
HJT land trojan help


7 replies to this topic

#1 pieguy288

Posted 31 May 2005 - 10:02 PM

Hey,

Two problems: 1) my homepage is set to about:blank and I have unwanted bookmarks in my favorites.
2) Pretty much every time I use my computer a "trojan horse" or "trojan low zones" notice will appear from Norton Anti-Virus.

I ran Ad-Aware and it found over a hundred "cool web search" things.
I then ran Spybot and it only found one thing (I forgot what it was).

Below is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:28 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\msftp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\iekv32.exe
C:\WINDOWS\ipdc.exe
C:\Documents and Settings\Owner\Desktop\bleep\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mmnnd.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FF52FC75-302C-5DED-C090-F77905337D75} - C:\WINDOWS\winez.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ethernet] msftp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [apiwt32.exe] C:\WINDOWS\system32\apiwt32.exe
O4 - HKLM\..\Run: [WinScMngr] C:\WINDOWS\winsmc.exe
O4 - HKLM\..\Run: [iekv32.exe] C:\WINDOWS\system32\iekv32.exe
O4 - HKLM\..\Run: [swhost] C:\WINDOWS\System32\swhost.exe
O4 - HKLM\..\RunServices: [ethernet] msftp.exe
O4 - HKLM\..\RunOnce: [ipdc.exe] C:\WINDOWS\ipdc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\crvj.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 SirJon

Malware Response Team

Posted 02 June 2005 - 02:49 PM

Hello pieguy288 and Welcome! :thumbsup:
Sorry you're having malware trouble.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
PLEASE FOLLOW ALL THE STEPS SLOWLY AND CAREFULLY.

STEP 1:
Please make sure that you can view all hidden files.
Instructions can be found here.

STEP 2:
Please download CWShredder™ Version 2.1 here.
Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster by RubbeR DuckY here
Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite 3.0.
1.) Download and install the Ewido Security Suite 3.0 here.
2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.
STEP 7:
Go to Start, Run and type in services.msc and click OK.
1.) Scroll down and find the service called Workstation NetLogon Service.
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.
STEP 8:
Copy the contents of the Quote Box below to Notepad. Name the file as cwsfix.reg. Change the Save as Type to All Files, Save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]


STEP 9:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 10:
From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear; click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well; a large window across from the second Drive box now appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 13:
From Safe Mode, run the Ewido Security Suite 3.0.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.
STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier.
Make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.
Be sure to run the program again a second time.

STEP 15:
Now double-click on the cwsfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

STEP 16:
From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.
Scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.
(These may be deleted already)

C:\WINDOWS\winez.dll <----Delete this file.
C:\WINDOWS\ipdc.exe <----Delete this file.
C:\WINDOWS\winsmc.exe <----Delete this file.
C:\WINDOWS\crvj.exe <----Delete this file.
C:\WINDOWS\system32\iekv32.exe <----Delete this file.
C:\WINDOWS\System32\msftp.exe <----Delete this file.
C:\WINDOWS\System32\swhost.exe <----Delete this file.

STEP 17:
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#3 pieguy288


Posted 03 June 2005 - 04:02 PM

I followed all the steps and here is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 4:55:05 PM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\appuh32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [swhost] C:\WINDOWS\System32\swhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\appuh32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 SirJon

Malware Response Team

Posted 04 June 2005 - 10:21 AM

We have a few problems here. :thumbsup:

Download pfind-new.zip here and unzip the contents to its own permanent folder named pfind.

Important! The pfind tool must be run from SAFE MODE !!

Start in Safe Mode using the F8 method:
1.) Restart the computer in Safe Mode.
2.) As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
3.) Use the arrow keys to select the Safe Mode menu item.
4.) Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so please be patient. When the DOS window closes, reboot back to normal mode (Windows).

Post the contents of C:\pfind.txt here in this thread for review.

Edited by SirJon, 04 June 2005 - 10:24 AM.


#5 pieguy288


Posted 05 June 2005 - 09:36 AM

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder



Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\CoreAAC.ax: UPX!
C:\WINDOWS\SYSTEM32\divx.dll: PEC2
C:\WINDOWS\SYSTEM32\divx.dll: PECompact2
C:\WINDOWS\SYSTEM32\lame_enc.dll: UPX!
C:\WINDOWS\SYSTEM32\MP3Source.ax: UPX!
C:\WINDOWS\SYSTEM32\RLMPCDec.ax: UPX!
C:\WINDOWS\SYSTEM32\smgrt.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Owner\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Owner\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Sun Jun 5 2005 10:26:42a A.S.. 2,048 2.00 K
window~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K
winnt.bmp Mon May 30 2005 3:31:04a A.SH. 48,680 47.54 K
winnt256.bmp Fri May 27 2005 8:36:06a A.SH. 48,680 47.54 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Thu May 12 2005 2:07:42a ...H. 65 0.06 K

C:\WINDOWS\FONTS\
desktop.ini Thu May 12 2005 2:08:18a A.SH. 67 0.06 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Thu May 12 2005 2:07:42a ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Thu May 12 2005 2:12:12a A..H. 229,376 224.00 K

C:\WINDOWS\SYSTEM32\
cdplay~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K
logonu~1.man Thu May 12 2005 2:07:42a A..HR 488 0.48 K
ncpacp~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K
nwccpl~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K
sapicp~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K
window~1.man Thu May 12 2005 2:07:42a A..HR 488 0.48 K
wuaucp~1.man Thu May 12 2005 2:07:36a A..HR 749 0.73 K

C:\WINDOWS\TASKS\
sa.dat Sun Jun 5 2005 10:24:00a A..H. 6 0.00 K

C:\WINDOWS\LASTGOOD.TMP\INF\
oem0.inf Thu May 12 2005 2:27:02a A..H. 0 0.00 K
oem0.pnf Thu May 12 2005 2:27:02a A..H. 0 0.00 K
oem1.inf Thu May 12 2005 2:27:42a A..H. 0 0.00 K
oem1.pnf Thu May 12 2005 2:27:42a A..H. 0 0.00 K
oem10.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem10.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem11.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem11.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem12.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem12.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem13.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem13.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem14.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem14.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem15.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem15.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem16.inf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem16.pnf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem17.inf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem17.pnf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem18.inf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem18.pnf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem19.inf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem19.pnf Wed May 11 2005 11:34:32p A..H. 0 0.00 K
oem2.inf Wed May 11 2005 11:31:16p A..H. 0 0.00 K
oem2.pnf Wed May 11 2005 11:31:16p A..H. 0 0.00 K
oem20.inf Wed May 11 2005 11:39:48p A..H. 0 0.00 K
oem20.pnf Wed May 11 2005 11:39:48p A..H. 0 0.00 K
oem21.inf Wed May 11 2005 11:39:48p A..H. 0 0.00 K
oem21.pnf Wed May 11 2005 11:39:48p A..H. 0 0.00 K
oem3.inf Wed May 11 2005 11:34:28p A..H. 0 0.00 K
oem3.pnf Wed May 11 2005 11:34:28p A..H. 0 0.00 K
oem4.inf Wed May 11 2005 11:34:28p A..H. 0 0.00 K
oem4.pnf Wed May 11 2005 11:34:28p A..H. 0 0.00 K
oem5.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem5.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem6.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem6.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem7.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem7.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem8.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem8.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem9.inf Wed May 11 2005 11:34:30p A..H. 0 0.00 K
oem9.pnf Wed May 11 2005 11:34:30p A..H. 0 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Sun Jun 5 2005 10:26:36a A..H. 8,192 8.00 K
sam.log Sun Jun 5 2005 10:26:52a A..H. 1,024 1.00 K
security.log Sun Jun 5 2005 10:26:44a A..H. 12,288 12.00 K
software.log Sun Jun 5 2005 10:27:56a A..H. 86,016 84.00 K
system.log Sun Jun 5 2005 10:26:42a A..H. 720,896 704.00 K
userdiff.log Mon May 9 2005 5:36:48p A..H. 1,024 1.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
packag~1.cab Thu May 12 2005 2:08:04a ..SHR 727 0.71 K
packag~2.cab Thu May 12 2005 2:08:04a ..SHR 19,854 19.39 K
packag~3.cab Thu May 12 2005 2:08:04a ..SHR 243,124 237.43 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Fri Jun 3 2005 6:35:58p A..H. 0 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Wed May 11 2005 6:59:48p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Wed May 11 2005 6:59:48p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Thu May 12 2005 2:07:46a A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Wed May 11 2005 6:59:48p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Thu May 12 2005 2:08:50a A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
a434fc~1 Wed May 11 2005 11:41:18p A.SH. 388 0.38 K
prefer~1 Wed May 11 2005 11:41:18p A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Thu May 12 2005 2:08:50a A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Thu May 12 2005 2:08:50a A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\FUFVHT8V\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\NPPV4GJQ\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\OLAR8DEJ\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\VAM7CSN3\
desktop.ini Thu May 12 2005 2:08:06a A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Thu May 12 2005 2:08:50a A.SH. 348 0.34 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Thu May 12 2005 2:08:50a A.SH. 84 0.08 K

89 items found: 89 files, 0 directories.
Total of file sizes: 1,430,213 bytes 1.36 M
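What pfind is reporting in the SYSTEM32 section above are strings left behind by executable packers (UPX!, PEC2, PECompact2). Packing by itself is not evidence of malware: divx.dll, lame_enc.dll and the .ax DirectShow filters are media codec libraries that ship packed, which is why the tool's own header says the files may be legitimate. smgrt.exe is the one entry in that list with no codec pedigree, and it is the one the next reply sends to Killbox. The script below is an added example, not pfind and not part of this thread: it reads the PE section table in addition to scanning for those strings, and puts packed files that are also named by an autostart entry at the top of the list. The minimal PE builder, the sample file set and the path names are constructed for the example.

```python
"""PE packer-signature scan (added example; not the pfind tool used in this thread)."""
from __future__ import annotations
import ntpath
import os
import struct

# Section names written by common packers, and the string markers pfind printed above.
PACKER_SECTIONS = {'UPX0', 'UPX1', 'UPX2', 'PEC2', '.aspack'}
STRING_MARKERS = [b'UPX!', b'PEC2', b'PECompact2']
PE_EXTENSIONS = ('.exe', '.dll', '.ax', '.ocx', '.sys', '.scr')

def section_names(data: bytes) -> list[str]:
    """Names from the PE section table; [] for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return []
    pe = struct.unpack_from('<I', data, 0x3C)[0]          # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b'PE\0\0':
        return []
    nsec = struct.unpack_from('<H', data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        off = table + i * 40                               # each header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b'\0').decode('latin-1'))
    return names

def packer_indicators(data: bytes) -> list[str]:
    """Why a file looks packed: packer section names first, then raw string markers."""
    hits = [f'section {n}' for n in section_names(data) if n in PACKER_SECTIONS]
    hits += [f'string {m.decode()}' for m in STRING_MARKERS if m in data]
    return hits

def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """path -> indicators, keeping only files that show any."""
    return {p: ind for p, d in files.items() if (ind := packer_indicators(d))}

def scan_dir(folder: str) -> dict[str, list[str]]:
    """Same scan over the PE-like files in one directory (e.g. C:\\WINDOWS\\SYSTEM32)."""
    files = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if name.lower().endswith(PE_EXTENSIONS) and os.path.isfile(path):
            with open(path, 'rb') as fh:
                files[path] = fh.read()
    return scan_files(files)

def prioritise(packed: dict[str, list[str]], autostart_images: set[str]) -> list[str]:
    """Packed files that are also named by an autostart entry (Run key, service) come first."""
    wanted = {ntpath.basename(a).lower() for a in autostart_images}
    return sorted(p for p in packed if ntpath.basename(p).lower() in wanted)

def build_pe(names: list[bytes], body: bytes = b'') -> bytes:
    """Constructed minimal PE for testing: DOS stub, PE signature, COFF header, section headers."""
    e_lfanew = 0x80
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    dos += b'\0' * (e_lfanew - len(dos))
    coff = struct.pack('<HHIIIHH', 0x14C, len(names), 0, 0, 0, 0, 0)  # i386, no optional header
    table = b''.join(n.ljust(8, b'\0') + b'\0' * 32 for n in names)
    return dos + b'PE\0\0' + coff + table + body

if __name__ == '__main__':
    # Constructed file set standing in for the SYSTEM32 hits above.
    upx_like = build_pe([b'UPX0', b'UPX1', b'.rsrc'], b'\0' * 8 + b'UPX!' + b'\0' * 8)
    sample = {r'C:\WINDOWS\SYSTEM32\smgrt.exe': upx_like,
              r'C:\WINDOWS\SYSTEM32\lame_enc.dll': upx_like,
              r'C:\WINDOWS\SYSTEM32\kernel32.dll': build_pe([b'.text', b'.data', b'.rsrc'], b'\0' * 32)}
    found = scan_files(sample)
    print(found)
    print('check first:', prioritise(found, {r'C:\WINDOWS\system32\SMGRT.EXE'}))
```

Feeding `prioritise` the image paths from the O4 and O23 lines of the HijackThis log is what turns a list of packed codecs into a short list worth looking at; a packed file with no autostart reference still deserves nothing more than a second look.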

#6 SirJon

Malware Response Team

Posted 05 June 2005 - 04:43 PM

STEP 1:
Download Killbox from here.

STEP 2:
Extract killbox.exe into a new folder named killbox and then open Killbox.exe and be sure that "Delete on Reboot" is checked.

STEP 3:
One at a time copy and paste the following files into the address bar:

C:\WINDOWS\SYSTEM32\appuh32.exe
C:\WINDOWS\SYSTEM32\smgrt.exe

STEP 4:
After each one, press the Delete File button on the far right of the address bar. It's the button that looks like a RED circle with a WHITE X in it.

STEP 5:
Each time you will get a dialog box asking if you want to reboot.
Press NO for all but the last file path.

STEP 6:
After the last file path has been entered, press YES.
Your computer will reboot and delete the files.

(NOTE: Since your HJT log indicated that you are still infected, we will have to start over with the removal procedures. Please repeat ALL the steps below as indicated. DO NOT leave out any steps.)

STEP 7:
Go to Start, Run and type in services.msc and click OK.
1.) Scroll down and find the service called Remote Procedure Call (RPC) Helper.
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.
STEP 8:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 9:
From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 10:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

STEP 11:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear; click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well; a large window across from the second Drive box now appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 12:
From Safe Mode, run the Ewido Security Suite 3.0.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.
STEP 13:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier.
Make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.
Be sure to run the program again a second time.

STEP 14:
Now double-click on the cwsfix.reg file you saved earlier and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

STEP 15:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 16:
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

#7 pieguy288


Posted 06 June 2005 - 02:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:40:46 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\imapi.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9ABBF8BA-C35E-205B-6D84-95401DED6DAD} - C:\WINDOWS\system32\mstm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winmngr.exe] C:\WINDOWS\system32\SMGRT.EXE
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://txiframe.biz//adverts//09//targ.chm::/win32.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{879DD6F6-7569-494E-9EA6-54B1D7F26757}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#8 SirJon

SirJon
Malware Prevention
  • Malware Response Team
  • 230 posts
  • Gender:Male

Posted 06 June 2005 - 05:11 PM

Good Job! :thumbsup:
Things are looking up.

Now please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9ABBF8BA-C35E-205B-6D84-95401DED6DAD} - C:\WINDOWS\system32\mstm32.dll
O4 - HKLM\..\Run: [winmngr.exe] C:\WINDOWS\system32\SMGRT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://txiframe.biz//adverts//09//targ.chm::/win32.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{879DD6F6-7569-494E-9EA6-54B1D7F26757}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37


NOTE: Unless you or an administrator set this entry, check this in HJT also:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Programs such as Spybot-S&D and others may have set this also)

Go to Start, Search, For Files or Folders, and type in each file or folder name.
Scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.

C:\WINDOWS\system32\mstm32.dll <----Delete this file. (If found)
C:\WINDOWS\system32\SMGRT.EXE <----Delete this file. (If found)
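The fix list above follows a handful of patterns that recur in HijackThis logs: a BHO with no real name loading a DLL from system32, a Run value whose label names one executable while launching another, Downloaded Program File (O16) entries served through the ms-its/mhtml handler, NameServer (O17) overrides, and the O6 policy key. As an added example that is not code from BleepingComputer, HijackThis or either poster, here is a small Python triage script that applies those patterns to a subset of the log posted in this thread. The heuristics are the editor's, not HJT's; an O17 hit means "confirm these resolvers are the ones you or your ISP configured", not a verdict on the addresses themselves.

```python
"""Triage a HijackThis (HJT) log for the entry classes discussed in this thread.
Editor's example, not a BleepingComputer or HijackThis tool.  The heuristics
below are assumptions made for illustration, not HJT's own logic."""
import re
from dataclasses import dataclass

# Subset of the HJT log posted in this thread (lines copied as they appear),
# with a few benign entries kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9ABBF8BA-C35E-205B-6D84-95401DED6DAD} - C:\WINDOWS\system32\mstm32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [winmngr.exe] C:\WINDOWS\system32\SMGRT.EXE
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://txiframe.biz//adverts//09//targ.chm::/win32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1413580A-5654-4D14-B0C5-DD3611C7F3FB}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O17"
    reason: str   # why a reviewer would want to look at it
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<path>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def parse_entries(log: str):
    """Yield (section, body, raw_line) for every R*/O* entry in an HJT log."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["sec"], m["body"], raw.strip()


def triage(log: str) -> list[Finding]:
    """Return the entries a reviewer should look at, with a one-line reason."""
    findings: list[Finding] = []
    for sec, body, raw in parse_entries(log):
        if sec == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(sec, "default URLSearchHook removed; HJT can restore it", raw))
        elif sec == "O2":
            m = BHO_RE.match(body)
            # A BHO that registers no descriptive name is worth a second look.
            if m and m["name"].strip() in {"Class", "(no name)"}:
                findings.append(Finding(sec, f"BHO with generic name loads {m['path']}", raw))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                label = m["label"].lower()
                exe = m["path"].rsplit("\\", 1)[-1].lower()
                # Only flag labels that themselves name an executable but start a different one.
                if label.endswith(".exe") and label != exe:
                    findings.append(Finding(sec, f"Run value named {m['label']} actually starts {exe}", raw))
        elif sec == "O6":
            findings.append(Finding(sec, "IE policy restriction set; remove unless you or an admin set it", raw))
        elif sec == "O16" and re.search(r"\b(ms-its|mhtml):", body):
            findings.append(Finding(sec, "Downloaded Program File uses the ms-its/mhtml handler", raw))
        elif sec == "O17":
            m = NS_RE.search(body)
            servers = m["servers"] if m else "?"
            findings.append(Finding(sec, f"DNS resolvers overridden to {servers}; confirm with your ISP or admin", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample, the script flags exactly the six entry types SirJon asked to be fixed (R3, the mstm32.dll BHO, the SMGRT.EXE Run value, O6, the ms-its O16 entry and the O17 NameServer line) and leaves the Adobe BHO, the Intel HotKeysCmds entry and the Symantec service alone. The O4 check is deliberately narrow: a label such as HotKeysCmds that does not pretend to be an executable is not compared to the file it starts, which keeps ordinary vendor entries out of the report.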