Multiple infections, trojans and malware


31 replies to this topic

#1 bearsfan

bearsfan

  • Members
  • 18 posts

Posted 04 June 2005 - 09:08 PM

I will be as brief and accurate as possible. I am fairly knowledgeable with computers, so I will be able to follow any advice offered. Thank you.

The OS for this computer is Windows XP Home SP1, and there are three user accounts.

Symptoms of my problem:
  • Locked out of Task Manager.
  • Dialogues freeze when trying to save files to the desktop.
  • Other freezing has occurred when attempting various actions.
  • Occasional slowed/disabled web surfing.
  • Numerous virus alerts from both AVG and ewido SS.
  • Re-spawning files in C:\Windows and C:\Windows\system32.
  • Complete computer freeze-ups resulting in manual restarts.
  • Inability to log more than one person in to Windows at the same time.
Actions already taken, and the results yielded:
  • Ran AVG scans for all three accounts.
    - Total of 21 infected files found and deleted in the original two scans.
    - Since those scans, more trojan horses have been detected. IRC/BackDoor.SdBot.187.BG (svchost.exe) ; Downloader.Apropo.O (AutoUpdate.exe) ; IRC/BackDoor.SdBot.185.BE (.exe, four instances) ; BackDoor.Small.27.AQ ; IRC/BackDoor.SdBot.89.F (cool.exe)
    - Those detected were healed and moved to the Virus Vault.
  • Booted into Safe Mode and ran scans with the following programs:
    - Ad-Aware (many objects found -- dialers, hijack attempts, etc.)
    - Spybot S&D (a couple problems found, don't recall what they were)
    - ewido security suite. Infections found: Backdoor.SdBot.xd (eraseme_58237.exe) ; Trojan.Rootkit.k (eraseme_76764.exe) ; Backdoor.SdBot.xd (eraseme_38005.exe) ; Backdoor.SdBot.xd (wkssvc.exe) ; Trojan.Rootkit.k (rdriv.sys) ; TrojanSpy.Small.y (services.exe) ; Backdoor.SdBot.xd (aim.exe) ; Spyware.Wheaterbug.a (MiniBugTransporter.dll)
  • Ran HijackThis and removed 4-5 items at my own discretion.
  • Again in Safe Mode, used TheKillBox to delete recently placed files in the C:\, C:\Windows, C:\Windows\system32, and C:\Windows\system directories.
The following files have re-spawned and are found in the C:\Windows\system32 directory:
  • i
  • TFTP3968
  • cmd.ftp
  • TFTP3260
  • eraseme_08241.exe
In addition to those already mentioned, I also have the following programs already at my disposal:
  • RapidBlasterKiller
  • VX2 Finder
  • CCleaner
  • CleanUp!
  • Hoster
  • Autoruns
  • SpywareBlaster
Here is my most recent HJT scan:

Logfile of HijackThis v1.98.2
Scan saved at 6:33:31 PM, on 6/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Jared\Desktop\Scans\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ussmariner.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 5.0
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEHandler Class - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2} - C:\Documents and Settings\Jared\Desktop\Archives\Programs\NetLeech\IEExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download With NetLeech - C:\Documents and Settings\Jared\Desktop\Archives\Programs\NetLeech\NLExtMenu.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/bl...x/blockwerx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8584FD59-FEC2-4EC7-9248-EF4BD42BDD31}: NameServer = 205.171.3.65 205.171.2.65
O20 - AppInit_DLLs: c:\windows\system32\comjpd.dll


I hope I have provided all necessary info. I would immensely appreciate any and all help that can possibly be provided. Thank you.


Update:

ewido just detected two more infections, one of which was Backdoor.Rbot (crssrs.exe), which was quarantined along with the others previously mentioned.

Edited by bearsfan, 04 June 2005 - 10:08 PM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 05 June 2005 - 10:47 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

c:\windows\system32\comjpd.dll

To copy the files simply navigate to the directory they are in and right click on the file name, and then click on the copy option. Now go back to the c:\submit folder and right click in the folder and select the paste option.

Once the files are all copied, zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME, right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a file called yourmembername.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that.

When the files are zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to the file you are submitting. Finally, click on the Send File button.

#3 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 05 June 2005 - 04:59 PM

Thank you for your response. Unfortunately, since posting this thread I've already used HijackThis to fix the comjpd.dll entry, and that file now no longer exists in the system32 directory. Did I do the wrong thing?

Edit: The computer's still infected with most of the viruses listed above, despite this file now being gone.

Edited by bearsfan, 05 June 2005 - 08:01 PM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 05 June 2005 - 08:16 PM

Not sure if you did wrong without seeing the file, but if everything seems to work still, it's no harm, I guess. :thumbsup:

Download http://www.bleepingcomputer.com/files/pfind-new.php

Extract pfind-new.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

#5 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 05 June 2005 - 10:13 PM

The link you provided did not work. It told me the page could not be found.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 06 June 2005 - 10:59 AM

Try this:

http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

#7 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 06 June 2005 - 08:19 PM

Thank you. Here are the results of the scan.

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\choice.exe: UPX!
C:\WINDOWS\q1214.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4


Checking the C:\WINDOWS\SYSTEM32 folder



Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Jared\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Jared\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
aim.exe Sun Jun 5 2005 5:45:38p ..SHR 61,440 60.00 K
bootstat.dat Mon Jun 6 2005 6:10:58p A.S.. 2,048 2.00 K
qtfont.qfn Mon Jun 6 2005 8:46:36a A..H. 54,156 52.89 K

C:\WINDOWS\HELP\
thumbs.db Fri Jun 3 2005 3:13:20p A.SH. 8,192 8.00 K

C:\WINDOWS\SYSTEM\
svchost.dll Fri Jun 3 2005 4:19:00p ..SHR 26,624 26.00 K
svchost.exe Fri Jun 3 2005 1:22:14p ..SHR 33,280 32.50 K

C:\WINDOWS\SYSTEM32\
exe~1 Mon Jun 6 2005 3:03:26p A.SH. 6,694 6.54 K

C:\WINDOWS\TASKS\
sa.dat Mon Jun 6 2005 6:10:18p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Mon Jun 6 2005 6:10:52p A..H. 8,192 8.00 K
sam.log Mon Jun 6 2005 6:11:20p A..H. 1,024 1.00 K
security.log Mon Jun 6 2005 6:11:00p A..H. 16,384 16.00 K
software.log Mon Jun 6 2005 6:12:14p A..H. 90,112 88.00 K
system.log Mon Jun 6 2005 6:10:58p A..H. 790,528 772.00 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
a5e574~1 Sat Apr 30 2005 2:40:54a A.SH. 388 0.38 K
prefer~1 Sat Apr 30 2005 2:40:54a A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\8RYZ2VYN\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\KAUZ3F3F\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\MZU9GHK7\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\QH2103MX\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

19 items found: 19 files, 0 directories.
Total of file sizes: 1,099,360 bytes 1.05 M

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 06 June 2005 - 09:13 PM

Download this program:

submit files packer

Highlight the files listed below in bold, right-click, and select copy.


C:\WINDOWS\q1214.exe
c:\windows\system\svchost.dll
c:\windows\system\svchost.exe
C:\WINDOWS\SYSTEM32\exe~1


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
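The sample-collection step asked for in post #2 and again in post #8 (copy the named files somewhere, pack them, rename the archive to your member name, upload it), as an added example that is not part of the thread. It is neither the "submit files packer" nor any other BleepingComputer tool, and it writes a plain .zip rather than that tool's .cab. It assumes a writable output directory and full paths for the files; it also records a SHA-256 manifest so the analyst can tell whether the file on disk is the same one AV later quarantines, and it stores each copy under a neutral suffix so nothing runs it by accident.

```python
"""Pack suspected-malware samples for submission, with a hash manifest.

Added example; it is neither the "submit files packer" nor any other
BleepingComputer tool, and it writes a .zip rather than that tool's .cab.
It assumes a writable output directory and that the caller passes full paths.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(paths, out_dir, member_name):
    """Copy each existing path into out_dir/submit, record sha256/size/mtime in
    manifest.txt, and zip the folder as <member_name>.zip.
    Missing files are listed rather than fatal: this thread shows files that
    disappear between one scan and the next."""
    submit = os.path.join(out_dir, "submit")
    os.makedirs(submit, exist_ok=True)
    manifest = {"collected": {}, "missing": []}
    for p in paths:
        if not os.path.isfile(p):
            manifest["missing"].append(p)
            continue
        st = os.stat(p)
        # Neutral suffix so the copy is not treated as an executable on the way in.
        dest = os.path.join(submit, os.path.basename(p) + ".sample")
        shutil.copy2(p, dest)  # copy2 keeps the original timestamps for the analyst
        manifest["collected"][p] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    with open(os.path.join(submit, "manifest.txt"), "w") as f:
        for src, info in manifest["collected"].items():
            f.write(f"{info['sha256']}  {info['size']:>10}  {info['mtime']}  {src}\n")
        for src in manifest["missing"]:
            f.write(f"MISSING  {src}\n")
    zip_path = os.path.join(out_dir, member_name + ".zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        for name in sorted(os.listdir(submit)):
            z.write(os.path.join(submit, name), arcname=name)
    manifest["zip"] = zip_path
    return manifest


def demo():
    """Run against constructed placeholder files in a temp dir (no real malware)."""
    d = tempfile.mkdtemp(prefix="submit_demo_")
    present = os.path.join(d, "q1214.exe")
    with open(present, "wb") as f:
        f.write(b"abc")  # placeholder bytes, not a real binary
    missing = os.path.join(d, "exe~1")  # stands in for a file that vanished before packing
    m = collect_samples([present, missing], d, "bearsfan")
    with zipfile.ZipFile(m["zip"]) as z:
        names = sorted(z.namelist())
    return {"manifest": m, "present": present, "missing": missing, "zip_names": names}


if __name__ == "__main__":
    r = demo()
    print(r["manifest"]["zip"], r["zip_names"])
```

Run it as a script to see the archive path and its members; with real paths, pass them to collect_samples() in place of the demo's placeholders. Copying from Safe Mode, as the thread advises, matters because a running backdoor can hold its own file open or replace it between the copy and the hash.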

#9 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 06 June 2005 - 09:21 PM

I've submitted the bearsfan.cab file.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 06 June 2005 - 09:31 PM

Reboot into safe mode and delete all 4 of those files. Reboot back to normal mode and post a new log.

#11 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 06 June 2005 - 09:47 PM

I did as instructed and was able to delete C:\WINDOWS\q1214.exe.

However, I could not locate the other three, as they did not appear in the directories specified:

c:\windows\system\svchost.dll
c:\windows\system\svchost.exe
C:\WINDOWS\SYSTEM32\exe~1

I should also mention, in case it's relevant or helpful, that on every start-up I'm alerted that "changeme.exe" cannot be found.

Here's the latest HJT scan, and I can already see an entry that needs to be fixed, but I'll let you instruct me further rather than doing it myself. And again, thank you for all your help up to this point.


Logfile of HijackThis v1.98.2
Scan saved at 7:44:29 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Jared\Desktop\Scans\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ussmariner.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 5.0
F2 - REG:system.ini: Shell=Explorer.exe changeme.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEHandler Class - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2} - C:\Documents and Settings\Jared\Desktop\Archives\Programs\NetLeech\IEExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download With NetLeech - C:\Documents and Settings\Jared\Desktop\Archives\Programs\NetLeech\NLExtMenu.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .cfm: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/bl...x/blockwerx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Edited by bearsfan, 06 June 2005 - 09:48 PM.
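The two logs in this thread carry the persistence entries that matter here: the O20 AppInit_DLLs line in post #1 (a DLL in that value is loaded into every process that loads user32.dll), the O17 NameServer line (per-interface DNS, worth confirming against the ISP), and the F2 Shell= line in post #11, where Winlogon's Shell value has "changeme.exe" appended to Explorer.exe, which is why the missing-file alert appears at every start-up after the file itself was deleted. The following triage script, an added example that is not HijackThis code and not part of the thread, parses a HijackThis 1.98 log and flags those entries plus O4 autoruns that start from the legacy WINDOWS\SYSTEM folder or use a core process name outside System32. SAMPLE_LOG is constructed from lines quoted in the posts above; the reasons it prints are review heuristics, not verdicts.

```python
"""Triage a HijackThis 1.98 log for the persistence entries discussed in this
thread (F2 Winlogon Shell, O4 autoruns, O17 NameServer, O20 AppInit_DLLs).

Added example; it is not HijackThis code. SAMPLE_LOG is constructed from lines
quoted in the posts above, and the reasons are heuristics for review, not verdicts.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ussmariner.com/
F2 - REG:system.ini: Shell=Explorer.exe changeme.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [windowsupdate] c:\windows\system\svchost.exe /s
O17 - HKLM\System\CCS\Services\Tcpip\..\{8584FD59-FEC2-4EC7-9248-EF4BD42BDD31}: NameServer = 205.171.3.65 205.171.2.65
O20 - AppInit_DLLs: c:\windows\system32\comjpd.dll
"""

# Names of core Windows processes that live in System32; a copy elsewhere is a classic lure.
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "csrss.exe", "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
PATH_RE = re.compile(r'[a-z]:\\[^"\s,]+', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def first_path(cmd):
    """Return the program an O4 command line launches (quoted path, else first drive path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PATH_RE.search(cmd)
    if m:
        return m.group(0)
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Winlogon's Shell value; anything appended to Explorer.exe runs at every logon.
            value = line.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding(line, "Winlogon Shell runs more than Explorer.exe: " + value))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            value = line.split("AppInit_DLLs:", 1)[1].strip()
            if value:
                findings.append(Finding(line, "AppInit_DLLs injects into every GUI process: " + value))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Startup-folder O4 lines have no [name] and are not checked here
            path = first_path(m.group("cmd"))
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if "\\windows\\system\\" in low:
                findings.append(Finding(line, "autorun from the legacy WINDOWS\\SYSTEM folder: " + path))
            elif base in SYSTEM_NAMES and "\\system32\\" not in low:
                findings.append(Finding(line, "system process name outside System32: " + path))
        elif line.startswith("O17 - ") and "NameServer" in line:
            findings.append(Finding(line, "per-interface DNS servers set; confirm they belong to the ISP"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.reason)
        print("   ", f.line)
```

On the sample it reports four lines (F2, the svchost.exe autorun, O17, O20) and leaves the NVIDIA and Roxio autoruns alone. Fixing the F2 line in HijackThis resets the Shell value to Explorer.exe only, which is what removes the "changeme.exe cannot be found" alert; deleting the file by itself does not.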


#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 07 June 2005 - 10:09 AM

Do me a favor and open c:\pfind.txt and post the contents again.

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 07 June 2005 - 12:56 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, put a checkmark next to each of these, and then click the Fix button:

O4 - [windowsupdate] c:\windows\system\svchost.exe /s


Then delete these files or directories (Do not be concerned if they do not exist)

c:\windows\system\svchost.exe
c:\windows\system\svchost.dll
c:\windows\system\svchosthook.dll

Reboot your computer to go back to normal mode and post a new log.

#14 bearsfan

bearsfan
  • Topic Starter

  • Members
  • 18 posts

Posted 07 June 2005 - 04:49 PM

I'm not sure those last instructions were intended for me, as that entry does not exist in my HJT log and none of those files exist in my C:\Windows\system directory. However, here are the results of my latest pfind scan, as requested in your post before last.


Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\choice.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\navupdts.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: FSG!u1
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Jared\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Jared\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Tue Jun 7 2005 2:37:46p A.S.. 2,048 2.00 K
qtfont.qfn Mon Jun 6 2005 8:46:36a A..H. 54,156 52.89 K

C:\WINDOWS\HELP\
thumbs.db Fri Jun 3 2005 3:13:20p A.SH. 8,192 8.00 K

C:\WINDOWS\SYSTEM\
svchost.dll Fri Jun 3 2005 4:19:00p ..SHR 26,624 26.00 K
svchost.exe Fri Jun 3 2005 1:22:14p ..SHR 33,280 32.50 K

C:\WINDOWS\TASKS\
sa.dat Tue Jun 7 2005 2:37:04p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Tue Jun 7 2005 2:37:38p A..H. 8,192 8.00 K
sam.log Tue Jun 7 2005 2:38:06p A..H. 1,024 1.00 K
security.log Tue Jun 7 2005 2:37:48p A..H. 16,384 16.00 K
software.log Tue Jun 7 2005 2:38:54p A..H. 90,112 88.00 K
system.log Tue Jun 7 2005 2:37:46p A..H. 798,720 780.00 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
a5e574~1 Sat Apr 30 2005 2:40:54a A.SH. 388 0.38 K
prefer~1 Sat Apr 30 2005 2:40:54a A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\8RYZ2VYN\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\KAUZ3F3F\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\MZU9GHK7\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\QH2103MX\
desktop.ini Sun Jun 5 2005 5:45:40p ..SH. 67 0.06 K

17 items found: 17 files, 0 directories.
Total of file sizes: 1,039,418 bytes 1,015.05 K
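The two pfind outputs in posts #7 and #14 come from two checks: a search for packer markers (UPX!, FSG!) in executables under the Windows folders, and a listing of hidden or system files modified in the last 60 days. Both produce leads, not verdicts, which is why the tool's own header warns that files it finds may be legitimate: AVG's avg7core.sys shows up in both logs because the vendor packed its own driver. The script below is an added example, not pfind itself, that implements those two checks. The packer check reads the first 4 KiB of any file with an MZ header; the attribute check relies on st_file_attributes, which Python only provides on Windows, so the demo passes require_attrs=False to exercise the time window on any platform. The demo tree is constructed and contains no real malware.

```python
"""Two of the checks pfind.bat ran in this thread: packer markers in MZ files,
and files modified within a recent window (pfind limits that to hidden/system
files, which this script can only evaluate on Windows via st_file_attributes).

Added example; not pfind itself. The demo tree is constructed, not real malware.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass

PACKER_MARKERS = (b"UPX!", b"FSG!")
HEADER_BYTES = 4096  # the markers sit in the early headers / section table


@dataclass
class Hit:
    path: str
    reason: str


def packer_marker(path):
    """Return the packer marker found in the head of an MZ file, else None."""
    with open(path, "rb") as f:
        head = f.read(HEADER_BYTES)
    if not head.startswith(b"MZ"):
        return None
    for marker in PACKER_MARKERS:
        if marker in head:
            return marker.decode()
    return None


def is_hidden_or_system(st):
    """True when the Windows HIDDEN or SYSTEM attribute is set; always False elsewhere."""
    attrs = getattr(st, "st_file_attributes", 0)
    mask = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)
    return bool(attrs & mask)


def scan(root, days=60, require_attrs=True, now=None):
    """Walk root; report packed MZ files and files modified within `days`
    (only hidden/system ones unless require_attrs is False)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
                marker = packer_marker(p)
            except OSError:
                continue  # locked or vanished file; skip rather than abort the walk
            if marker:
                hits.append(Hit(p, f"packed with {marker}"))
            if st.st_mtime >= cutoff and (is_hidden_or_system(st) or not require_attrs):
                hits.append(Hit(p, "modified within window"))
    return hits


def demo():
    """Scan a constructed temp tree; returns 'name: reason' strings."""
    root = tempfile.mkdtemp(prefix="pfind_demo_")
    samples = {
        "choice.exe": b"MZ" + b"\x00" * 200 + b"UPX!" + b"\x00" * 16,  # MZ stub with a UPX marker
        "plain.exe": b"MZ" + b"\x00" * 200,                            # MZ, no marker
        "notes.txt": b"UPX! appears in text, but there is no MZ header",
        "old.dat": b"x",
        "new.dat": b"y",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    old = time.time() - 100 * 86400  # push one file outside the 60-day window
    os.utime(os.path.join(root, "old.dat"), (old, old))
    # require_attrs=False so the time window is exercised off Windows as well
    return {os.path.basename(h.path) + ": " + h.reason for h in scan(root, days=60, require_attrs=False)}


if __name__ == "__main__":
    for line in sorted(demo()):
        print(line)
```

Against a real Windows tree, call scan(r"C:\WINDOWS") with the default require_attrs=True to get the same hidden/system listing pfind produced; a packed file is a lead to submit for analysis, as Grinler did with q1214.exe, not something to delete on sight.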

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 08 June 2005 - 10:37 AM

Yes, it was meant for you. Can you go into safe mode and create a HJT log there, then reboot back to normal mode and post it from there?



