
Win32:trojano-3295, Ms06-0001 Wmf Exploit

1 reply to this topic

#1 parrotplay

  • Members
  • 32 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 22 March 2006 - 11:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:51:32 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home-pogop.jsp?si...5bvwCmb3ogAAKDw.
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: http://www.pogo.com/home/home-pogop - {3037FC09-62A6-4446-AA30-BB9DB0CD9B65} - http://www.pogo.com/home/home-pogop.jsp?si...7U0ICmb30QAAKDw. (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: http://www.pogo.com/home/home-pogop - {3037FC09-62A6-4446-AA30-BB9DB0CD9B65} - http://www.pogo.com/home/home-pogop.jsp?si...7U0ICmb30QAAKDw. (file missing) (HKCU)
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.4.34/cana...nasta-en_US.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.5.4.27/draw...poker-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.5.3.37/gin/gin-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.4.34/lott...ottso-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.5.4.27/mlsl...slots-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.5.2.26/flin...inger-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.5.3.37/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.5.0.45/hots...k-ob-assets.cab
O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/applet-6.5.4.27/spad...ades2-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.5.4.27/sque...chies-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.5.3.37/hold...oldem-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.4.27/peaks/peaks-en_US.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.5.4.27/jumb...umbee-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.5.3.37/turb...rbo21-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.3.37/memo...ories-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.5.3.37/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.5.4.34/whac...kdown-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/worl...class-en_US.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39701819-D560-43BA-896B-68CA17DD209E}: NameServer = 209.244.0.3 209.244.0.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I have never had any Trojans or similar and do not know what to do. I found Win32:Trojano-3295 and MS06-0001 WMF Exploit listed in my XP Event Viewer, under AntiVirus. My AntiVirus, Spybot, Adaware, AVAST AntiVirus, ZoneAlarm Firewall, Stinger, did not catch these or alert me. I happened upon them looking in the Event Viewer for anything out of the ordinary, as the Windows Picture and Fax Viewer disappeared from my system. I have searched these files in Windows and have not been able to bring a thing up on them. I also do not know if these are active nasties, or dormant ones. How do ya know?
I did all the prelims you asked, ran the scans, etc..nothing again. I just found these on 3-21-06, did a Windows and Microsoft update, as it had been a month...and do not know why the previous updates I have done did not give me that one for the Exploit..but I did search and download it when I did the last updates. I have Dial-up...takes almost well over an hour to do the update...my AntiVirus took over 3 hours to run a complete scan. I am pretty frustrated..and tired...looking for the solution, then decided to contact you, as I know you will give me whatever information is available and help me get my 'puter happy again. I was even told I would have to take it in, try to save files, wipe out my hard drive, reinstall XP. I hope that is not the case. I hope you can shed some light on this little mystery for me...and help me just get it done...am ready to just get on to the next problem lol...Thank you so much...BC ROCKS!!!
L. Miller/parrotplay :thumbsup:
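As an added example (not from the thread or from HijackThis itself), a small Python triage helper for logs in the HijackThis format posted above: it parses the numbered entries, counts them per section, lists the "(file missing)" items for manual verification, and collects the hosts that O16 (DPF) ActiveX controls were downloaded from. The sample log is a constructed excerpt of parrotplay's entries.

```python
import re
from collections import Counter

# Constructed excerpt of the HijackThis v1.99.1 log posted above (entries copied as shown there).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: http://www.pogo.com/home/home-pogop - {3037FC09-62A6-4446-AA30-BB9DB0CD9B65} - http://www.pogo.com/home/home-pogop.jsp?si...7U0ICmb30QAAKDw. (file missing) (HKCU)
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.5.3.37/gin/gin-en_US.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# HijackThis entries start with a section code (R0, F1, N1, O2, O16, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)")

def parse_hijackthis(text):
    """Turn a HijackThis log into a list of entry dicts; header and
    'Running processes' lines carry no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        entries.append({
            "section": m.group("section"),
            "body": body,
            "file_missing": "(file missing)" in body,
            "hosts": sorted(set(HOST_RE.findall(body))),
        })
    return entries

def triage(entries):
    """Summarise what a log reviewer checks first."""
    return {
        # how many entries of each type, for a quick feel of the machine
        "per_section": dict(Counter(e["section"] for e in entries)),
        # entries whose target HijackThis could not locate. Quoted service paths with
        # arguments (the avast lines above) are commonly tagged this way although the
        # file exists, so each one needs a manual look rather than being taken as proof.
        "orphaned": [f'{e["section"]} - {e["body"]}' for e in entries if e["file_missing"]],
        # hosts that O16 (DPF) ActiveX controls were fetched from; anything unexpected
        # in this list deserves an explanation
        "dpf_hosts": sorted({h for e in entries if e["section"] == "O16" for h in e["hosts"]}),
    }
```

Run `triage(parse_hijackthis(open("hijackthis.log").read()))` against a saved log to get the same summary for a real machine.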

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:51 PM

Posted 28 March 2006 - 05:10 PM

Hello parrotplay and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Let's try a different scanner and see what it shows us. Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
