Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Amaena/blackworm Infection - Please Help!


  • This topic is locked This topic is locked
5 replies to this topic

#1 creeper1

creeper1

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 20 March 2006 - 03:50 PM

Hello!

I just scanned my computer with six different spyware removal tools but still Amaena/Blackworm infection windows keep popping up. I also read your forum guideliness biu without success. Please analyse my Hijackthis log. Thank you very much!

Samo Granda

Logfile of HijackThis v1.99.1
Scan saved at 21:48:59, on 20.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ewido\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Virusi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B3C6E49-41D7-47C8-BE4F-771EC620D71C}: NameServer = 213.143.65.11,213.143.65.12
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\ir20l5fm1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 AM

Posted 27 March 2006 - 10:32 AM

Hello and welcome to the forum. Sorry about the wait, let me assure you the volunteers are doing their best. CastleCops says this:
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\ir20l5fm1.dll
is: Winlogon Notify MS-DOS Emulation, Nls, OemStartMenuData, OfficeUpdate,
OptimalLayout, policies, Reinstall, Reliability X random named dll in the System32 folder Variant of Adware.Look2Me

So we will remove it first and see how you are running. As far as any blackworm infection, SifuMike has kindly posted tools that you can use to remove it if it is there in this link.
http://www.bleepingcomputer.com/forums/ind...showtopic=46546

Please follow the directions carefully if you wish to be successful.

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it

start>run sc start schedule press enter.

Post the two logs bolded above and I'll see if there is anything else to do. Please include your comments.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 creeper1

creeper1
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 27 March 2006 - 12:19 PM

Thank you very much! It seems that annoying popups had gone! Nevertheless I'm sending you the two required logs. Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 19:03:41, on 27.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Virusi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B3C6E49-41D7-47C8-BE4F-771EC620D71C}: NameServer = 213.143.65.11,213.143.65.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 27.3.2006 19:12:01

Infected! C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002320.dll
Infected! C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002321.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002320.dll
C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002320.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002321.dll
C:\System Volume Information\_restore{82BE2191-B471-4851-A996-402B6F1FB96F}\RP68\A0002321.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#4 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 AM

Posted 27 March 2006 - 12:47 PM

Thanks for returning the information. Since that is a nasty infection and you have the tool, let's make a quick check:

1) I have no objections to your calling the HJT folder "Virusi" but keep in mind HJT needs its own folder and store nothing else in it. I also do not know D:\ is a drive that HJT need to be on. If D:\ is not a drive, please move HJT to C:\

2) I see ewido onboard, open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = G.?AVCW

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) (next step is optional, if you clear Prefetch yourself, skip it, if not read the link and proceed)
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

5) If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

6) C:\Program Files\Java\j2re1.4.1\ <<< is outdated and a security issue, please see this link: http://forums.spybot.info/showthread.php?t=2559

Restart the computer and post the ewido scan report and a new HJT log for a final look, please include any comments you have.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 creeper1

creeper1
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:24 PM

Posted 28 March 2006 - 12:23 PM

Just did all you proposed. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 19:19:50, on 28.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\msiexec.exe
C:\HiJackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B3C6E49-41D7-47C8-BE4F-771EC620D71C}: NameServer = 213.143.65.11,213.143.65.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:54:24, 28.3.2006
+ Report-Checksum: 5C0B011B

+ Scan result:

C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Samo\Local Settings\Temp\Cookies\samo@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\Temp\Cookies\samo@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\samo@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\samo@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\samo@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\WINDOWS\Temp\Cookies\samo@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CPQFS5IJ\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup


::Report End

#6 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 AM

Posted 28 March 2006 - 01:04 PM

Hello Samo, good job :thumbsup: the trojan is gone, your HJT log is clean and ewido was able to clean everything it found. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you own it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Safe surfing...Phil :flowers:

Thanks...pskelley
BleepingComputer
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users