
One virus remains


25 replies to this topic

#1 dchorton

dchorton

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 06 July 2005 - 09:19 AM

My friend's machine started out with 31 viruses. I have run AdAware SE and AVG and removed all but 1 of them. I can't get the last one.
The hijack this scan shows:

HKLM\..\run for 2 entries for AVG
HKLM\..\run [oxfywjc] windows\system32\nojtoqo.exe r
winlogin notify runonce c:\windows\system32\mohtml.dll
service, 2 entries for AVG
service system startup c:\windows\svcproc.exe

When I delete the line oxfywjc, it is recreated with a different name. MOHTML line will also not delete.

Any ideas?


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 07 July 2005 - 08:09 PM

Could I see a full log please?

#3 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 07 July 2005 - 09:33 PM

Ok, let me type it all out since that computer is not on the web.

HKLM\..\run:[avg7_cc]c:\program files\grisoft\avgfre~1\avgcc.exe /startup
HKLM\..\run:[avg7_emc]c:\program files\grisoft\avgfre~1\avgemc.exe
HKLM\..\run:[vnozvsr]c:\windows\system32\qjzteoj.exe r
HKLM\..\run:[kavsvc]c:\windows\system32\raumnp.exe reg_run
O20-winlogon notify:dynamic directory-c:\windows\system32\mohtml.dll
O23-service:avg7 alert manager server(avg7alrt)-grisoft,s.r.o.-c:\program files\grisoft\avgfre~1\avgamsvr.exe
O23-service:avg7 update service(avg7updsvc)-grisoft,s.r.o.-c:\program files\grisoft\avgfre~1\avgupsvc.exe
O23-service:system startup service(svcproc)-unknown owner-c:\windows\svcproc.exe


Those are the only lines in the scan log.

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 07 July 2005 - 09:44 PM

What did you get that log from? If you could, would you look at a few other logs in the HJT section here? You will see that you don't have anywhere near a complete log. I can't help until I see the entire log.

#5 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 08 July 2005 - 12:04 PM

On the computer, I ran HijackThis, and clicked on SCAN. Those items I typed in are the ONLY ones that displayed. Is there some other area I need to go to in HiJackThis?

This is XP Home.

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 08 July 2005 - 03:50 PM

Once the scan is complete, the scan button turns into a "save log" button. Click on that, and notepad will open. Paste the entire contents of the notepad into your reply.

If you click on the first line inside notepad, then hit CTRL-A, it will highlight all of the text. Then, if you click on CTRL-C, it will copy the contents to the clipboard. Then start a reply in this thread, and click on CTRL-V, and it will paste the entire contents into this thread.

I'm sorry. I should have given better directions.

#7 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 09 July 2005 - 01:06 PM

Problem is that computer isn't on the web, but I will see what I can do.

#8 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 09 July 2005 - 01:44 PM

Here is the entire log.


Logfile of HijackThis v1.99.1
Scan saved at 1:41:16 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\zwpoxoy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system\jrea.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nact.exe
C:\hijack\hijackthis.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\raumnp.exe reg_run
O4 - HKLM\..\Run: [usnruib] c:\windows\system32\zwpoxoy.exe r
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\MOHTML.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 09 July 2005 - 04:18 PM

You have a qoologic trojan on there, plus some other infection. That computer is going to need an Internet connection though in order to download all of the tools and scans that you need.

I am PMing you a link to a script. Download it and run it on the infected computer. It will create a text file. Post that text file in here.

This isn't an infection that can be removed by just removing some lines. It consists of numerous hidden files, and hidden registry entries, and they take a bit to find. Plus, if we don't get all of them, it will come right back. So is there any chance that machine can somehow get connected?
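As an added illustration of the behaviour described in this thread (this is not code from the thread or from any tool named in it): the Run entry that "comes right back" under a new name can be spotted by comparing successive HijackThis scans. The script below groups O4 lines by launch key, directory and arguments, and flags a slot whose value name and executable name changed on every scan. The four scans are a constructed sample, normalised from the lines quoted in the posts above.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 lines from the four scans quoted in this thread,
# normalised to the HijackThis "O4 - key: [name] path args" line format.
SCANS = [
    [r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
     r"O4 - HKLM\..\Run: [oxfywjc] c:\windows\system32\nojtoqo.exe r"],
    [r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
     r"O4 - HKLM\..\Run: [vnozvsr] c:\windows\system32\qjzteoj.exe r",
     r"O4 - HKLM\..\Run: [KavSvc] c:\windows\system32\raumnp.exe reg_run"],
    [r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
     r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\raumnp.exe reg_run",
     r"O4 - HKLM\..\Run: [usnruib] c:\windows\system32\zwpoxoy.exe r"],
    [r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
     r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\raumnp.exe reg_run",
     r"O4 - HKLM\..\Run: [zqzfrta] c:\windows\system32\redfjoz.exe r"],
]

O4_LINE = re.compile(
    r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<path>\S+)(?: (?P<args>.*))?$")

def parse_o4(line):
    """Return (launch key, value name, exe directory, exe basename, args) or None."""
    m = O4_LINE.match(line)
    if not m:
        return None
    directory, _, basename = m.group("path").lower().rpartition("\\")
    return (m.group("key").lower(), m.group("name"), directory, basename,
            (m.group("args") or "").lower())

def polymorphic_entries(scans):
    """Group entries by shape (key, directory, args) and report shapes whose
    value name and executable name were different in every scan they appeared in."""
    seen = defaultdict(list)   # shape -> [(scan index, value name, exe basename)]
    for i, lines in enumerate(scans):
        for line in lines:
            parsed = parse_o4(line)
            if parsed:
                key, name, directory, basename, args = parsed
                seen[(key, directory, args)].append((i, name.lower(), basename))
    flagged = []
    for shape, hits in seen.items():
        names = {name for _, name, _ in hits}
        exes = {exe for _, _, exe in hits}
        # A slot that carries a fresh name and a fresh binary on every scan is
        # being regenerated by something still running, not a leftover line.
        if len(hits) > 1 and len(names) == len(hits) and len(exes) == len(hits):
            flagged.append((shape, sorted(names), sorted(exes)))
    return flagged
```

The stable AVG and KavSvc entries are not flagged; only the slot that moved from oxfywjc to vnozvsr to usnruib to zqzfrta is, which is the one that deleting the line cannot fix while the process that rewrites it is still running.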

#10 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 09 July 2005 - 09:30 PM

I will be able to do it, but not now. The storm is going to hit us tomorrow so we will probably not have power until Tuesday.
How do you PM a script to me? I knew the thing was deep hidden, and I have many computers here; that is why that one isn't connected to the net. I didn't (don't) want to take the chance of infecting any other machine. But I will connect it by itself to the internet, maybe Tuesday (or earlier if possible).
Thanks.

#11 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 09 July 2005 - 09:38 PM

I downloaded the link, but the zip file never could open. I got errors that it wasn't a zip file.

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 09 July 2005 - 09:43 PM

Hmm. Not sure why it screwed up. Inside the zip file is a VBS file. I just tried it and it worked fine...

A .vbs file is simply a text file, and I could PM the contents to you if you can't get it to work properly.

#13 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 12 July 2005 - 06:16 AM

Please just paste the text and I will put it in a text file to run on the machine.
Thanks.

#14 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:09:15 PM

Posted 12 July 2005 - 08:57 AM

I can't fit it all in one post, so you can get the text here:
http://www.silentrunners.org/Silent%20Runners.vbs

Copy and paste the entire contents into notepad. Save the file as "silent.vbs" including the quotation marks. Double-click on it to run the script. When it is done, notepad will open with a log in it. Paste the contents of the log in here please.

#15 dchorton

dchorton
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 13 July 2005 - 06:41 PM

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"jrea.exe" = "C:\WINDOWS\system\jrea.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"KavSvc" = "C:\WINDOWS\System32\raumnp.exe reg_run" [null data]
"C:\WINDOWS\VCMnet11.exe" = "C:\WINDOWS\VCMnet11.exe" [null data]
"zqzfrta" = "c:\windows\system32\redfjoz.exe r" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{D4B1A988-57AC-4422-B002-133E5BB86F3B}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\opesvr32.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{EED1FB6D-8B11-4D93-9449-2C074F63CF32}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dysetup.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! H323TSP\DLLName = "C:\WINDOWS\system32\kedno.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
fykqtxmt\(Default) = "{27086338-eb8e-41a7-8c20-c4191f63684b}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ukvnq.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\ZKLSPR.DLL ["Zero-Knowledge Systems Inc."], 01 - 09, 15
%SystemRoot%\system32\mswsock.dll [MS], 10 - 12, 16 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 13 - 14


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" ["Yahoo! Inc."]

"{FA91B828-F937-4568-82C1-843627E63ED7}" = "&Zero-Knowledge Freedom" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll" ["Zero-Knowledge Systems Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{79406F24-8E95-4AF8-9FEF-2EA2B504E707}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\ttext.dll" [empty string]

HKLM\Software\Classes\CLSID\{8F7D96AA-489A-4194-AB34-21EF42507932}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\ttext.dll" [empty string]

HKLM\Software\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\ = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 124 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 382 seconds)