
Infected with several Trojans


This topic is locked
6 replies to this topic

#1 novirusplease
  • Members
  • 142 posts

Posted 30 August 2005 - 09:46 AM

My computer is infected with several Trojans. I have scanned all my hard disks several times with anti-virus programs (AVG, Spyware Doctor, online BitDefender, online Panda, Stinger, Ewido), but many of them still remain. Help is kindly needed to definitively remove them.
Trojan list:
- Generic.ET
- Downloader.Generic.CPP
- IRC/Backdoor.SdBot.IRK
- IRC/Backdoor.SdBot.ILH
- Clicker.MH
- others?


Could anyone help me?

My HijackThis logfile is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:35:30, on 30.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\runs.pif
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\WINDOWS\System32\boot32.pif
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\boot32.pif

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [MS taskbar W] task32w.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Games Updater] msgame32.exe
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [MS-DOS Boot Service] boot32.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Games Updater] msgame32.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKLM\..\RunServices: [System Update Service] system.pif
O4 - HKLM\..\RunServices: [System Updates Service] updates.pif
O4 - HKLM\..\RunServices: [MS-DOS Boot Service] boot32.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MS taskbar W] task32w.exe
O4 - HKCU\..\Run: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [System Updates Service] updates.pif
O4 - HKCU\..\Run: [MS-DOS Boot Service] boot32.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Updates Service] updates.pif
O4 - HKCU\..\RunServices: [MS-DOS Boot Service] boot32.pif
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINDOWS\ntfsprotect.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe (file missing)


#2 JG427
  • Members
  • 241 posts

Posted 01 September 2005 - 12:25 AM

Hi, novirusplease.
Well, this may take a while; lots of bad files listed.


First, since these are backdoor trojans, let's try installing a firewall to stop them from connecting.

Free versions of Zone Alarm, Sygate or Kerio are listed for download at PCWorld.
I use Zone Alarm; it's easy to set up. Once installed it will notify you when any program tries to connect to the internet. Block anything you don't recognize.

I know you have already run scans, but let's run them again in Safe Mode.
Reboot into Safe Mode:
Restart the computer; as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safe Mode, then press Enter.

Open Stinger and run a scan. When that's finished, run the next scan.

Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

Reboot to normal mode.

Check for updates in AVG and run a full system scan.

Download and install the update patches for XP from these Microsoft sites:

http://www.microsoft.com/technet/security/...n/ms04-007.mspx
http://www.microsoft.com/technet/security/...n/ms04-012.mspx
http://www.microsoft.com/technet/security/...n/ms05-039.mspx


Restart your system after all patches are installed.
Scan with HijackThis and post a fresh log.
Also post the report from Ewido.

#3 novirusplease
  • Topic Starter
  • Members
  • 142 posts

Posted 01 September 2005 - 07:19 AM

I have re-scanned with Ewido in Safe Mode and installed the 3 Windows patches as well as ZoneAlarm. Meanwhile some virus has taken control of my e-mail client and is sending thousands or millions of mails to unknown addresses (I receive error messages from non-existent addresses; today already 5000 error messages). My e-mail client is saturated by error messages and I cannot read my regular mail. I cannot use my computer, as it is slowed down by a factor of 1000 at least. I urgently need to remove the viruses.

HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 14:14:47, on 01.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\update32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\runs.pif
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\WINDOWS\System32\KeyboardHlpr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [MS taskbar W] task32w.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Games Updater] msgame32.exe
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KeyboardHlpr.exe] C:\WINDOWS\System32\KeyboardHlpr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Games Updater] msgame32.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKLM\..\RunServices: [System Update Service] system.pif
O4 - HKLM\..\RunServices: [System Updates Service] updates.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MS taskbar W] task32w.exe
O4 - HKCU\..\Run: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [System Updates Service] updates.pif
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Updates Service] updates.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9530F07B-29B1-429F-AC77-9316721AC542}: NameServer = 194.230.1.103 194.230.1.39
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINDOWS\update32.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINDOWS\ntfsprotect.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



Ewido:
---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 11:27:23, 01.09.2005
+ Somme de contrôle: FEA53B58

+ Résultats du scan:

C:\WINDOWS\SYSTEM32\MSASP32.exe -> Backdoor.Codbot.ag : Nettoyer et sauvegarder
C:\WINDOWS\SYSTEM32\TFTP3896 -> Backdoor.Rbot : Nettoyer et sauvegarder
E:\System Volume Information\_restore{1CF158A2-535C-4E4D-82CB-7A969FA8AE56}\RP1\A0000070.exe -> Backdoor.IP_Protect : Nettoyer et sauvegarder


::Fin du rapport

#4 JG427
  • Members
  • 241 posts

Posted 01 September 2005 - 10:56 AM

Stay disconnected from the internet as much as possible. Unplug the modem or router, except when you must go online. If you have access to another computer, use that one to communicate.

We need to make some changes to your system that Spyware Doctor may try to block. Shut down Spyware Doctor before opening HijackThis.

Copy the following instructions to notepad since you will need to close this window.

Change these settings to search for and show hidden files:
Click start > search > change preferences
Click "change file and folder search behavior"
Choose "advanced" then ok
Click the drop down arrow at "more advanced options"
Place a checkmark at the following:
search system folders
search hidden files and folders
search subfolders


Open Windows Explorer & Go to Tools > Folder Options.
Click on the View tab
Place a checkmark at "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Uncheck "hide extensions for known file types"
click "Apply to all folders"
Click "Apply" then "OK"


Scan with HijackThis and checkmark these lines:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O4 - HKLM\..\Run: [MS taskbar W] task32w.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [Microsoft Windows Automatic Games Updater] msgame32.exe
O4 - HKLM\..\Run: [Windows Update Service] update32.pif
O4 - HKLM\..\Run: [System Updates Service] updates.pif
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif

O4 - HKLM\..\Run: [KeyboardHlpr.exe] C:\WINDOWS\System32\KeyboardHlpr.exe

O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Games Updater] msgame32.exe

O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Windows Update Service] update32.pif
O4 - HKLM\..\RunServices: [System Update Service] system.pif
O4 - HKLM\..\RunServices: [System Updates Service] updates.pif
O4 - HKLM\..\RunServices: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif

O4 - HKCU\..\Run: [MS taskbar W] task32w.exe
O4 - HKCU\..\Run: [Windows Update Service] update32.pif
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [System Updates Service] updates.pif
O4 - HKCU\..\Run: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\RunServices: [Windows Update Service] update32.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Updates Service] updates.pif
O4 - HKCU\..\RunServices: [MSDOS Security Service] msdos.pif

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINDOWS\update32.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINDOWS\ntfsprotect.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe (file missing)

Close all browsers and open windows, except HijackThis, and click Fix checked. You can open the notepad text you saved earlier after clicking Fix checked.

Click the start button on the taskbar then click Run...
Copy from your notepad instructions the following lines, one at a time, into the Run box. Click OK after each one. You may see a command prompt open and close quickly, which is normal.

sc stop Microsoft Windows Service
sc delete Microsoft Windows Service
sc delete hexadecimal
sc delete WIN32
sc delete Net Functions Library
sc delete NTFSprotect
sc delete UDP Sub Packet Classifier


Next, right-click the Start button and choose Explore.
Navigate to C:\WINDOWS\Prefetch and open the Prefetch folder.
Delete all contents of the Prefetch folder, but not the folder itself.

Delete these files:
C:\WINDOWS\System32\KeyboardHlpr.exe
C:\WINDOWS\update32.exe

Run a search for and delete these files (some may be missing, delete all you find):
task32w.exe
winproc.exe
msgame32.exe
update32.pif
updates.pif
runs.pif
msdos.pif


Clean out temporary and TIF files.

Click the Start button, then click on Run... and type in the box: cleanmgr.
Let it scan your system for files to remove.
Make sure these 3 are checked and then press *OK* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin



Repeat your previous online scans at BitDefender and Panda ActiveScan.
After the online scans, scan again with Ewido and post the report.

Restart your system after all scans are done.
Scan with HijackThis and post the new log.
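The checklist in the post above is built by eye: autorun entries that are bare file names or .pif files, look-alike vendor names such as "Microsoftf ... Contr0l", services with no owner whose image is missing, and the changed O15 protocol default. As an added illustration (this is not part of the thread and not a HijackThis feature), the following Python script applies those same heuristics to HijackThis log lines. The sample log is constructed from lines posted in this thread plus two benign entries; the regular expressions and the function names are the author's own assumptions about the log format, not anything HijackThis ships.

```python
"""Triage a HijackThis log for the autorun and service patterns seen in this thread.

Heuristics only: a flagged line is something to review by hand, and an
unflagged line is not a clean bill of health (rundll32 entries, for example,
are also bare file names and are usually legitimate).
"""
import re

# Constructed sample: lines copied from the logs posted in this thread, plus the
# AVG and ctfmon entries as benign controls, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MS taskbar W] task32w.exe
O4 - HKLM\..\Run: [Microsoftf DDos Contr0l] runs.pif
O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Microsoft Windows Service - Unknown owner - C:\WINDOWS\update32.exe
"""

# O4 - <hive>\..\<Run|RunServices>: [<name>] <command>   (assumed layout)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 - Service: <display name (short name)> - <owner> - <image path>   (assumed layout)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# A digit zero wedged between letters ("Contr0l") is a look-alike spelling.
DIGIT_FOR_LETTER_RE = re.compile(r"[A-Za-z]0[A-Za-z]")


def _image(cmd):
    """First token of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def _check_o4(m):
    reasons = []
    exe = _image(m["cmd"])
    if "\\" not in exe:
        reasons.append("autorun value is a bare file name (no directory)")
    if exe.lower().endswith(".pif"):
        reasons.append(".pif extension on an autorun entry")
    if m["key"].lower() == "runservices":
        # RunServices is a Windows 9x key; NT-family Windows does not process it,
        # but worm installers still write it alongside Run.
        reasons.append("RunServices key is not used by Windows XP")
    name = m["name"]
    if DIGIT_FOR_LETTER_RE.search(name) or "microsoftf" in name.lower():
        reasons.append("look-alike vendor name: %r" % name)
    return reasons


def _check_o23(m):
    reasons = []
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("service has no vendor string")
        if "(file missing)" in m["path"]:
            reasons.append("service image is missing (orphaned registration)")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every line a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                reasons = _check_o4(m)
        elif line.startswith("O15 - ProtocolDefaults") and "should be" in line:
            reasons = ["protocol zone default has been changed"]
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m:
                reasons = _check_o23(m)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```

On the constructed sample the script flags six lines (the three bare/.pif autoruns, the O15 line and the two "Unknown owner" services) and leaves the AVG and ctfmon entries alone; the reasons printed under each line are the same points a helper would make when explaining why a line is on the fix list.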

#5 novirusplease
  • Topic Starter
  • Members
  • 142 posts

Posted 02 September 2005 - 07:51 AM

Everything has been done as indicated. Some viruses are, though, still detected by AVG.

Ewido log file:

---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 14:40:39, 02.09.2005
+ Somme de contrôle: EA702060

+ Résultats du scan:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPQJOLUR\s[1].exe -> Backdoor.Prorat.ak : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[1].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[3].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[4].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@download.com[2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@download.com[1].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[5].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
E:\WINDOWS\Cookies\yoshinori senuma@com[6].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder


::Fin du rapport




HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 14:47:03, on 02.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9530F07B-29B1-429F-AC77-9316721AC542}: NameServer = 194.230.1.103 194.230.1.39
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINDOWS\ntfsprotect.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 JG427
  • Members
  • 241 posts

Posted 02 September 2005 - 03:40 PM

No bad files are listed in your running processes; it looks much better.
Some clean-up remains to be done. AVG may be showing files contained in System Restore. We can clean System Restore and set a fresh restore point.

Let's download the following security update. Download it to your hard drive, but do not install it yet.

Download the version for XP Service Pack 1:
http://www.microsoft.com/technet/security/...n/MS04-011.mspx


Click the Start button on the taskbar, then click Run...
Copy and paste the following lines, one at a time, into the Run box. Click OK after each one. You may see a command prompt open and close quickly, which is normal.

sc stop hexadecimal
sc delete hexadecimal

sc stop WIN32
sc delete WIN32

sc stop Net Functions Library
sc delete Net Functions Library

sc stop NTFSprotect
sc delete NTFSprotect

sc stop UDP Sub Packet Classifier
sc delete UDP Sub Packet Classifier


To install the security updates downloaded earlier, first disconnect from the internet by unplugging your modem. Next, shut down your anti-virus and Spyware Doctor.

Double click the first file downloaded and follow the prompts to install.
Continue to install the remaining files.

System restore may contain copies of the bad files on your system. Turning off system restore will remove all restore points.
Right click the My Computer icon, click on Properties.
Click on the System Restore tab.
Put a check mark next to 'Turn off System Restore on All Drives'.
Click the 'OK' button.
You will be prompted to restart the computer. Click Yes.

Repeat the steps except remove the checkmark at 'Turn off System Restore on All Drives'.
This will create a clean restore point.

Run a full system scan with AVG. If it continues to show an infection, please write down the full message and post it here.

Scan with HijackThis and post a fresh log.
How is your system running now; any better?

Edit: removed two links, duplicates from my first post.

Edited by JG427, 03 September 2005 - 02:18 PM.


#7 JG427
  • Members
  • 241 posts

Posted 24 September 2005 - 10:21 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.