thanks for your continuing support, I am keen to find out the cause.

Alex

#12 ddeerrff

Malware Response Team (Retired)

Posted 01 June 2005 - 09:28 AM

I'm continuing to look into the firewall issue. In the mean time, there was a bad item returned by reglook. Let's clear that:

Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.

Then double-click on the fix.reg file on the desktop.
- When it prompts to add or merge, say yes.
- You can now delete fix.reg from your desktop.
Derfram
~~~~~~

#13 ladyq


Posted 01 June 2005 - 11:22 AM

OK, done, thanks. What did that do? (Sorry I just have a desire to know why things happen, possibly overt nosiness!)

I'll wait with interest your views on the Security Center - here is a log of the machine's security center :-

Service | Status | Startup type | Log on as
Alerter | Started | Automatic | Local Service
Application Layer Gateway Service | Started | Manual | Local Service
Application Management |  | Manual | Local System
ASP.NET State Service |  | Manual | Network Service
Automatic Updates | Started | Automatic | Local System
Background Intelligent Transfer Service | Started | Manual | Local System
ClipBook |  | Disabled | Local System
COM+ Event System | Started | Manual | Local System
COM+ System Application |  | Manual | Local System
Computer Browser | Started | Automatic | Local System
Cryptographic Services | Started | Automatic | Local System
DCOM Server Process Launcher | Started | Automatic | Local System
DHCP Client | Started | Automatic | Local System
Distributed Link Tracking Client | Started | Automatic | Local System
Distributed Transaction Coordinator |  | Manual | Network Service
DNS Client | Started | Automatic | Network Service
Error Reporting Service | Started | Automatic | Local System
Event Log | Started | Automatic | Local System
Fast User Switching Compatibility | Started | Manual | Local System
Help and Support | Started | Automatic | Local System
HID Input Service | Started | Automatic | Local System
HTTP SSL |  | Manual | Local System
IMAPI CD-Burning COM Service |  | Manual | Local System
Indexing Service |  | Manual | Local System
IPSEC Services | Started | Automatic | Local System
ISSVC | Started | Automatic | Local System
Logical Disk Manager | Started | Automatic | Local System
Logical Disk Manager Administrative Service |  | Manual | Local System
Media Center Scheduler Service | Started | Automatic | Local System
Messenger |  | Disabled | Local System
MS Software Shadow Copy Provider |  | Manual | Local System
Net Logon |  | Manual | Local System
NetMeeting Remote Desktop Sharing |  | Manual | Local System
Network Connections | Started | Manual | Local System
Network DDE |  | Disabled | Local System
Network DDE DSDM |  | Disabled | Local System
Network Location Awareness (NLA) | Started | Manual | Local System
Network Provisioning Service |  | Manual | Local System
Norton AntiVirus Auto-Protect Service | Started | Automatic | Local System
NT LM Security Support Provider |  | Manual | Local System
NVIDIA Driver Helper Service | Started | Automatic | Local System
Office Source Engine |  | Manual | Local System
Performance Logs and Alerts |  | Manual | Network Service
Plug and Play | Started | Automatic | Local System
Portable Media Serial Number Service |  | Manual | Local System
Print Spooler | Started | Automatic | Local System
Protected Storage | Started | Automatic | Local System
QoS RSVP |  | Manual | Local System
Remote Access Auto Connection Manager |  | Manual | Local System
Remote Access Connection Manager | Started | Manual | Local System
Remote Desktop Help Session Manager |  | Manual | Local System
Remote Procedure Call (RPC) | Started | Automatic | Network Service
Remote Procedure Call (RPC) Locator |  | Manual | Network Service
Remote Registry | Started | Automatic | Local Service
Removable Storage |  | Manual | Local System
Routing and Remote Access |  | Disabled | Local System
SAVScan |  | Manual | Local System
ScriptBlocking Service |  | Automatic | Local System
Secondary Logon | Started | Automatic | Local System
Security Accounts Manager | Started | Automatic | Local System
Server | Started | Automatic | Local System
Shell Hardware Detection | Started | Automatic | Local System
Smart Card |  | Manual | Local Service
SSDP Discovery Service | Started | Manual | Local Service
Symantec Core LC | Started | Automatic | Local System
Symantec Event Manager | Started | Automatic | Local System
Symantec Network Drivers Service | Started | Automatic | Local System
Symantec Network Proxy | Started | Automatic | Local System
Symantec Password Validation |  | Manual | Local System
Symantec Settings Manager | Started | Automatic | Local System
Symantec SPBBCSvc | Started | Automatic | Local System
System Event Notification | Started | Automatic | Local System
System Restore Service | Started | Automatic | Local System
Task Scheduler | Started | Automatic | Local System
TCP/IP NetBIOS Helper | Started | Automatic | Local Service
Telephony | Started | Manual | Local System
Telnet |  | Disabled | Local System
Terminal Services | Started | Manual | Local System
Themes | Started | Automatic | Local System
Uninterruptible Power Supply |  | Manual | Local Service
Universal Plug and Play Device Host |  | Manual | Local Service
Volume Shadow Copy |  | Manual | Local System
WebClient | Started | Automatic | Local Service
Windows Audio | Started | Automatic | Local System
Windows Firewall/Internet Connection Sharing (ICS) | Started | Automatic | Local System
Windows Image Acquisition (WIA) |  | Manual | Local System
Windows Installer |  | Manual | Local System
Windows Management Instrumentation | Started | Automatic | Local System
Windows Management Instrumentation Driver Extensions |  | Manual | Local System
Windows Time | Started | Automatic | Local System
Windows User Mode Driver Framework | Started | Automatic | Local Service
Wireless Zero Configuration | Started | Automatic | Local System
WMDM PMSP Service | Started | Automatic | Local System
WMI Performance Adapter |  | Manual | Local System
Workstation | Started | Automatic | Local System

Thanks again

Alex

#14 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:01:59 AM

Posted 01 June 2005 - 11:45 AM

The AppInit_DLL is a file that runs whenever another application runs. Normally this key is empty. Your registry had a random character showing ("")- it was most likely not an executable program so it was harmless - but it shouldn't have been there. The regedit script should have cleared that entry.

As for the 'Security Center' service.... I don't have access to an XP SP2 machine here at work - I do at home. When I get home I want to check to see what file is associated with that service and have you check if that file still exists on your machine. If it does, we may be able to reinstall the service. Not sure if this is possible or not, I have never done it.

If the file is also gone, it may be necessary to uninstall then reinstall SP2. That *should* be straightforward, but again it's something I have never done and hesitate to recommend unless you have a good backup of your system.

Can you tell we're getting a bit outside my area of experience? :thumbsup:

Edited by ddeerrff, 01 June 2005 - 11:49 AM.

Derfram
~~~~~~
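The services.msc procedure at the top of this section (find Security Center, set it to Automatic, start it) and the check proposed in #14 (which file backs the service, and is it still on disk) can be done in one pass. The script below is an added example, not from the thread. It assumes a PowerShell-capable Windows host run as Administrator (PowerShell was not shipped with XP SP2); the -Repair switch is the example's own; the service names wscsvc (Security Center) and SharedAccess (Windows Firewall/Internet Connection Sharing) and their ServiceDll values wscsvc.dll and ipnathlp.dll are those of XP SP2, and later Windows versions moved the firewall to MpsSvc. Both services are hosted in svchost.exe, so the ImagePath is svchost and the real code is the DLL named under the service's Parameters key; that DLL is the file to look for. If the service's registry key under HKLM\SYSTEM\CurrentControlSet\Services is gone, the service was deleted rather than disabled, which is exactly what makes it vanish from the services.msc list, and Set-Service cannot bring it back.

```powershell
# Added example, not from the thread. Check whether the Security Center and
# Windows Firewall/ICS services still exist, what DLL backs each, whether that
# DLL is on disk, and optionally set them to Automatic and start them.
# Service and DLL names are the XP SP2 ones. Run as Administrator for -Repair.
param([switch]$Repair)   # -Repair is this example's own switch

$services = @{
    'wscsvc'       = 'Security Center'
    'SharedAccess' = 'Windows Firewall/Internet Connection Sharing (ICS)'
}
# Values of the Start entry as services.msc displays them.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    Write-Host "== $($services[$name]) ($name)"

    if (-not (Test-Path $key)) {
        # No registry key: the service was removed, not merely stopped or disabled.
        # services.msc will not list it and Set-Service cannot repair it.
        Write-Host "   service key missing - service has been removed"
        continue
    }

    $cfg   = Get-ItemProperty -Path $key
    $start = [int]$cfg.Start
    Write-Host ("   Start = {0} ({1})" -f $start, $startNames[$start])
    Write-Host "   ImagePath = $($cfg.ImagePath)"

    # svchost-hosted services keep the real code in Parameters\ServiceDll.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        Write-Host "   ServiceDll = $dllPath (on disk: $(Test-Path -LiteralPath $dllPath))"
    } else {
        Write-Host "   no ServiceDll under Parameters"
    }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Write-Host "   Status = $($svc.Status)" }

    if ($Repair -and $svc) {
        # Mirrors the services.msc steps: Startup type -> Automatic, then Start.
        if ($start -ne 2) { Set-Service -Name $name -StartupType Automatic }
        if ($svc.Status -ne 'Running') { Start-Service -Name $name }
        Write-Host "   set to Automatic and started"
    }
}
```

If the key is missing but the DLL is still present, the service can in principle be re-created, but an svchost-hosted service also needs its ServiceDll parameter and an entry in the svchost group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, so the SP2 reinstall mentioned above is the lower-risk route when there is a good backup.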

#15 ladyq

ladyq
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:03:59 AM

Posted 01 June 2005 - 12:18 PM

You're doing great as far as I'm concerned and I can't thank you enough!!! Sorry to have taken you off track but I'm quite intrigued to find out why the Service Centre has disappeared and why the Firewall was messed up. If you get fed up then tell me and I'll let it go!! If it is possibly down to the Trojan it might be useful for us to know too.

Alex



