
help again!


5 replies to this topic

#1 ari

ari

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 13 September 2005 - 03:05 PM

Hi,
I keep getting reinfected. I installed LimeWire for a couple of days, so it must have been from that. I have uninstalled it but I still have the virus.
Here's my log, hope you can help:

Logfile of HijackThis v1.99.1
Scan saved at 21:03:08, on 13/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2k.net/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F75.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 14 September 2005 - 08:10 AM

Hello,

It's better to print out the following instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

I see you already have ewido installed.
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

* Reboot into Safe Mode (without networking support!)
°To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2k.net/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F75.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe


* Click on Fix Checked when finished and exit HijackThis.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Open Ad-aware and do a full scan. Remove all it finds.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an online scan with Kaspersky WebScanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.

It is possible that after the reboot your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
Click Apply and OK.

Edited by miekiemoes, 14 September 2005 - 08:10 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
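
The fix list above is a manual triage of the log. As an added example (not part of this thread or of HijackThis), the following Python script applies those same indicators to a HijackThis log: R0/R1 entries pointing at an untrusted host, an F2 Shell= line with extra programs appended, an O2 BHO loaded from a .tmp file, O4 entries launching the executables named in the reply, and the same executable name launched from two different directories (msmsgs.exe here, once from Program Files\Messenger and once from System32). The trusted-host allowlist is an assumption; the sample log lines are copied from the first post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts a stock IE install may legitimately use for its search/start pages.
# Constructed allowlist for this example; extend it for your own environment.
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "www.google.com", "search.msn.com"}
# Executables the reply above tells the poster to remove from the Run keys.
KNOWN_ROGUE_BINARIES = {"psguard.exe", "intell32.exe"}

# Sample log: entries copied from the first post of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3F75.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Image Transfer.lnk = ?
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(log):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def _o4_target(body):
    """Executable path launched by an O4 '[Name] command' entry ('' otherwise)."""
    m = re.search(r"\] (.*)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):  # quoted path, switches follow the closing quote
        return cmd[1:].split('"', 1)[0]
    return re.split(r" [-/]", cmd, maxsplit=1)[0]  # unquoted path, drop switches


def check_entry(section, body):
    """Reason string if the entry matches one of the indicators, else None."""
    if section in ("R0", "R1"):
        value = body.partition(" = ")[2].strip()
        host = "" if value.lower().startswith("about:") else (urlparse(value).hostname or "").lower()
        if host and host not in TRUSTED_SEARCH_HOSTS:
            return f"IE search/start URL redirected to untrusted host {host}"
    elif section == "F2":
        # system.ini Shell= must name explorer.exe only; anything appended is
        # started alongside the shell at every logon.
        m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
        if m:
            programs = [p for p in re.split(r"[,\s]+", m.group(1)) if p]
            extras = [p for p in programs if p.lower() != "explorer.exe"]
            if extras:
                return "program(s) appended to system.ini Shell=: " + ", ".join(extras)
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.lower().endswith(".tmp"):
            return f"BHO loaded from a temporary file: {path}"
    elif section == "O4":
        name = _o4_target(body).rsplit("\\", 1)[-1].lower()
        if name in KNOWN_ROGUE_BINARIES:
            return f"Run entry launches a known rogue program: {name}"
    return None


def find_masquerades(entries):
    """Executable names launched from more than one directory: one copy is a decoy."""
    dirs = defaultdict(set)
    for sec, body in entries:
        target = _o4_target(body) if sec == "O4" else ""
        if "\\" in target:
            directory, name = target.rsplit("\\", 1)
            dirs[name.lower()].add(directory.lower())
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}


def triage(log):
    """All findings for a log as (section, subject, reason) triples."""
    entries = parse_hjt(log)
    findings = []
    for sec, body in entries:
        reason = check_entry(sec, body)
        if reason:
            findings.append((sec, body, reason))
    for name, dirs in find_masquerades(entries).items():
        findings.append(("O4", name, "same executable launched from: " + "; ".join(dirs)))
    return findings


if __name__ == "__main__":
    for sec, subject, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n      {subject}")
```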

#3 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 14 September 2005 - 11:49 AM

Hi,
everything seems to be fine now :thumbsup:
Here are my logs:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 14, 2005 17:43:41
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/09/2005
Kaspersky Anti-Virus database records: 140304
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51299
Number of viruses found: 10
Number of infected objects: 93
Number of suspicious objects: 2
Duration of the scan process: 1646 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip/e.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip Suspicious: Password-protected-EXE
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP100\A0058387.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP101\A0058450.dll Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP101\A0058534.old Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0039083.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0039084.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0040076.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0040087.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0040097.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041081.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041097.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041122.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041134.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041148.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041161.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041179.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0041188.exe Infected: Trojan-Dropper.Win32.Agent.sa
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0042177.exe Infected: Trojan.Win32.Stervis.e
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0042179.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0042181.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0042182.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0042185.exe Infected: Trojan-Dropper.Win32.Agent.sa
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0043421.exe:fhrxv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP81\A0049691.INI:stmka:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP82\A0049719.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049756.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049756.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049756.EXE:rkhgzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049756.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049763.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049763.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049763.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049763.EXE:rkhgzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049763.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049815.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049815.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049815.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049815.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049831.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049831.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049831.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049831.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP83\A0049831.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:vcuiv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049836.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:vcuiv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:vrrve:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP84\A0049852.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:kqctn:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:vcuiv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:vrrve:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049854.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049897.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:aacgar:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:iarbfg:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:kqctn:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:vcuiv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:vrrve:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049964.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049970.cfg:rrnbx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049972.OLD:tmwibc:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049978.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049980.ini:nbbrov:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049981.INI:stmka:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049981.INI:xoidgv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049982.ini:ykdvn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049983.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:aacgar:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:gjewd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:iarbfg:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:kqctn:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:lwisr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:pkbsd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:vcuiv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:vrrve:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:wpwlk:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049985.EXE:yjobfd:$DATA Infected: Trojan-Downloader.Win32.Agent.bc

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 17:47:19, on 14/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


smitRem log file
version 2.3

by noahdfear

The current date is: 14/09/2005
The current time is: 16:15:04.28

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :flowers:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Dating.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~

ole32vbs.exe
msole32.exe
shnlog.exe
intmon.exe
hhk.dll
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini
popuper.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :trumpet: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :inlove: ~~~~


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:58:06, 14/09/2005
+ Report-Checksum: 2108B72C

+ Scan result:

C:\Program Files\Play65\update.ini -> Trojan.Smitfraud : Cleaned with backup
C:\WINDOWS\system32\ebr7vje8.dat -> Trojan.Smitfraud : Cleaned with backup


::Report End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 14 September 2005 - 11:52 AM

Hi, I see a clean log. :thumbsup:

Please open your Spybot S&D, choose the Recovery option and DELETE everything that is in there.

Also, an important thing to do is to disable your System Restore (note: this will delete all your system restore points and the malware that was present in them).
How to disable System Restore in XP
Reboot, and after rebooting enable it again, so a new system restore point will be made. A clean one now! :flowers:

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.
If you don't have those programs yet, you can find the download locations in my sig.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ ASAP to update to SP2!

If you have XP SP2, read here how to configure security features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again! :trumpet:
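
The Kaspersky report in post #3 shows why the advice above is what it is: nearly every object sits inside System Volume Information\_restore{...}\RPnn (a System Restore point, which no on-demand cleaner touches until System Restore is purged), one sits in Spybot's Recovery folder, and many carry a :stream:$DATA suffix, meaning the payload was hidden in an NTFS alternate data stream of an otherwise ordinary file and will not show up in a directory listing. As an added example (not part of this thread or of the Kaspersky scanner), this Python script parses such report lines and groups each detection by the action that actually removes it; the report lines are copied from the thread, except the last, which is constructed to show a live file.

```python
import re
from collections import Counter

# Sample report: all lines but the last copied from the Kaspersky report in
# post #3; the last one is constructed to show a detection on a live file.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip/e.exe Suspicious: Password-protected-EXE
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP100\A0058387.exe Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0039083.exe Infected: Trojan.Win32.Puper.an
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP72\A0043421.exe:fhrxv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049903.EXE:iarbfg:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{ECFC50E5-4810-4663-B3C3-1FB2EC39CDC9}\RP85\A0049981.INI:stmka:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\popuper.exe Infected: Trojan.Win32.Puper.an
Scan process completed.
"""

# "<path> Infected: <name>" or "<path> Suspicious: <name>"; the path may contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
# NTFS alternate data stream notation: <file>:<stream>:$DATA
ADS_RE = re.compile(r"^(?P<file>.+?):(?P<stream>[^:\\]+):\$DATA$")
# System Restore point folder: \System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE)
SPYBOT_RECOVERY = "\\spybot - search & destroy\\recovery\\"


def classify_location(path):
    """Where the detected object lives, which decides how it gets removed."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if SPYBOT_RECOVERY in path.lower():
        return "spybot_recovery"
    return "live"


def parse_report(text):
    """Parse the infected-object lines of a Kaspersky on-line scanner report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, statistics, blank lines
        path = m.group("path")
        ads = ADS_RE.match(path)
        rp = RESTORE_RE.search(path)
        hits.append({
            "path": path,
            "verdict": m.group("verdict"),
            "name": m.group("name"),
            "location": classify_location(path),
            "restore_point": int(rp.group("rp")) if rp else None,
            # the visible file that carries the stream, when the hit is an ADS
            "host_file": ads.group("file") if ads else path,
            "stream": ads.group("stream") if ads else None,
        })
    return hits


def remediation_plan(hits):
    """Group detections by the action that actually removes them."""
    plan = {"purge_system_restore": [], "empty_spybot_recovery": [], "clean_live_file": []}
    for h in hits:
        if h["location"] == "restore_point":
            plan["purge_system_restore"].append(h)
        elif h["location"] == "spybot_recovery":
            plan["empty_spybot_recovery"].append(h)
        else:
            plan["clean_live_file"].append(h)
    return plan


def summarize(hits):
    """Counts per location, affected restore points, ADS stream names, families."""
    return {
        "by_location": dict(Counter(h["location"] for h in hits)),
        "restore_points": sorted({h["restore_point"] for h in hits if h["restore_point"] is not None}),
        "ads_streams": sorted({h["stream"] for h in hits if h["stream"]}),
        "families": sorted({h["name"] for h in hits}),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, value in summarize(found).items():
        print(f"{key}: {value}")
    for action, items in remediation_plan(found).items():
        print(f"{action}: {len(items)} object(s)")
```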

#5 ari

ari
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 14 September 2005 - 11:59 AM

Thanks for your help,
I appreciate it!

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 14 September 2005 - 12:18 PM

Glad I could help you. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



