
Badly Infected Computer Cleaned Up?


39 replies to this topic

#1 Margarete

Margarete

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:52 PM

Posted 22 January 2006 - 08:29 AM

Hi,

A friend connected her computer (that she had inherited from someone else) to broadband for her first Internet experience and was instantly infected with about a million things.

I am trying to restore her faith in computers and the Internet and have attempted to remove all the nasties that must have been waiting on her computer. Sorry that I don't have a list, but it was about 40 Trojans, worms and other malware and some hijackers, which is why some of them kept coming back.

I believe I have now gotten everything. The system is now running BitDefender, ZoneAlarm and Spybot TeaTimer. We also ran AVG Antivirus, AntiVir and Ad-Aware, and each program found something. I had trouble getting HouseCall to run.

I would like to make sure there is nothing else hiding before I return the computer.

Here is the log, thank you!!!:

Logfile of HijackThis v1.99.1
Scan saved at 14:18:23, on 22.01.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [objupdate] C:\WINDOWS\System32\msucom.exe
O4 - HKLM\..\Run: [Windows pad] qpad.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\RunServices: [Windows pad] qpad.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows pad] qpad.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows pad] qpad.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 Mat2

Malware Fighter

Posted 22 January 2006 - 04:17 PM

Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.
Please note the following:
  • I will be working on your malware issues. This may or may not solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.

Mat2




#3 Mat2

Malware Fighter

Posted 22 January 2006 - 04:32 PM

Welcome,
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

First:

We'll need to unload Spybot's TeaTimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom of the screen, then select "Exit".

===============

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

==================

Go to Add/Remove Programs and remove (uninstall) the following, if present:

TSCash

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HijackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [objupdate] C:\WINDOWS\System32\msucom.exe
O4 - HKLM\..\Run: [Windows pad] qpad.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\RunServices: [Windows pad] qpad.exe
O4 - HKCU\..\Run: [Windows pad] qpad.exe
O4 - HKCU\..\RunServices: [Windows pad] qpad.exe

O15 - Trusted Zone: *.elitemediagroup.net

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Using Windows Explorer (Start > All Programs > Accessories), locate and delete the following item(s), if present.

files...

C:\WINDOWS\System32\msucom.exe
C:\windows\winsysupd.exe
C:\windows\winsysban.exe

Search for...

qpad.exe

...using "Start | Search...".

===============

Post back a new HJT log & ewido log, and let me know how everything goes.
Mat2
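An added example, not part of this thread and not HijackThis code: it applies the pattern behind the fix list above to a HijackThis log (search keys reset to about:blank, autostarts with no path or sitting in the Windows root, RunServices keys, any Trusted Zone entry, DPF controls from hosts outside an allowlist or with no URL left) and diffs a follow-up log against the first to show what was removed and what is new. The sample logs are a constructed subset of the logs in this thread; the DPF host allowlist is an assumption.

```python
"""Triage a HijackThis v1.99 log and compare two logs from the same machine.

These flags only catch structural oddities; an autostart with a plausible
path (msucom.exe under System32, say) still needs name-based research.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? - ?(?P<url>.*)$")

# Hosts this machine is expected to fetch ActiveX controls from (assumption).
DPF_ALLOWED_HOSTS = {"update.microsoft.com", "eu-housecall.trendmicro-europe.com"}


def parse_entries(log):
    """Yield (section, rest, line) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), line.strip()


def _exe_path(cmd):
    """Strip surrounding quotes and trailing switches from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /", 1)[0]


def triage(log):
    """Return [(section, reason, line)] for entries worth researching or fixing."""
    findings = []
    for section, rest, line in parse_entries(log):
        if section in ("R0", "R1") and rest.lower().endswith("= about:blank"):
            findings.append((section, "search setting reset to about:blank", line))
        elif section == "O4":
            m = O4_RE.match(rest)
            if not m:          # Global Startup .lnk lines have a different shape
                continue
            path = _exe_path(m.group("cmd"))
            if "\\" not in path:
                findings.append((section, "bare filename, no install location", line))
            elif "runservices" in m.group("key").lower():
                findings.append((section, "RunServices key (Win9x-era autostart)", line))
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path.lower()):
                findings.append((section, "executable directly in Windows root", line))
        elif section == "O15":
            findings.append((section, "Trusted Zone entry", line))
        elif section == "O16":
            m = O16_RE.match(rest)
            host = urlparse(m.group("url").strip()).hostname if m else None
            if not host:
                findings.append((section, "DPF control with no source URL", line))
            elif host not in DPF_ALLOWED_HOSTS:
                findings.append((section, f"DPF control from {host}", line))
    return findings


def diff_logs(before, after):
    """Return (removed, added) entry lines between two logs of the same machine."""
    b = {line for _, _, line in parse_entries(before)}
    a = {line for _, _, line in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


# Constructed subset of the first log posted in the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [objupdate] C:\WINDOWS\System32\msucom.exe
O4 - HKLM\..\Run: [Windows pad] qpad.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\RunServices: [Windows pad] qpad.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
"""

# Constructed subset of the follow-up log after the fixes were applied.
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    for section, reason, line in triage(LOG_BEFORE):
        print(f"{section:<4}{reason:<42}{line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries gone, {len(added)} new; leftovers to research:")
    for section, reason, line in triage(LOG_AFTER):
        print(f"{section:<4}{reason:<42}{line}")
```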




#4 Margarete


Posted 22 January 2006 - 05:22 PM

Dear Mat2

Thank you very much for your reply!

That is exactly why I posted, because I had the feeling that the absence of symptoms in this case did not mean that all was well. I have never seen an infection as bad as this; who knows where this computer has been before my friend got it....

I will follow your instructions and report back to you. Just one quick question: I should search for qpad.exe and then do what, and what is it? Also, is winsysupd.exe the Windows updater, or is it something else? (OK, so it was two questions ;-)

Thanks again!
Ariane

#5 Mat2

Malware Fighter

Posted 22 January 2006 - 05:35 PM

Hi

Thanks for your response.

Just one quick question: I should search for qpad.exe and then do what, and what is it? Also, is winsysupd.exe the Windows updater, or is it something else? (OK, so it was two questions ;-)


The qpad.exe file, once you have found it, just needs deleting. This file relates to some form of virus.

The winsysupd.exe file is no relation to the Windows updater; it belongs to a form of malware.

I hope this helps you
Mat2




#6 Margarete


Posted 24 January 2006 - 04:05 AM

Hi Mat2

Well, this was fun... ;-)

Here is a summary, all the logs are pasted toward the end:

1. I installed and ran Ewido which found nothing (see log below)

2. There was no program named TSCash to uninstall

3. I ran HijackThis and fixed the items you listed.
"O4 - HKLM\..\RunServices: [Windows pad] qpad.exe" later re-appeared and I had HijackThis fix it again. (final HijackThis log see below)

4. C:\WINDOWS\System32\msucom.exe, C:\windows\winsysupd.exe, C:\windows\winsysban.exe
were not at these locations. However, a search revealed numerous references to winsysban and winsysupd in the Prefetch and Recycle folders, which I deleted.
Additionally, winsysban sits in the Quarantine folder of BitDefender and cannot be deleted manually or cleared via BitDefender!!

5. qpad.exe was not found on the system.

6. For good measure I scanned the system again with BitDefender and, lo and behold, found a whole new virus that wasn't there before (as I said... it has been fun).

Here is the BitDefender log:


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Erstellt am: 24/01/2006 07:54:01
//
//-----------------------------------------------------------------


Statistik

Pfad : C:\
Ordner : 2076
Dateien : 181326
Archive : 751
Komprimierte Dateien : 24597
Erkannte Viren : 5
Infizierte Dateien : 9
Warnungen : 0
Verdächtige Dateien : 0
Desinfizierte Dateien : 0
Gelöschte Dateien : 4
Kopierte Dateien : 0
Verschobene Dateien : 1
Umbenannte Dateien : 0
I/O Fehler : 27
Prüfzeit : 00:46:51
Prüfgeschwindigkeit (Dateien/Sekunde) : 64

Virusdefinitionen : 39329991
Scan Plug-Ins : 15
Archiv Plug-Ins : 42
Archiv Plug-Ins : 4
E-Mail Plug-Ins : 6
System Plug-Ins : 5

Prüf-Optionen

Erkennung
[X] Boot-Sektoren prüfen
[X] Archive prüfen
[X] Komprimierte Dateien prüfen
[X] E-Mails prüfen

Dateimaske
[ ] Programme
[X] Alle Dateien
[ ] Benutzerdefinierte Erweiterungen:
[ ] Ausgeschlossene Erweiterungen: ;

Aktion

Infizierte Objekte
[ ] Ignorieren
[X] Desinfizieren
[ ] Löschen
[ ] In die Quarantäne kopieren
[ ] In die Quarantäne verschieben
[ ] Umbenennen
[ ] Benutzer abfragen

Zweite Aktion
[ ] Ignorieren
[ ] Löschen
[ ] In die Quarantäne kopieren
[X] In die Quarantäne verschieben
[ ] Umbenennen
[ ] Benutzer abfragen

Prüf-Optionen
[X] Warnungen aktiviert
[X] Heuristik aktiviert
[ ] Alle Dateien im Bericht anzeigen
[X] Berichtsdatei: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1138085641.log


Zusammenfassung:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Infiziert mit: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Desinfizieren fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Verschieben fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Infiziert mit: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Gelöscht
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Infiziert mit: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Gelöscht
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0013 Entdeckt: Application.Targetsavers.B
C:\WINDOWS\system32\s3rv1ce.exe Infiziert mit: Backdoor.SDBot.ALA
C:\WINDOWS\system32\s3rv1ce.exe Desinfizieren fehlgeschlagen
C:\WINDOWS\system32\s3rv1ce.exe Verschoben
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Infiziert mit: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Desinfizieren fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Verschieben fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Infiziert mit: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Gelöscht
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Infiziert mit: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Gelöscht
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0013 Entdeckt: Application.Targetsavers.B


================================

Here is the ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 06:49:25, 24.01.2006
+ Report-Checksum: 47C446E8

+ Scan result:

No infected objects found.


::Report End

=====================================

Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:34:40, on 24.01.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

==============================


I have the feeling that the "winsysban" in the quarantine folder of BitDefender could be a problem, especially because it is not in the usual quarantine format. When I open the quarantine folder manually I immediately get a warning from BitDefender that the winsysban virus has been blocked.


Please let me know how we are doing.

Thank you very much for your help!!!
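An added example, not BitDefender's code and not from this thread: it reads the "Zusammenfassung" section of a BitDefender 9 log like the one above, groups the result lines by container file, and separates files that were really deleted or quarantined from files that are still on disk because disinfection, move or archive update failed; a file in the second group is reported again by every following scan. The log lines are a constructed subset of the scan posted above.

```python
"""Summarise the 'Zusammenfassung' section of a BitDefender 9 scan log (German UI).

Each result line names an object, optionally an archive or installer member
after '=>', followed by one status phrase. A member marked 'Gelöscht' is only
really gone if the container was rewritten; 'Update fehlgeschlagen' on the
container means the file on disk is unchanged.
"""
import re
from collections import defaultdict

STATUS = (
    r"Infiziert mit: .+|Entdeckt: .+|Desinfizieren fehlgeschlagen"
    r"|Verschieben fehlgeschlagen|Update fehlgeschlagen|Gelöscht|Verschoben"
)
RESULT_RE = re.compile(rf"^(?P<obj>.+?) (?P<status>{STATUS})$")
REMOVED = {"Gelöscht", "Verschoben"}   # the file itself is no longer at its path


def parse_results(log):
    """Yield (container, member_or_None, status) for lines after 'Zusammenfassung'."""
    in_summary = False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Zusammenfassung"):
            in_summary = True
            continue
        m = RESULT_RE.match(line) if in_summary and line else None
        if m:
            container, _, member = m.group("obj").partition("=>")
            yield container, member or None, m.group("status")


def summarise(log):
    """Map each container path to its threat names, removal state and failed actions."""
    report = defaultdict(lambda: {"threats": set(), "removed": False, "failures": []})
    for container, member, status in parse_results(log):
        entry = report[container]
        if status.startswith(("Infiziert mit: ", "Entdeckt: ")):
            entry["threats"].add(status.split(": ", 1)[1])
        elif member is None and status in REMOVED:
            entry["removed"] = True   # whole file deleted or moved to quarantine
        elif status.endswith("fehlgeschlagen"):
            entry["failures"].append((member or "<file>", status))
    return dict(report)


def unresolved(log):
    """Paths with detections that were neither deleted nor quarantined."""
    return sorted(p for p, e in summarise(log).items() if not e["removed"])


# Constructed subset of the BitDefender log posted above.
SCAN_LOG = r"""
Zusammenfassung:

C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Infiziert mit: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Desinfizieren fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Verschieben fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Infiziert mit: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Gelöscht
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0013 Entdeckt: Application.Targetsavers.B
C:\WINDOWS\system32\s3rv1ce.exe Infiziert mit: Backdoor.SDBot.ALA
C:\WINDOWS\system32\s3rv1ce.exe Desinfizieren fehlgeschlagen
C:\WINDOWS\system32\s3rv1ce.exe Verschoben
"""

if __name__ == "__main__":
    for path, entry in summarise(SCAN_LOG).items():
        state = "removed" if entry["removed"] else "STILL ON DISK"
        print(f"{state:<14}{path}")
        print(f"{'':14}threats: {', '.join(sorted(entry['threats']))}")
        for member, status in entry["failures"]:
            print(f"{'':14}failed: {member} {status}")
    print("\nWill be reported again:", unresolved(SCAN_LOG))
```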

#7 Mat2

Malware Fighter

Posted 24 January 2006 - 04:24 AM

Hi

Thanks for the new logs. Yes, it can be fun and also frustrating trying to remove all these nasties. In your case we are winning. I would recommend you empty the quarantine section of your AV.

On with the next stage.

===============

We'll need to unload Spybot's TeaTimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom of the screen, then select "Exit".

===============

Run HijackThis and click "Scan", then check (tick) the following, if present:

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\WINDOWS\System32\PSSDNSVC.EXE
Click Open
Please let me know the results.

================

Post back a new log, and let me know how everything goes.
Mat2




#8 Margarete


Posted 24 January 2006 - 08:13 AM

Thanks Mat2

I will move on to stage two as soon as I get home tonight.

<<I would recommend you empty the quarantine section of your AV.>> The problem with this is that I can't. I had already emptied the quarantine section in BitDefender. It now shows as empty within the program. But winsysban.exe still sits in the folder under C > Program Files > BitDefender > Quarantine. I tried to manually delete it from Explorer, but it won't let me. It also can't be moved.

Thanks
Ariane

#9 Margarete


Posted 24 January 2006 - 11:36 PM

Ok, so here it goes:

First a list of current symptoms that I can detect:

Remember the original items we had HijackThis fix? As requested, I had the Spybot TeaTimer turned off. Now, on startup, TeaTimer wants to confirm each of these registry changes... each time I start the computer. Is this normal? Shouldn't it be enough to confirm these changes once?

Random blue screen crashes...mostly when ZoneAlarm or BitDefender are trying to do something...so this might be related to other issues on this computer

Winsysban.exe in the Quarantine folder of BitDefender that cannot be deleted or moved.

=========

I did run HijackThis to fix the additional entry (see newest log below)

I also ran PSSDNSVC.EXE through http://virusscan.jotti.org/ but it didn't find anything
Here is the log:
Service load: 0% 100%
File: PSSDNSVC.EXE
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 1118e2eabd7fa428d75b636079f22771
Packers detected:
-
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

However, I do agree with you that the file looks suspicious, so I googled a bit and found the following posting on a German site (the file has many more hits in German, btw.)

(Clumsy translation by me ;-):

<<Panda spit out the following:
Psshutdown.A is a hacking tool that allows a hacker to shut down or restart the victim's computer (similarly to the Unix "shutdown" command). Restarting the computer could cause loss of all the information that has not been saved. Psshutdown.A can be used by several worms and Trojans with malicious intentions.

Since it is a simulated service many scanners regard this file as insignificant. I deleted the service and now everything is fine.>>

I wanted to run another online virus scan anyway to see if it can remove the "winsysban.exe" from the quarantine folder. So I am going to do the Panda online scan now and we'll see what it finds.

Oh, and here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 05:16:39, on 25.01.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Thank you for your help!!!

PS: Is there a way for me to track this thread? I am having a hard time finding it each time. Thanks

Edited by Margarete, 24 January 2006 - 11:38 PM.


#10 Margarete


Posted 25 January 2006 - 07:20 AM

Update:

HELP!!!!!!!

Bad news, I fear. Below please find the logs of the Panda scan, which found things but didn't do anything about them, and of the BitDefender scan that I did again this morning. Here is the bad news: BitDefender found the same things it already removed in the last scan, mostly in temp files.

The only good news is that I finally was able to empty that nasty out of the quarantine folder and I no longer get the spybot teatimer confirm notices on startup.

Here is the Panda log:

Ereignis Zustand Standort

Adware:adware/dollarrevenue Nicht desinfiziert C:\WINDOWS\enewsletterpro1.dat
Spyware:spyware/media-motor Nicht desinfiziert Windows-Registry
Potenziell unerwünschtes Tool:Application/Psshutdown.A Nicht desinfiziert C:\WINDOWS\system32\PSSDNSVC.EXE
Adware:Adware/Sqwire Nicht desinfiziert C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe

Additionally this is from the Panda website
Brief Description

Psshutdown.A is a hacking tool. Though these programs are legal and useful tools when they are appropriately used, a hacker could take advantage of them in order to carry out malicious actions.

Psshutdown.A is a program that allows shutting down or restarting the computer. It is very similar to the Unix command shutdown.

Psshutdown.A is not a risk if the user runs it consciously, but it is also used by several worms and Trojans with malicious intentions. Restarting the computer would turn into losing the unsaved information.


Visible Symptoms

Psshutdown.A is difficult to recognize, as it does not show any messages or warnings that indicate it has reached the computer.

And here is my BitDefender log from this morning showing my re-infection:


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 25/01/2006 08:19:41
//
//-----------------------------------------------------------------


Statistics

Path : C:\
Folders : 2087
Files : 182908
Archives : 777
Packed files : 24706
Viruses detected : 4
Infected files : 8
Warnings : 0
Suspicious files : 0
Disinfected files : 0
Deleted files : 4
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 26
Scan time : 00:52:07
Scan speed (files/second) : 58

Virus definitions : 14430865
Scan plug-ins : 15
Archive plug-ins : 42
Archive plug-ins : 4
E-mail plug-ins : 6
System plug-ins : 5

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan e-mails

File mask
[ ] Programs
[X] All files
[ ] Custom extensions:
[ ] Excluded extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Warnings enabled
[X] Heuristics enabled
[ ] Show all files in report
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1138173581.log


Summary:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Infected with: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Move failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Infected with: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Deleted
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Infected with: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Deleted
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0013 Detected: Application.Targetsavers.B
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Infected with: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Disinfection failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Move failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Infected with: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Deleted
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Infected with: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Deleted
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0013 Detected: Application.Targetsavers.B


Please help, I really would like to return this computer to my friend, but I can't as long as it keeps re-infecting itself.

Please let me do what I should do next.

Many Thanks!!!

#11 Mat2 (Malware Fighter, Derbyshire, UK)

Posted 25 January 2006 - 09:40 AM

Hi

Thanks for the update.

The latest log is looking good.

And thanks for the translation; it looks like the Panda scan is finding things in the temp files, which we are going to clean out.

Additionally this is from the Panda website
Brief Description

Psshutdown.A is a hacking tool. Though these programs are legal and useful tools when they are appropriately used, a hacker could take advantage of them in order to carry out malicious actions.

Psshutdown.A is a program that allows shutting down or restarting the computer. It is very similar to the Unix command shutdown.

Psshutdown.A is not a risk if the user runs it consciously, but it is also used by several worms and Trojans with malicious intentions. Restarting the computer would mean losing unsaved information.

Visible Symptoms

Psshutdown.A is difficult to recognize, as it does not show any messages or warnings that indicate it has reached the computer.


With regard to the above info, I recommend that this file is removed as well.

Here is the next stage

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present.

files...

C:\WINDOWS\System32\PSSDNSVC.EXE

===============

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============

Post back a new log, and let me know how everything goes.
Mat2




#12 Mat2 (Malware Fighter, Derbyshire, UK)

Posted 25 January 2006 - 09:42 AM

ps

To track this topic, click on the Options button on your original post. A drop-down menu will appear; then select Track this topic.
Mat2




#13 Margarete (Topic Starter)

Posted 25 January 2006 - 09:08 PM

Hi Mat2,

Unfortunately it did not work.. :-((

1. I did remove Psshutdown

2. I downloaded and ran ATF-Cleaner as described

I restarted

3. I ran a Spybot scan which came out clean

4. I ran an Adaware scan: When the deep scan reached the system restore files, my resident BitDefender popped up informing me that it had blocked a virus at
File c:\system volume information\_restore{fe8f75f4-d9fe-489d-a451-aab27e43f235}\rp83\a0007158.exe
infected with Trojan.Downloader.Adload.K.
Adaware froze and I had to stop the scan.

This probably means that one or more of the system restore points are bad and infected. Is there a way to get rid of that?


5. For good measure, and because of what happened under 4., I ran another scan with BitDefender and, lo and behold, it found exactly the same things as before in the temp folders, even though I thought we had just cleaned the temp folders with ATF.


Here is the log of the BitDefender scan:

//-----------------------------------------------------------------
//
// Product: BitDefender 9 Internet Security
// Version: 9.0
//
// Created on: 26/01/2006 01:53:00
//
//-----------------------------------------------------------------


Statistics

Path : C:\
Folders : 2009
Files : 176849
Archives : 728
Packed files : 24657
Viruses detected : 4
Infected files : 8
Warnings : 0
Suspicious files : 0
Disinfected files : 0
Deleted files : 4
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 27
Scan time : 00:44:37
Scan speed (files/second) : 66

Virus definitions : 267854
Scan plug-ins : 15
Archive plug-ins : 42
Archive plug-ins : 4
E-mail plug-ins : 6
System plug-ins : 5

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan e-mails

File mask
[ ] Programs
[X] All files
[ ] Custom extensions:
[ ] Excluded extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Warnings enabled
[X] Heuristics enabled
[ ] Show all files in report
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1138236779.log


Summary:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Infected with: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Move failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Infected with: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Deleted
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Infected with: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Deleted
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0013 Detected: Application.Targetsavers.B
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Infected with: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Disinfection failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Move failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Infected with: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Deleted
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Infected with: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Deleted
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update failed
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0013 Detected: Application.Targetsavers.B


Here is the latest HijackThis scan, which despite the above looks pretty clean to me:

Logfile of HijackThis v1.99.1
Scan saved at 02:39:53, on 26.01.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Any idea why the infection came back yet again???

Thank you so much!!

#14 Margarete (Topic Starter)

Posted 25 January 2006 - 09:30 PM

Quick update:

Out of curiosity I ran the ATF-Cleaner again and then

I scanned the relevant directories with BitTorrent again.
(This time without restart or any other scans in between)

The results were exactly the same as above and BitTorrent found exactly what is shown in the log above.....

:-(((

I just realized that the BitDefender log is in German. Basically it shows that all the files mentioned in the summary at the end are baddies. The program first tried to either delete or move them, which mostly failed. Here is a quick translation:

Infiziert mit = infected with
Desinfizieren fehlgeschlagen = disinfection failed
Verschieben fehlgeschlagen = moving failed
Gelöscht = deleted
Update fehlgeschlagen = update failed

Hope this helps.

Edited by Margarete, 25 January 2006 - 09:35 PM.
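Read as a whole rather than line by line, both BitDefender summaries in this thread say the same thing: every detection sits inside one of two copies of tsinstall_4_0_4_0_b4.exe, and the lines that decide the outcome are the ones reporting that the move and the archive update failed. The script below is an added example (mine, not code from the thread, BleepingComputer or BitDefender) that parses such a summary and reports, per container file, what was found and whether anything actually left the disk. The sample lines are copied from the summary posted above; the outcome vocabulary (German and English) and the reading that "Update failed" means the installer archive was left untouched on disk are my assumptions, marked in the code.

```python
import re
from collections import defaultdict

# Outcome phrases as BitDefender 9 writes them in its scan summary. The log in
# this thread is from the German build; the English phrases are the equivalents
# so the parser accepts either. (Assumed vocabulary, taken from the posted log.)
OUTCOMES = {
    "infiziert mit": "detected", "infected with": "detected",
    "entdeckt": "detected", "detected": "detected",
    "desinfizieren fehlgeschlagen": "disinfect_failed",
    "disinfection failed": "disinfect_failed",
    "verschieben fehlgeschlagen": "move_failed", "move failed": "move_failed",
    "gelöscht": "deleted", "deleted": "deleted",
    "update fehlgeschlagen": "update_failed", "update failed": "update_failed",
}
_ALT = "|".join(re.escape(k) for k in sorted(OUTCOMES, key=len, reverse=True))
LINE_RE = re.compile(rf"^(?P<obj>.+?)\s+(?P<outcome>{_ALT})(?::\s*(?P<name>.+?))?\s*$",
                     re.IGNORECASE)

# Summary lines copied from the BitDefender scan log posted in this thread.
SAMPLE_LOG = r"""
Zusammenfassung:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Infiziert mit: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Desinfizieren fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0010 Verschieben fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Infiziert mit: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0011 Gelöscht
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Infiziert mit: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0012 Gelöscht
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe Update fehlgeschlagen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RE9Q2MFO\tsinstall_4_0_4_0_b4[1].exe=>wise0013 Entdeckt: Application.Targetsavers.B
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Infiziert mit: Trojan.Downloader.Tsupdate.N
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Desinfizieren fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0010 Verschieben fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Infiziert mit: Trojan.Downloader.TSUpdate.P
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0011 Gelöscht
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Infiziert mit: Trojan.Downloader.TSUpdate.L
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0012 Gelöscht
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe Update fehlgeschlagen
C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe=>wise0013 Entdeckt: Application.Targetsavers.B
"""


def parse(log_text):
    """Yield (container, member, outcome, name) for every result line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # statistics, option and blank lines
        container, _, member = m.group("obj").partition("=>")
        yield container, member or None, OUTCOMES[m.group("outcome").lower()], m.group("name")


def triage(log_text):
    """Per container file: what was found, what actually got removed, and a verdict."""
    state = defaultdict(lambda: {"found": {}, "deleted": set(),
                                 "failed": set(), "update_failed": False})
    for container, member, outcome, name in parse(log_text):
        s = state[container]
        if outcome == "detected":
            s["found"][member] = name
        elif outcome == "deleted":
            s["deleted"].add(member)
        elif outcome in ("disinfect_failed", "move_failed"):
            s["failed"].add(member)
        else:  # update_failed is reported against the container itself
            s["update_failed"] = True

    report = {}
    for container, s in state.items():
        # My reading of the log, not a documented BitDefender rule: a member
        # "deleted" inside an installer archive only disappears if the scanner
        # can rewrite the archive afterwards. "Update failed" on the container
        # means that rewrite did not happen, so the file on disk is unchanged
        # and every detection comes back on the next scan.
        left = set(s["found"]) - s["deleted"]
        unresolved = s["update_failed"] or bool(s["failed"]) or bool(left)
        report[container] = {
            "detections": len(s["found"]),
            "members_deleted": len(s["deleted"]),
            "update_failed": s["update_failed"],
            "verdict": ("container unchanged on disk, will be re-detected"
                        if unresolved else "cleaned"),
        }
    return report


if __name__ == "__main__":
    for path, r in triage(SAMPLE_LOG).items():
        print(path)
        for k, v in r.items():
            print(f"  {k}: {v}")
```

Run against the posted summary it reports both containers with 4 detections, 2 members marked deleted and an update failure each, i.e. nothing changed on disk, which is why the next scan (and the one after ATF Cleaner) finds exactly the same lines. The practical consequence is to get rid of the two container files themselves, whether by hand or with a scanner that deletes the whole archive, rather than rely on in-archive disinfection.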


#15 Mat2 (Malware Fighter, Derbyshire, UK)

Posted 26 January 2006 - 04:37 AM

Hi

Thanks for the new logs and the translation. Looking at the BitDefender log, it seems we need to use a different virus scanning program; a lot of the infections BitDefender does not clean. Also, there is a way to clean out all the restore points, which we will need to do later. :thumbsup:

=============

Disable TeaTimer:

Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable TeaTimer:
  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again.

Also

Disable Ewido:

Please disable Ewido, as it may interfere with the fix.

To disable Ewido:

From the system tray:
  • Right-click the system tray icon and uncheck real time protection.

    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.

Once your log is clean you can re-enable Ewido.

===============

Next job goto Symantec Online Virus scanner

Under Virus Detection press Start. Let it clean out anything it finds, and please tell me anything it finds.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -

O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let me know how everything goes.
Mat2



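One way to read the O23 and O16 lines of the HijackThis log posted above, as an added example (mine, not code from the thread, HijackThis or BleepingComputer): it cross-checks every service marked "(file missing)" against the Running processes block. The four BitDefender services carry that flag although their binaries are running, so there the flag is the log parser stumbling over a quoted ImagePath with an argument (the stray `"` before `/service` shows it); PsShutdownSvc is the real orphan, and the DPF entry with no URL is the empty one Mat2 lists for fixing. The excerpt is copied from the log above; the regexes and the artifact explanation are my assumptions.

```python
import re

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<rest>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Excerpt of the HijackThis 1.99.1 log posted in this thread (26.01.2006).
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137155701134
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PsShutdown (PsShutdownSvc) - Unknown owner - C:\WINDOWS\System32\PSSDNSVC.EXE (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
"""


def running_processes(lines):
    """Basenames from the 'Running processes:' block, which ends at the first blank line."""
    names, inside = set(), False
    for ln in lines:
        if ln.startswith("Running processes:"):
            inside = True
        elif inside:
            if not ln:
                break
            names.add(ln.rsplit("\\", 1)[-1].lower())
    return names


def triage_hjt(log_text):
    """Classify O23 service entries and O16 DPF entries of a HijackThis log."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    running = running_processes(lines)
    services, dpf = [], []
    for ln in lines:
        m = O23_RE.match(ln)
        if m:
            rest = m.group("rest")
            missing = rest.endswith("(file missing)")
            pm = EXE_RE.search(rest)
            exe = pm.group(1) if pm else rest
            if not missing:
                verdict = "ok"
            elif exe.rsplit("\\", 1)[-1].lower() in running:
                # The binary is live, so "(file missing)" is (my reading) HijackThis
                # 1.99.1 tripping over a quoted ImagePath plus argument, not an
                # orphaned service. Leave these entries alone.
                verdict = "artifact"
            else:
                verdict = "orphan"  # registered, not on disk, not running: fix the O23 entry
            services.append({"short": m.group("short") or m.group("name"),
                             "exe": exe, "file_missing": missing, "verdict": verdict})
            continue
        m = O16_RE.match(ln)
        if m:
            dpf.append({"clsid": m.group("clsid"), "url": m.group("url"),
                        "verdict": "ok" if m.group("url") else "empty"})
    return {"services": services, "dpf": dpf}


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_HJT)
    for s in result["services"]:
        print(f"O23 {s['short']:<32} {s['verdict']:<9} {s['exe']}")
    for d in result["dpf"]:
        print(f"O16 {d['clsid']} {d['verdict']:<9} {d['url'] or '(no URL)'}")
```

The point of the cross-check is to avoid over-fixing: ticking the four BitDefender O23 lines in HijackThis would strip the service registrations of a product that is demonstrably running, while the two entries that actually need fixing (the PsShutdown service with no binary and the DPF with no URL) are exactly the ones the script singles out.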



