Spyfalcon, Browser Hijack And Various Other Scanned Items



#1 gruden

Posted 16 May 2006 - 06:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:25:15 PM, on 5/16/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\csrss.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Winamp\Winampa.exe
C:\winnt\rundll.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 216.65.3.76 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\System32\hp6C8E.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ExplorerTask] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [windows] C:\winnt\svchost.exe
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe
O4 - HKLM\..\Run: [Microsoft .NET Configurator] msnconfig.exe
O4 - HKLM\..\Run: [WinUpdate] C:\Program Files\My App\mirc.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\SYSTEM32\syshost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NetFix] C:\winnt\system32\netfix.exe
O4 - HKLM\..\RunServices: [win_32 config_loader] win32_config.exe
O4 - HKLM\..\RunServices: [Microsoft .NET Configurator] msnconfig.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: ComcastHSI - {3912CA90-A388-4B76-9E36-E5877BFE9201} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {52DE5D47-D1BB-4544-BDCD-96B0BB7E04FA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {AFF71593-7382-4119-83BA-41EFCF8C3CFE} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125348290075
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: csrss - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:29 AM

Posted 17 May 2006 - 06:36 AM

Hello,

This is a nasty log :thumbsup:

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Don't use it yet.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
O1 - Hosts: 216.65.3.76 auto.search.msn.com
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\System32\hp6C8E.tmp
O4 - HKLM\..\Run: [ExplorerTask] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [windows] C:\winnt\svchost.exe
O4 - HKLM\..\Run: [Microsoft .NET Configurator] msnconfig.exe
O4 - HKLM\..\Run: [WinUpdate] C:\Program Files\My App\mirc.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\SYSTEM32\syshost.exe
O4 - HKLM\..\Run: [NetFix] C:\winnt\system32\netfix.exe
O4 - HKLM\..\RunServices: [win_32 config_loader] win32_config.exe
O4 - HKLM\..\RunServices: [Microsoft .NET Configurator] msnconfig.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: csrss - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

Be careful here! Make sure you delete the ones present in that folder and not anywhere else!!

C:\WINNT\csrss.exe <== don't try to delete it from your system32-folder, because that one is legit
C:\winnt\rundll.exe
C:\WINNT\Fonts\explorer.exe <== don't try to delete explorer.exe present in your Winnt-folder!
C:\winnt\svchost.exe <== don't try to delete it from your System32-folder!
C:\Program Files\My App\mirc.exe
C:\WINNT\SYSTEM32\syshost.exe <== watch the spelling! Don't try to delete the legit svchost.exe present there!

*Go to start >run and type: services.msc and click OK
Scroll down in that list until you find the service PipeCmd Service
Doubleclick on it. In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to disabled.
Click apply and OK and close all open windows.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; I need that log afterwards.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply, along with a new HijackThis log and
the contents of rapport.txt, which is present on your Homedrive (C:\ in most cases), by using Add Reply.

Edited by miekiemoes, 17 May 2006 - 06:37 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
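The helper's point above, that the impostors are real system names running from the wrong folder (csrss.exe, svchost.exe and explorer.exe outside their home directory) or near-miss spellings (syshost.exe, rundll.exe), can be checked mechanically against a HijackThis log. This is an added illustration, not code from the thread or from HijackThis; the expected-location table and the two-edit lookalike threshold are assumptions, and the sample log is a few lines constructed from this thread's own logs.

```python
"""Triage a HijackThis-style log for impostor system binaries.
Added illustration, not code from the thread or from HijackThis; the
location table and the edit threshold are assumptions for Windows 2000."""
import re

# Where each system binary legitimately lives, as a subfolder of the Windows
# folder ("" means the Windows folder itself). Assumption: Windows 2000 layout.
EXPECTED_DIRS = {
    "csrss.exe": {"system32"},
    "svchost.exe": {"system32"},
    "explorer.exe": {""},
    "rundll32.exe": {"system32"},
    "winlogon.exe": {"system32"},
    "smss.exe": {"system32"},
}
MAX_EDITS = 2  # typo-level changes that still count as a lookalike name

WIN_PATH_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\(.*)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: .* - (?P<owner>.*?) - (?P<path>.*)$")


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_path(path):
    """Return 'ok', 'wrong-dir', 'lookalike' or 'unknown' for one executable path."""
    m = WIN_PATH_RE.match(path.strip().strip('"'))
    if not m:
        return "unknown"  # outside the Windows folder; not judged here
    subdir, _, name = m.group(1).lower().rpartition("\\")
    if name in EXPECTED_DIRS:
        # Real name in the wrong place: C:\WINNT\csrss.exe instead of system32.
        return "ok" if subdir in EXPECTED_DIRS[name] else "wrong-dir"
    # syshost.exe, svchosts.exe, rundll.exe: a real name with a letter or two changed.
    if any(edit_distance(name, legit) <= MAX_EDITS for legit in EXPECTED_DIRS):
        return "lookalike"
    return "unknown"


def triage_log(text):
    """Return (verdict, line) for every suspicious line of a HijackThis log."""
    findings = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        if in_processes:
            verdict = classify_path(line)
        elif (m := O4_RE.match(line)):
            verdict = classify_path(m.group(1).split(" /")[0])  # drop switches
        elif (m := O23_RE.match(line)):
            verdict = classify_path(m.group("path").replace("(file missing)", ""))
            if m.group("owner") == "Unknown owner" and verdict in ("ok", "unknown"):
                verdict = "unknown-owner"  # nobody vouches for the binary
        else:
            continue  # R0/R1/O1/O2/... entries are not judged by this script
        if verdict not in ("ok", "unknown"):
            findings.append((verdict, line))
    return findings


# Constructed sample: a handful of lines taken from the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\csrss.exe
C:\WINNT\Explorer.exe
C:\winnt\rundll.exe
C:\WINNT\system32\ZONELABS\minilog.exe

O4 - HKLM\..\Run: [ExplorerTask] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [windows] C:\winnt\svchost.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\SYSTEM32\syshost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: csrss - Unknown owner - C:\WINNT\csrss.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for verdict, line in triage_log(SAMPLE_LOG):
        print(f"{verdict:14} {line}")
```

A bare name in a Run entry (msnconfig.exe, win32_config.exe) carries no folder and is reported as unknown; those still need a manual look.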

#3 gruden

gruden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 17 May 2006 - 04:34 PM

The computer did away with the irritating pop-ups and stopped taking over the internet, but it appears to have lots of viruses (27) and infected objects (52). We use AVG anti-virus. Is it possible the spyware/malware disabled the anti-virus?

Here (below) are the 3 scans/logs as instructed:
1. Kaspersky Scan (27 Viruses, 52 infected objects)
2. The new HijackThis log
3. The SmitfraudFix Log

Kaspersky scan:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, May 17, 2006 5:05:31 PM
Operating System: Microsoft Windows 2000 Professional, (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 17/05/2006
Kaspersky Anti-Virus database records: 194535
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 83024
Number of viruses found: 27
Number of infected objects: 52
Number of suspicious objects: 0
Duration of the scan process: 03:45:02

Infected Object Name / Virus Name / Last Action
C:\temp\pqremove.com/QRV.KRN.BAK Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com/QRV.KRN Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com ZIP: infected - 2 skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED/SOPHIE~2.DOC Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 2 skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED/SOPHIE~2.DOC Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx Mail MS Internet Mail: infected - 2 skipped
C:\WINDOWS\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINDOWS\rconnect.conf Infected: Backdoor.IRC.Microb.b skipped
C:\WINDOWS\rconnect.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.312b skipped
C:\WINDOWS\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.582 skipped
C:\WINNT\system32\drivers\wmpcore.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINNT\system32\setup_71453.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\WINNT\system32\sys32.exe Infected: Trojan-Dropper.Win32.VB.am skipped
C:\WINNT\system32\ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\WINNT\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\pstor.exe Infected: not-a-virus:PSWTool.Win32.GetPass.d skipped
C:\WINNT\system32\taskmngr.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.507 skipped
C:\WINNT\system32\win\firedaemon.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.3826 skipped
C:\WINNT\system32\win\svchosts.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 skipped
C:\WINNT\system32\win\winupdate.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINNT\system32\netfix.exe Infected: Trojan.Win32.VB.og skipped
C:\WINNT\system32\winupdate.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINNT\system32\ocxdll_exe.vir Infected: not-a-virus:Client-IRC.Win32.mIRC.507 skipped
C:\WINNT\Fonts\mcon.dll Infected: Backdoor.IRC.Zcrew skipped
C:\WINNT\Fonts\msfnt32i.exe Infected: DoS.Win32.Nenet skipped
C:\WINNT\Fonts\nvnav32g.exe Infected: Flooder.Win32.WarPing skipped
C:\WINNT\Fonts\STDE9.exe/data0004 Infected: Backdoor.IRC.Zcrew skipped
C:\WINNT\Fonts\STDE9.exe/data0005 Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINNT\Fonts\STDE9.exe/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
C:\WINNT\Fonts\STDE9.exe/data0010 Infected: Backdoor.IRC.Zcrew skipped
C:\WINNT\Fonts\STDE9.exe/data0012 Infected: Backdoor.IRC.Zcrew skipped
C:\WINNT\Fonts\STDE9.exe/data0013 Infected: DoS.Win32.Nenet skipped
C:\WINNT\Fonts\STDE9.exe/data0018 Infected: Backdoor.IRC.Zapchast skipped
C:\WINNT\Fonts\STDE9.exe/data0019 Infected: Flooder.Win32.WarPing skipped
C:\WINNT\Fonts\STDE9.exe/data0020 Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\Fonts\STDE9.exe/data0021 Infected: Net-Worm.Win32.Randon.r skipped
C:\WINNT\Fonts\STDE9.exe/data0023 Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\WINNT\Fonts\STDE9.exe/data0024 Infected: Backdoor.IRC.Zcrew skipped
C:\WINNT\Fonts\STDE9.exe Astrum: infected - 12 skipped
C:\WINNT\csrss.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\WINNT\ntsyscore\abc2.dll Infected: Backdoor.IRC.Cloner.v skipped
C:\WINNT\ntsyscore\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\ntsyscore\remote.ini Infected: Backdoor.IRC.Cloner.v skipped
C:\WINNT\rundll.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.24 skipped
C:\Documents and Settings\Virginia Duyn\Local Settings\Temporary Internet Files\Content.IE5\8PTYG62Q\p[1].exe Infected: Trojan-Downloader.Win32.Zlob.jl skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx/[From blt01@optonline.net][Date Tue, 01 Mar 2005 14:19:41 -0500]/UNNAMED/ps.doc.exe Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx/[From blt01@optonline.net][Date Tue, 01 Mar 2005 14:19:41 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx Mail MS Outlook 5: infected - 2 skipped

Scan process completed.

-------------------------------------------
The new HijackThis Log:
-------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:12:23 PM, on 5/17/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Winamp\Winampa.exe
C:\winnt\rundll.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: ComcastHSI - {3912CA90-A388-4B76-9E36-E5877BFE9201} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {52DE5D47-D1BB-4544-BDCD-96B0BB7E04FA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {AFF71593-7382-4119-83BA-41EFCF8C3CFE} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125348290075
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

-----------------------------------------
SmitfraudFix Log:
-----------------------------------------



SmitFraudFix v2.44


Scan done at 12:22:57.96, Wed 05/17/2006
Run from C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\appmagr.dll Deleted
C:\WINNT\system32\ld????.tmp Deleted
C:\WINNT\system32\ot.ico Deleted
C:\WINNT\system32\regperf.exe Deleted
C:\WINNT\system32\simpole.tlb Deleted
C:\WINNT\system32\stdole3.tlb Deleted
C:\WINNT\system32\1024\ Deleted
C:\DOCUME~1\VIRGIN~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:29 AM

Posted 17 May 2006 - 05:02 PM

Hello,

I see now with what you are really dealing as well and it doesn't look good at all. :thumbsup:
Your system is still terribly infected. You are backdoored. It got installed through security exploits... because your Windows is unpatched.
This allows attackers to remotely control your machine and install more and more backdoors and other types of malware. Your system is severely compromised.
Problem with these backdoors is - you never know what it already damaged, because it is also infecting system files, or where it is still hiding from scanners - so actually you can never trust this system for 100% again even if we clean this up.
It is my responsibility to tell you this, and it is better to perform a format and reinstall.
Also take a look here:
http://www.dslreports.com/faq/10063

The choice is yours of course... and if you decide not to perform the format and reinstall, but want to clean up manually, I will still help you, but I can't guarantee afterwards that your system will ever be clean, even if scanners tell you you are clean.
And I can't guarantee you that the damage it already caused can be repaired.

#5 gruden

gruden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 19 May 2006 - 09:17 AM

Hello, :thumbsup:

I have given it some thought and would like to try to clean it up manually.

I understand the possibility of it not being 100%, and I appreciate your help very much.

I await your instructions.

Thx

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:29 AM

Posted 19 May 2006 - 09:45 AM

Ok, then my advice is to temporarily uninstall AVG (since it doesn't find everything related) and to install Kaspersky:

Download and install Kaspersky from here: http://www.kaspersky.com/trials?chapter=146481750

Reboot after installing.

This is a trial for 30 days.

Install Kaspersky and update it. (Click Update now in the left panel)
After being updated, Reboot into safe mode!
Click 'Scan my computer'
Let it perform a full scan and let it delete/disinfect everything it is finding.

Reboot afterwards

Post a new hijackthislog after reboot.

#7 gruden

gruden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 19 May 2006 - 11:32 AM

Hi again,

I tried to download the Kaspersky trial and it prompted with a message that the service pack is not installed; Windows 2000 Service Pack 3 or higher is required. I clicked OK, then the set-up wizard said installation was interrupted prematurely because of an error.

??? Not sure what to do from here.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:29 AM

Posted 19 May 2006 - 11:56 AM

True, Kaspersky requires at least a patched windows, and in your case it's unpatched. Uninstall Kaspersky and reboot.

Try NOD32 instead:
http://www.eset.com/

Edited by miekiemoes, 19 May 2006 - 11:57 AM.


#9 gruden

gruden
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 19 May 2006 - 01:32 PM

OK done utilizing NOD32. :thumbsup:

I await your analysis...

Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:34 PM, on 5/19/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Winamp\Winampa.exe
C:\winnt\rundll.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: ComcastHSI - {3912CA90-A388-4B76-9E36-E5877BFE9201} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {52DE5D47-D1BB-4544-BDCD-96B0BB7E04FA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {AFF71593-7382-4119-83BA-41EFCF8C3CFE} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125348290075
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
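The checks the helper makes by eye on a log like the one above (a core system name such as csrss.exe or a rundll.exe running from somewhere other than System32, a service whose binary is gone) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample log is a constructed excerpt of the entries posted in this thread.

```python
r"""Triage of a HijackThis v1.99 log (added example, not HijackThis code): flags
process, O4 autorun and O23 service entries whose file name imitates a core
Windows binary but sits outside System32, and services whose binary is missing."""
import re
from pathlib import PureWindowsPath

# Core NT5 binaries that legitimately run only from <systemroot>\system32.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Names that mimic system binaries but do not exist on a clean install.
LOOKALIKE_NAMES = {"rundll.exe", "svchosts.exe"}   # the real one is rundll32.exe
O23_RE = re.compile(r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\.+?)"
                    r"(?P<missing> \(file missing\))?$")


def is_in_system32(path: PureWindowsPath) -> bool:
    parts = path.parts  # e.g. ('c:\\', 'winnt', 'system32', 'csrss.exe')
    return (len(parts) == 4 and parts[1] in ("winnt", "windows")
            and parts[2] == "system32")


def suspicious_path(raw: str):
    """Reason the path looks wrong, or None if nothing stands out."""
    p = PureWindowsPath(raw.strip().strip('"').lower())
    if p.name in LOOKALIKE_NAMES:
        return "lookalike name " + p.name
    if p.name in CORE_SYSTEM32 and not is_in_system32(p):
        return "core binary %s outside system32" % p.name
    return None


def o4_binary(line: str) -> str:
    """Executable named by an O4 Run entry or a Global Startup shortcut."""
    if "] " in line:                 # O4 - HKLM\..\Run: [name] <command line>
        cmd = line.split("] ", 1)[1]
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]
    if " = " in line:                # O4 - Global Startup: x.lnk = <target>
        return line.split(" = ", 1)[1]
    return ""


def triage(log: str) -> list:
    """Return (log line, reason) pairs that deserve a human look."""
    findings, in_procs = [], False
    for line in log.splitlines():
        line, why = line.rstrip(), None
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # blank line ends the process list
            in_procs = False
        elif in_procs:
            why = suspicious_path(line)
        elif line.startswith("O4 - "):
            why = suspicious_path(o4_binary(line))
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m and m.group("missing"):
                why = "service binary missing"
            elif m:
                why = suspicious_path(m.group("path"))
        if why:
            findings.append((line, why))
    return findings


# Constructed excerpt of the first log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\csrss.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\winnt\rundll.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
"""
```

Explorer.exe in the WINNT root and svchost.exe in System32 are left alone; the two rundll.exe hits, the csrss.exe outside System32 and the missing PipeCmdSrv binary are the four things reported.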

#10 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 19 May 2006 - 01:38 PM

Hmm, I still see the rundll.exe present and running here. :thumbsup:

Check and fix the following entries in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe


Perform this step again (I already asked you previously, but it looks like you forgot that step).

* Go to Start > Run, type services.msc and click OK.
Scroll down in that list until you find the service PipeCmd Service.
Double-click on it. In the window that appears, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.


Then, * Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

C:\winnt\rundll.exe

Click Open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

After the reboot, perform another online scan with Kaspersky and post the log, so I can see what NOD32 was able to delete/flag and what not.

Also post a new HijackThis log in your next reply, together with the Kaspersky log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 gruden
  • Topic Starter
  • Members
  • 8 posts

Posted 19 May 2006 - 06:00 PM

Hello,

OK, now that is done; here are the two new logs:

1. Kaspersky
2. HijackThis

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, May 19, 2006 6:41:39 PM
Operating System: Microsoft Windows 2000 Professional, (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 19/05/2006
Kaspersky Anti-Virus database records: 195056
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 85726
Number of viruses found: 15
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 03:25:58

Infected Object Name / Virus Name / Last Action
C:\temp\pqremove.com/QRV.KRN.BAK Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com/QRV.KRN Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com ZIP: infected - 2 skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED/SOPHIE~2.DOC Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 2 skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED/SOPHIE~2.DOC Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx/[From "Duyn, Virginia" <VDuyn@feldinc.com>][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx Mail MS Internet Mail: infected - 2 skipped
C:\WINDOWS\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINDOWS\rconnect.conf Infected: Backdoor.IRC.Microb.b skipped
C:\WINDOWS\rconnect.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.312b skipped
C:\WINDOWS\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.582 skipped
C:\WINNT\system32\drivers\wmpcore.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINNT\system32\setup_71453.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\WINNT\system32\sys32.exe Infected: Trojan-Dropper.Win32.VB.am skipped
C:\WINNT\system32\ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\WINNT\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\pstor.exe Infected: not-a-virus:PSWTool.Win32.GetPass.d skipped
C:\WINNT\system32\win\svchosts.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 skipped
C:\WINNT\system32\netfix.exe Infected: Trojan.Win32.VB.og skipped
C:\WINNT\csrss.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\WINNT\ntsyscore\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\Documents and Settings\Virginia Duyn\Local Settings\Temporary Internet Files\Content.IE5\8PTYG62Q\p[1].exe Infected: Trojan-Downloader.Win32.Zlob.jl skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx/[From blt01@optonline.net][Date Tue, 01 Mar 2005 14:19:41 -0500]/UNNAMED/ps.doc.exe Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx/[From blt01@optonline.net][Date Tue, 01 Mar 2005 14:19:41 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx Mail MS Outlook 5: infected - 2 skipped

Scan process completed.


------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:49:45 PM, on 5/19/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
-------------------------------------------------------------
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: ComcastHSI - {3912CA90-A388-4B76-9E36-E5877BFE9201} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {52DE5D47-D1BB-4544-BDCD-96B0BB7E04FA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {AFF71593-7382-4119-83BA-41EFCF8C3CFE} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125348290075
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#12 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 19 May 2006 - 06:30 PM

Ok, this is starting to look a bit better...
The rundll.exe is not present anymore.

Check and fix the following entries in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [rundll] C:\winnt\rundll.exe


Reboot into safe mode again!!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the following files in safe mode:

C:\WINDOWS\psexec.exe
C:\WINDOWS\rconnect.conf
C:\WINDOWS\rconnect.exe
C:\WINDOWS\mirc32.exe
C:\WINNT\system32\drivers\wmpcore.exe
C:\WINNT\system32\i
C:\WINNT\system32\setup_71453.exe
C:\WINNT\system32\sys32.exe
C:\WINNT\system32\ncp.exe
C:\WINNT\system32\psexec.exe
C:\WINNT\system32\pstor.exe
C:\WINNT\system32\win\svchosts.exe <== this one is present in a SUBfolder called win in your system32-folder, don't try to delete the svchost.exe present in your system32-folder!!
C:\WINNT\system32\netfix.exe
C:\WINNT\csrss.exe <== don't try to delete csrss.exe present in your system32 folder, because that one is legit!
C:\WINNT\ntsyscore\psexec.exe
C:\Documents and Settings\Virginia Duyn\Desktop\E-mail Back-Ups\Sue Lemmons.dbx <== I recommend you delete this backup, or at least delete that mail; it is the mail with subject UNNAMED, [From blt01@optonline.net]
C:\temp <== empty the entire contents of this folder

Delete the following mail from your Outlook Express inbox:
UNNAMED with the attachment SOPHIE~2.DOC (don't open that attachment!!!)

Then delete everything in the 'deleted items' mailbox!

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legit files and folders as well, and I don't want you to delete those because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Restore your web settings: Go to Start > Control Panel > Internet Options > Programs tab.
Click: "Restore Web Settings"

Reboot back to normal mode and post a new HijackThis log.
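The file list in #12 is essentially the Kaspersky report from #11 with the container members separated out: a hit inside a ZIP or a mail store cannot be deleted on its own, so the archive or the individual message is what has to go. The parser below makes that split automatically. It is an added example, not code from the thread or from Kaspersky; its sample lines are a constructed excerpt of the report in #11 with the sender address replaced by a placeholder.

```python
r"""Parser for a Kaspersky On-line Scanner 5 report (added example, not code from
the thread or from Kaspersky).  Standalone infected files are listed for deletion;
objects found inside archives or mail stores are grouped by container, since the
archive or the individual message is what has to be removed."""
import re
from collections import OrderedDict

# "<object> Infected: <verdict> <action>"; the object is a plain path, or
# "<container>/<member>" for hits inside archives and mailboxes.  A Windows
# path never contains '/', so the first slash marks the container boundary.
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
MAIL_STORES = (".mbx", ".dbx", ".pst")


def classify(obj: str) -> dict:
    """Describe where one infected object lives."""
    container, sep, member = obj.partition("/")
    if not sep:
        return {"kind": "file", "path": obj, "container": None}
    if container.lower().endswith(MAIL_STORES):
        # member looks like "[From ...][Date ...]/UNNAMED/SOPHIE~2.DOC";
        # the leading bracketed part identifies the message.
        return {"kind": "mail", "path": obj, "container": container,
                "message": member.split("/", 1)[0]}
    return {"kind": "archive", "path": obj, "container": container}


def parse_report(text: str) -> list:
    """One record per 'Infected:' line; header and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        rec = classify(m.group("obj"))
        rec["verdict"] = m.group("verdict")
        rec["riskware"] = rec["verdict"].startswith("not-a-virus:")
        rec["action"] = m.group("action")
        records.append(rec)
    return records


def plan(records: list) -> OrderedDict:
    """Files to delete, messages to delete, archives to delete (deduplicated)."""
    out = OrderedDict(files=[], messages=[], archives=[])
    for r in records:
        if r["kind"] == "file":
            target, bucket = r["path"], "files"
        elif r["kind"] == "mail":
            target, bucket = r["container"] + " -> " + r["message"], "messages"
        else:
            target, bucket = r["container"], "archives"
        if target not in out[bucket]:
            out[bucket].append(target)
    return out


# Constructed excerpt of the report in #11; the sender address is a placeholder.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\temp\pqremove.com/QRV.KRN.BAK Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com/QRV.KRN Infected: Trojan.BAT.FormatC skipped
C:\temp\pqremove.com ZIP: infected - 2 skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From sender@example.invalid][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED/SOPHIE~2.DOC Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx/[From sender@example.invalid][Date Tue, 10 Aug 1999 09:58:58 -0400]/UNNAMED Infected: Virus.MSWord.Melissa skipped
C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 2 skipped
C:\WINDOWS\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\WINNT\system32\setup_71453.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\WINNT\csrss.exe Infected: Backdoor.Win32.SdBot.xd skipped
"""
```

The "riskware" flag keeps the not-a-virus tools (PsExec, NetCat, mIRC in the full report) visible as a separate class; on a home machine with no reason to have them, the helper treated them the same as the trojans.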

#13 gruden
  • Topic Starter
  • Members
  • 8 posts

Posted 20 May 2006 - 10:29 AM

Hello,

I completed the instructions. When I got to the deleted items mailbox I was unable to locate the unnamed email with the attachment SOPHIE-2.DOC, so I deleted the inbox.dbx in the back-up as well as the current Outlook Express one. Not sure if that did what you wanted it to do; I still have the back-ups, and Outlook Express thinks it is starting out with a new user (not a problem for us).

Also, I was never prompted for "Delete all offline content" in IE, so I chose Work Offline and deleted cookies & files again. I don't think that did anything, but thought it was worth a try anyway.

I gratefully await your instructions.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:54 AM, on 5/20/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\ZONELABS\minilog.exe
C:\WINNT\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Virginia Duyn\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: ComcastHSI - {3912CA90-A388-4B76-9E36-E5877BFE9201} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {52DE5D47-D1BB-4544-BDCD-96B0BB7E04FA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {AFF71593-7382-4119-83BA-41EFCF8C3CFE} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125348290075
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TrueVector Basic Logging Client (minilog) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\minilog.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#14 miekiemoes (Malware Killer Dog)
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 20 May 2006 - 10:33 AM

This log looks clean again. :thumbsup:

Concerning your NOD32: keep in mind that this is only a trial and will expire after 30 days, so once it has expired you can choose either to buy it or to uninstall it and reinstall AVG again.

I also strongly recommend you update your Windows! Because without the necessary updates, your system will stay vulnerable and will get reinfected again.

Let me know in your next reply how things are running now. :flowers:

#15 gruden
  • Topic Starter
  • Members
  • 8 posts

Posted 20 May 2006 - 10:58 AM

OK

I will update windows.

Two quick questions:

1. When I go online with IE, the home page did not come up; I had to hit refresh. Is that a problem?

2. Is the e-mail with SOPHIE-2.DOC now gone?

Thank you for all your help.

I will send an update later on progress.



