
Malware Issues And Hjt Log


  • This topic is locked
2 replies to this topic

#1 darienk

darienk

  • Members
  • 1 posts

Posted 07 April 2006 - 03:56 PM

Hi,

I was wondering if someone would be kind enough to help me cleanse my system after a virus/malware infestation. I have followed the steps exactly as listed in the preparation guide before running HJT and posting. The only problem was Ad-Aware: it froze during the deep scan of the C: drive, both under Windows and in Safe Mode. It detects some registry keys, but I am unable to find a workaround.

I also ran F-Secure BlackLight and deleted several .exe files present in that tool.

System Behavior:

Mostly limited to Internet Explorer. I did find that the system clock changed at one point, and that's what generated my suspicion of a virus. Internet Explorer stalls, crashes on occasion, hangs, and redirects legitimate links to eBay searches, anti-spam sites, sex sites, Viagra sites, term paper sites, and various other junk sites that are not the sites I'm supposed to be navigating to.

Symantec Virus found the following 2 days ago during a scan:

Virus Name             Virus Type  Action Taken              Original Location
Bloodhound.Exploit.61  File        Quarantined               C:\Documents and Settings\Snowwhite\Local Settings\Temporary Internet Files\Content.IE5\M9SJI1A5\
Trojan Horse           File        Quarantined               C:\System Volume Information\_restore{02A626FD-949A-4718-B008-E191B3ACCE13}\RP136\
Trojan.Favadd          File        Quarantined               C:\System Volume Information\_restore{02A626FD-949A-4718-B008-E191B3ACCE13}\RP136\
Trojan Horse           File        Left alone in Quarantine  C:\WINDOWS\system32\
Trojan.Favadd          File        Left alone in Quarantine  C:\WINDOWS\system32\
Trojan Horse           File        Quarantined               C:\WINDOWS\system32\
Trojan.Favadd          File        Quarantined               C:\WINDOWS\system32\
Bloodhound.Exploit.61  File        Left alone in Quarantine  C:\Documents and Settings\Snowwhite\Local Settings\Temporary Internet Files\Content.IE5\M9SJI1A5\


Logfile of HijackThis v1.99.1
Scan saved at 12:10:45 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Reflection\rnnfserv.exe
c:\Program Files\ITvpnclient-403D\cvpnd.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\symantec_client_firewall_v5_1\NISUM.EXE
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\symantec_client_firewall_v5_1\SymPxSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\symantec_client_firewall_v5_1\NISSERV.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.exe
C:\Program Files\Sun\StarOffice 8\program\soffice.BIN
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Snowwhite\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R3 - URLSearchHook: (no name) - {ACF3F9D1-164F-4C42-BAA9-FF0DAB23C740} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [scanSYS] srbho.exe
O4 - HKLM\..\Run: [lpt] SetupExeDll.exe
O4 - HKLM\..\Run: [dmlkk.exe] C:\WINDOWS\system32\dmlkk.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cnftips] media64.exe
O4 - HKCU\..\Run: [qwe] sysmon12.exe
O4 - HKCU\..\Run: [keybdll] AliceSD.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Sun Microsystems Next Gen VPN.lnk = C:\Program Files\ITvpnclient-403D\vpngui.exe
O4 - Global Startup: XPNeuter.lnk = C:\WINDOWS\system32\wscript.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spdf: C:\Program Files\Internet Explorer\PLUGINS\npUnseal.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144251007500
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA25EE3A-530B-4494-AA8A-AA52557E37B6} (LinkedIn Signature Control) - https://www.linkedin.com/cab/LinkedInSignatureControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E070C92-5194-4AF5-9BA0-D7812086AE99}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{69B1116D-0657-4511-957C-90230B131701}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{8152672B-A9CD-4F23-805A-9F2C060B0BF7}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAEB2617-6D98-4779-8444-9C34A80F54C1}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CS2\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.115.59,85.255.112.126
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\ITvpnclient-403D\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\symantec_client_firewall_v5_1\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\symantec_client_firewall_v5_1\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\symantec_client_firewall_v5_1\SymPxSvc.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 April 2006 - 07:38 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R3 - URLSearchHook: (no name) - {ACF3F9D1-164F-4C42-BAA9-FF0DAB23C740} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [scanSYS] srbho.exe
O4 - HKLM\..\Run: [lpt] SetupExeDll.exe
O4 - HKLM\..\Run: [dmlkk.exe] C:\WINDOWS\system32\dmlkk.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [cnftips] media64.exe
O4 - HKCU\..\Run: [qwe] sysmon12.exe
O4 - HKCU\..\Run: [keybdll] AliceSD.exe
O4 - Global Startup: XPNeuter.lnk = C:\WINDOWS\system32\wscript.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E070C92-5194-4AF5-9BA0-D7812086AE99}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{69B1116D-0657-4511-957C-90230B131701}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{8152672B-A9CD-4F23-805A-9F2C060B0BF7}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAEB2617-6D98-4779-8444-9C34A80F54C1}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CS2\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.115.59,85.255.112.126


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.
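The log in post #1 and the fix list in post #2 are a textbook picture of how a helper triages a HijackThis log by eye: orphaned CLSIDs, a leftover ProxyServer value, a rewritten hosts line, Run entries that launch bare filenames or randomly named system32 binaries, a startup shortcut that runs wscript.exe, and every network interface's NameServer pointed at the same two outside resolvers. The Python below is an added example written for this page; it is not code from BleepingComputer, HijackThis, or either poster. It encodes those heuristics and replays them over a subset of the log lines above. The allowlists KNOWN_GOOD_AUTOSTART and EXPECTED_RESOLVERS are assumptions for this one machine, and the embedded SAMPLE_LOG is a constructed subset of the log posted in #1, good and bad entries mixed so the false-positive handling is visible.

```python
"""Triage a HijackThis v1.99 log and list the lines worth a 'Fix checked'.

Heuristics are this example's own, not HijackThis features:
  orphaned registrations, a leftover ProxyServer value, any O1 hosts entry,
  Run entries that launch a bare filename or whose label is just the file name,
  startup shortcuts that run a script host, and O17 resolvers off the allowlist.
"""
import ipaddress
import re

# Constructed allowlists for this machine; keep them in config in real use.
KNOWN_GOOD_AUTOSTART = {"soundman.exe", "nwiz.exe", "ctfmon.exe"}
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}   # assumed LAN DNS
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?:Global )?Startup: .+?\.lnk = (?P<target>.+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

def first_executable(cmd):
    """Split a Run command line into (executable, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted long path
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return [(hjt_line, reason)] for every line that deserves a fix."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if "(no file)" in line or "(file missing)" in line:
            findings.append((line, "registered component whose file is gone"))
        elif line.startswith("R1 - ") and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            findings.append((line, "proxy setting " + (value or "left empty")))
        elif line.startswith("O1 - Hosts:"):
            findings.append((line, "non-default hosts entry"))
        elif m := O4_RUN.match(line):
            exe, rest = first_executable(m["cmd"])
            if basename(exe) == "rundll32.exe":      # judge the DLL, not the host
                exe = rest.split(",", 1)[0].strip('"')
            name = basename(exe)
            if name in KNOWN_GOOD_AUTOSTART:
                continue
            if "\\" not in exe:                      # no directory: relies on PATH lookup
                findings.append((line, f"autostart of bare filename {name}"))
            elif m["label"].lower() == name:        # vendors use descriptive labels
                findings.append((line, f"autostart whose label is just {name}"))
        elif m := O4_LNK.match(line):
            if basename(m["target"]) in SCRIPT_HOSTS:
                findings.append((line, "startup shortcut runs a script host"))
        elif m := O17_DNS.match(line):
            rogue = [s for s in m["servers"].split(",")
                     if s and ipaddress.ip_address(s) not in EXPECTED_RESOLVERS]
            if rogue:
                findings.append((line, "unexpected DNS resolver(s) " + ", ".join(rogue)))
    return findings

def fix_list(log_text):
    """Just the HijackThis lines, in log order, ready to tick in the tool."""
    return [line for line, _ in triage(log_text)]

# Constructed sample: a subset of the lines from the log above, good and bad mixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R3 - URLSearchHook: (no name) - {ACF3F9D1-164F-4C42-BAA9-FF0DAB23C740} - br0ken.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A1DAC8C-074D-440F-8707-7009A672D7D1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [scanSYS] srbho.exe
O4 - HKLM\..\Run: [dmlkk.exe] C:\WINDOWS\system32\dmlkk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [keybdll] AliceSD.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: XPNeuter.lnk = C:\WINDOWS\system32\wscript.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.114.196,85.255.112.149
O17 - HKLM\System\CS2\Services\Tcpip\..\{376BCCFF-91E2-4EA0-B39C-FCFF220BD994}: NameServer = 85.255.115.59,85.255.112.126
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why:45} {line}")
```

Run against the sample, the output is exactly the subset of the helper's list that survives in SAMPLE_LOG, and none of the vendor entries (SoundMan, nTune, ctfmon, the Acrobat and Spybot BHOs). Two points the heuristics make explicit: HijackThis itself cannot tell a legitimate resolver from a rogue one, so the DNS allowlist is the one input you must supply from knowledge of the network, and the O17 entries are repeated under CCS, CS1 and CS2 (the current and last-known-good control sets), which is why every copy has to be fixed or the setting comes back on the next boot with the other control set. The 85.255.112.x to 85.255.115.x addresses in this log sit in a block later publicly named as rogue resolver infrastructure in the DNSChanger takedown, which matches the redirect symptoms described in post #1.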

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 April 2006 - 11:15 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
