
Mdm.exe


This topic is locked. 6 replies to this topic.

#1 conner7 (Members, 5 posts)

Posted 10 January 2006 - 03:10 PM

I have run NAV, Spybot and Ad-aware in regular mode and in safe mode, but none of them find anything. According to the files here, mdm.exe files are undesirable and the result of a trojan (I think it was).
Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:34 PM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Turbo2Dialup\slipore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Turbo2Dialup\slipgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.torontosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.look.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by LOOK Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Turbo2Dialup\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Turbo2Dialup\slipore.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Turbo2Dialup Web Accelerator.lnk = C:\Program Files\Turbo2Dialup\slipgui.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Turbo2Dialup\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Turbo2Dialup\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.look.ca
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A1249F4-4642-40DC-92A2-890EA09D4BA4}: NameServer = 66.38.192.231 66.38.192.233
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for any help.
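As an added example (not code from the poster, the Malware Response Team or HijackThis itself), here is the first pass a reviewer makes over a log like the one above, written in Python. It parses each line into its HJT section code and flags the entries that need a human decision rather than a signature: the loopback proxy under R1 (on this machine it belongs to the Turbo2Dialup accelerator, slipore.exe, which is also visible under O4), the missing URLSearchHook, Run entries that name a bare file instead of a full path, a startup shortcut HJT could not resolve, the O17 nameservers, the Winlogon Notify DLL, and services HJT lists with "Unknown owner". The rule set and the LOG excerpt (a subset of the first log posted above) are this example's own; a flag means "verify", not "malware". For the file named in the thread title: mdm.exe under Common Files\Microsoft Shared\VS7Debug is Microsoft's Machine Debug Manager, which is why it is not a rule here.

```python
"""First-pass triage of a HijackThis 1.99 log.

Added example for this thread; it is not code from the poster, the
Malware Response Team or HijackThis itself. LOG is an excerpt copied
from the first log posted in the thread. Every line is parsed into its
HJT section code (R0, R1, O4, O23, ...) and a few rules flag entries a
reviewer has to decide on by hand. A flag means "verify", not "malware".
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 Run-key entries read "[Name] command args"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed subset of the first HijackThis log in the thread
LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Turbo2Dialup\slipore.exe"
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A1249F4-4642-40DC-92A2-890EA09D4BA4}: NameServer = 66.38.192.231 66.38.192.233
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_log(text):
    """Return [(section, body)] for every HJT entry; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def run_key_image(body):
    """Image named by an O4 Run entry: first token of the command with the
    surrounding quotes removed. Returns '' for O4 entries that are not
    Run-key entries (Global Startup shortcuts have no [Name] part)."""
    m = RUN_RE.search(body)
    if not m:
        return ""
    cmd = m["cmd"].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def review(text):
    """Return [(section, reason, body)] for entries that need a human look.
    The rules are this example's own, not part of HijackThis."""
    findings = []
    for section, body in parse_log(text):
        reason = None
        if (section in ("R0", "R1") and "ProxyServer" in body
                and re.search(r"127\.0\.0\.1|localhost", body)):
            reason = "loopback proxy: identify the local process listening on that port"
        elif section == "R3" and "missing" in body:
            reason = "default URLSearchHook missing: 'Fix checked' restores it"
        elif section == "O4":
            image = run_key_image(body)
            if body.endswith("= ?"):
                reason = "startup shortcut with unresolved target: open the .lnk and check it"
            elif image and "\\" not in image:
                reason = "bare image name resolved via PATH at logon: locate the real file"
        elif section == "O17":
            reason = "hard-coded DNS servers: confirm they belong to the ISP"
        elif section == "O20":
            reason = "Winlogon Notify DLL is loaded into winlogon.exe: confirm the vendor"
        elif section == "O23" and " - Unknown owner - " in body:
            reason = "service with no company name: check the file's version info"
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review(LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Run against the excerpt it flags seven of the ten entries and leaves ccApp, slipore.exe and vsmon alone, because each of those names a full path and carries a vendor. The point of the O4 rule is that a Run value such as `point32.exe` is resolved through PATH at logon, so the file that actually runs has to be located before it can be judged.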

#2 sUBs (Malware Response Team, 2,489 posts)

Posted 17 January 2006 - 09:03 AM

You have mentioned that you wish to update your OS to SP2. That is often a hit/miss affair. Although your log appears reasonably clean, it never hurts to do an online scan.

Before that, please do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - Default URLSearchHook is missing


Then, perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a fresh HJT log
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Edited by sUBs, 17 January 2006 - 09:03 AM.


#3 conner7 (Topic Starter, Members, 5 posts)

Posted 17 January 2006 - 11:36 AM

Oh, my. :thumbsup:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 17, 2006 11:29:38
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/01/2006
Kaspersky Anti-Virus database records: 171545
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 63904
Number of viruses found: 23
Number of infected objects: 55
Number of suspicious objects: 6
Duration of the scan process: 2163 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip/asmend.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\csimplicity.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013
C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\csimplicity.exe Infected: not-a-virus:AdWare.Win32.Gator.3013
C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\Joy theme.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013
C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\Joy theme.exe Infected: not-a-virus:AdWare.Win32.Gator.3013
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Quick.a
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.EZula.a
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0020.BIN Infected: Trojan-Dropper.Win32.Small.jh
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe Infected: Trojan-Dropper.Win32.Small.jh
C:\Program Files\filesubmit\Snow\nnez_388.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Program Files\Norton AntiVirus\Quarantine\008C618B Infected: Email-Worm.Win32.Bagle.ax
C:\Program Files\Norton AntiVirus\Quarantine\0411602F Infected: not-a-virus:AdWare.Win32.Virtumonde.p
C:\Program Files\Norton AntiVirus\Quarantine\19990C97 Infected: Email-Worm.Win32.Bagle.dt
C:\Program Files\Norton AntiVirus\Quarantine\1D0D6D7A/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\1D0D6D7A Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D4F1458 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\2D69643B/[From Toronto-HSE-ppp3698118.sympatico.ca [65.95.100.169]][Date Thu, 28 Apr 2005 10:24:00 -0400 (EDT)]/UNNAMED/[From jconner@idirect.com][Date Thu, 28 Apr 2005 10:23:23 -0700]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\2D69643B/[From Toronto-HSE-ppp3698118.sympatico.ca [65.95.100.169]][Date Thu, 28 Apr 2005 10:24:00 -0400 (EDT)]/UNNAMED/[From jconner@idirect.com][Date Thu, 28 Apr 2005 10:23:23 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\2D69643B/[From Toronto-HSE-ppp3698118.sympatico.ca [65.95.100.169]][Date Thu, 28 Apr 2005 10:24:00 -0400 (EDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\2D69643B Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3748538F/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\3748538F Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\392F784F/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\392F784F Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\462C37C5/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\462C37C5 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\4B762D21 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\4F3533C8/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\4F3533C8 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\53FF1273/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\53FF1273 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\54EF480D Infected: Trojan-Dropper.Win32.Delf.z
C:\Program Files\Norton AntiVirus\Quarantine\55353637/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\55353637 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\5B5D674C/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\5B5D674C Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\64A50CAE Infected: Email-Worm.Win32.Bagle.bo
C:\Program Files\Norton AntiVirus\Quarantine\64AC30E4/your_stuff.htm.scr Infected: Email-Worm.Win32.NetSky.c
C:\Program Files\Norton AntiVirus\Quarantine\64AC30E4 Infected: Email-Worm.Win32.NetSky.c
C:\Program Files\Norton AntiVirus\Quarantine\66805144 Infected: Trojan-Dropper.Win32.Small.lr
C:\Program Files\Norton AntiVirus\Quarantine\7853168C Infected: Trojan-Downloader.Win32.Small.bpk
C:\Program Files\Norton AntiVirus\Quarantine\7AAD2A84 Infected: not-a-virus:AdWare.Win32.Virtumonde.p
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe/WISE0015.BIN/data0002 Infected: not-a-virus:AdWare.Win32.Sidesearch.d
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Sidesearch.d
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028891.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028891.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.IGetNet
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028891.exe Infected: not-a-virus:AdWare.Win32.IGetNet
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028892.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028892.exe Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028893.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.EZula.j
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028893.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.IGetNet
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028893.exe Infected: not-a-virus:AdWare.Win32.IGetNet
C:\WINDOWS\Lycos\ss_IGN1_setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sidesearch.d
C:\WINDOWS\Lycos\ss_IGN1_setup.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.d
C:\WINDOWS\system32\drivers\etc\hosts.bho Infected: Trojan.Win32.Qhost.f

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 11:32:51 AM, on 1/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Turbo2Dialup\slipore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Turbo2Dialup\slipgui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.torontosun.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.look.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by LOOK Communications
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Turbo2Dialup\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Turbo2Dialup\slipore.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Turbo2Dialup Web Accelerator.lnk = C:\Program Files\Turbo2Dialup\slipgui.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Turbo2Dialup\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Turbo2Dialup\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.look.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137112135593
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A1249F4-4642-40DC-92A2-890EA09D4BA4}: NameServer = 66.38.192.233 66.38.192.231
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Can I just ask a question about SP2? I assumed that I should download it if I was able- should I not bother with it?

#4 sUBs (Malware Response Team, 2,489 posts)

Posted 17 January 2006 - 11:50 AM

Can I just ask a question about SP2? I assumed that I should download it if I was able- should I not bother with it?

All of my XP machines are SP2 enabled. :thumbsup:


* * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\csimplicity.exe
  • C:\Documents and Settings\James\Desktop\Data Salvage Conner 040504\Internet downloads\Joy theme.exe
  • C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe
  • C:\Program Files\filesubmit\Snow\nnez_388.exe
  • C:\WINDOWS\Lycos
  • C:\WINDOWS\system32\drivers\etc\hosts.bho
Delete the contents of these folders, leaving them empty:
  • C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
  • C:\Program Files\Norton AntiVirus\Quarantine\
* * * *


Go to Start > Run - type cleanmgr (this starts Windows Disk Cleanup)
  • Select Drive C: & click the 'OK' button
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click the 'OK' button
* * * *


(This will clear the System Volume Information folder.)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * *


When you have completed the above, go update your OS to SP2.

Reminder:
SP2 can be uninstalled if it's causing issues. Just allow it to create a backup of your system before it starts to install.


Please come back & tell me how it went. I shall keep this thread open till then.

Edited by sUBs, 17 January 2006 - 11:52 AM.
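The reply above turns a 55-object scanner report into three kinds of action: empty the quarantine folders, flush System Restore, and delete a short list of live files. As an added example (not code from the poster, the Malware Response Team or Kaspersky), the Python below does that sorting mechanically. REPORT is a constructed subset of the scan output posted above; the folder rule table QUARANTINE_DIRS and the action names are this example's own. Detections that sit inside an AV quarantine or Spybot's Recovery folder are already disarmed copies and only need the folder emptied; anything under System Volume Information lives in a restore point and disappears when System Restore is turned off and back on; what remains is a file that is still on disk and has to be removed by hand.

```python
"""Turn a Kaspersky On-line Scanner report into a clean-up plan.

Added example for this thread; not code from the poster, the Malware
Response Team or Kaspersky. REPORT is a subset of the scan output posted
in the thread. The bucketing rules mirror what the reply applied by hand;
the rule table (QUARANTINE_DIRS) and action names are this example's own.
"""
import re
from collections import defaultdict

# "<object> Infected: <name>" or "<object> Suspicious: <name>"
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")

# Folders whose contents are emptied rather than deleted item by item
QUARANTINE_DIRS = (
    r"C:\Program Files\Norton AntiVirus\Quarantine",
    r"C:\Documents and Settings\All Users\Application Data"
    r"\Spybot - Search & Destroy\Recovery",
)
RESTORE_MARKER = "\\System Volume Information\\"

# Constructed subset of the report posted in the thread
REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet3.zip/asmend.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe/WISE0020.BIN Infected: Trojan-Dropper.Win32.Small.jh
C:\Documents and Settings\James\Desktop\Internet downloads\tghighseas.exe Infected: Trojan-Dropper.Win32.Small.jh
C:\Program Files\filesubmit\Snow\nnez_388.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Program Files\Norton AntiVirus\Quarantine\1D0D6D7A/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\1D0D6D7A Infected: Email-Worm.Win32.NetSky.q
C:\System Volume Information\_restore{1AF7C26A-0142-4B4D-979A-C70AE24D0E49}\RP133\A0028886.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103
C:\WINDOWS\system32\drivers\etc\hosts.bho Infected: Trojan.Win32.Qhost.f
"""


def on_disk_path(obj):
    r"""Strip the archive-member part of an object name. The scanner reports
    a file inside an installer or archive as 'C:\dir\setup.exe/WISE0015.BIN';
    Windows paths never contain '/', so everything after the first '/' lives
    inside the file that is actually on disk."""
    return obj.split("/", 1)[0]


def parse_report(text):
    """Return [(path_on_disk, verdict, name)]; header and statistics lines
    never match DETECTION_RE and are skipped."""
    records = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            records.append((on_disk_path(m["obj"]), m["verdict"], m["name"]))
    return records


def classify(path):
    """Map an on-disk path to (action, target) using the thread's rules."""
    lowered = path.lower()
    for folder in QUARANTINE_DIRS:
        if lowered.startswith(folder.lower()):
            return "empty_folder", folder
    if RESTORE_MARKER.lower() in lowered:
        drive = path.split("\\", 1)[0] + "\\"
        return "flush_restore_points", drive
    return "delete_file", path


def triage(text):
    """Group targets by action; an archive and its members collapse to one."""
    plan = defaultdict(set)
    for path, _verdict, _name in parse_report(text):
        action, target = classify(path)
        plan[action].add(target)
    return {action: sorted(targets) for action, targets in plan.items()}


def summary(text):
    """Records per verdict, plus the distinct detection names seen."""
    records = parse_report(text)
    counts = defaultdict(int)
    for _path, verdict, _name in records:
        counts[verdict] += 1
    return dict(counts), sorted({name for _, _, name in records})


if __name__ == "__main__":
    for action, targets in triage(REPORT).items():
        print(action)
        for target in targets:
            print("   ", target)
```

On the excerpt the eight report lines collapse to three files to delete (tghighseas.exe, nnez_388.exe and hosts.bho), two folders to empty, and one drive whose restore points need flushing, which is the same shape as the instructions above. The archive-member split matters: `tghighseas.exe/WISE0020.BIN` and `tghighseas.exe` are one file on disk, and deleting the outer installer removes every member reported inside it.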


#5 conner7 (Topic Starter, Members, 5 posts)

Posted 17 January 2006 - 02:08 PM

Everything went well, except I can't seem to convince SP2 to download. Ahh, the joys of dial-up. I'll keep trying.

#6 sUBs (Malware Response Team, 2,489 posts)

Posted 17 January 2006 - 02:13 PM

SP2 is a huge download if you're on dialup.

If you have a friend who has cable/broadband have him download it for you & burn it onto a cd. The installer file for complete offline installation is 266MB. It may be downloaded here > http://www.microsoft.com/downloads/details...&displaylang=en

Edited by sUBs, 17 January 2006 - 02:14 PM.


#7 conner7 (Topic Starter, Members, 5 posts)

Posted 21 January 2006 - 01:37 PM

We decided not to download SP2 right now, so you can consider this one "case closed." :thumbsup:

Thanks so much for your help.



