Help Please! Infected

#1 Twixx

Posted 28 June 2006 - 01:21 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:20:56 AM, on 6/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\atmclk.exe
C:\WINNT\system32\dcomcfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\DOCUME~1\hanhn\LOCALS~1\Temp\Rar$EX18.734\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp103.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pciqwq.exe reg_run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133754886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://intranet2.bcm.tmc.edu/litepages2002/ezlistnt.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB33060-9B36-493D-A84B-C3855FA3E341}: Domain = bcm.tmc.edu
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winhoq32 - C:\WINNT\SYSTEM32\winhoq32.dll
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)

#2 -David-

Posted 28 June 2006 - 03:47 AM

Hey Twixx, welcome to BleepingComputer.

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

Please move HijackThis to another location, preferably C:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups, or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double-clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and extract it to a folder.

How to make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

I see you have Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
* Your Java is out of date and the older versions are being exploited by malware. It is the likely cause of your infection, so we need to get it patched up as soon as possible.
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have this icon next to it: (image)
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
You are using LimeWire. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use "Add/Remove Program" to remove it and any reference to LimeWire.
This is another article: http://www.cexx.org/adware.htm

Download Brute Force Uninstaller to your C:\
  • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
  • Download qoofix.bat (right-click on this link and choose Save As)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat. Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please continue with the instructions.
* Download smitRem and save the file to your desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please download Ewido anti-malware ; it is a 30 day trial version of the program.
  • Install ewido security suite
  • Ewido will automatically run at the end.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the top row of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the top will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.
* Please download ATF Cleaner by Atribune.
Do not run it yet.

* Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

C:\WINNT\SYSTEM32\winhoq32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, as the computer is booting press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp103.tmp
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pciqwq.exe reg_run
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O20 - Winlogon Notify: winhoq32 - C:\WINNT\SYSTEM32\winhoq32.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on the scanner button in the top row.
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom left of the screen and click the "Save Scan Report" button.
  • Click on "Save Report As".
  • Save the report to your desktop
Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply, along with a new HijackThis log, the contents of smitfiles.txt (which is present on your home drive, C:\ in most cases) and the Ewido log, by using Add Reply.

David

#3 Twixx

Posted 28 June 2006 - 01:52 PM

Thank you for the reply, it has helped in so many ways. I just wanna thank you again :thumbsup:. These two processes are new, and when I attempt to delete them they just reappear in my process box. Should I be concerned, or will they automatically be removed as I finish your instructions?
C:\WINNT\system32\atmclk.exe
C:\WINNT\system32\dcomcfg.exe

#4 -David-

Posted 28 June 2006 - 02:13 PM

Those two processes are malicious and will be removed by the program smitrem. I'll check for your reply a bit later.
David

#5 Twixx

Posted 30 June 2006 - 08:28 PM

This may sound really dumb, but is there a way to remove a password into safe mode? I'm running Windows 2000 Pro and the password into safe mode is different from logging in normally. We are borrowing this computer from my mom's work, so would we have to contact them, or is there a way to change or remove the password into safe mode? This is my main problem.

Edited by Twixx, 30 June 2006 - 08:28 PM.


#6 -David-

Posted 01 July 2006 - 04:11 AM

Is this when you log in via the administrator account or the actual user name account (e.g. hanhn)? What happens when you try to log in with both? Do you get an unknown password for both the administrator account and the user name account?

If that doesn't work you could try resetting the administrator account's password and see if you can log in via the administrator account in safe mode that way. At a command prompt, type "control userpasswords2" and press Enter to open the Windows 2000-style User Accounts application. In the bottom right click "Reset Password", type in the new password you want and confirm it. Then reboot into safe mode and, when the log-in screen appears, log in with the administrator and complete the rest of the instructions there for now.

David

#7 Twixx

Posted 02 July 2006 - 12:43 AM

OK, I've gained access into safe mode and followed the directions. However, when I reach the disk cleanup, it seems to take FOREVER. I had it from 3-8 until I decided to cancel it. Perhaps that was a wrong decision; if so I'll gladly continue the process over tomorrow. In safe mode, I also could not run the ewido software. After 10 min it says there was an error and it didn't open. Here is the error it saved, if that is of any assistance.

I'd also like to add that when I attempt a Panda scan on my computer, it shuts down every time with the error window. Should I try something different?

//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00426DD6 01:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
Module Date: 06/16/2006 09:39:05
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172
Exception Date: 07/01/2006 23:03:23

Registers:
EAX:0012E32C
EBX:01290A58
ECX:0012E344
EDX:1EF50001
ESI:77E3B7C8
EDI:01413004
CS:EIP:001B:00426DD6
SS:ESP:0023:0012E1F8 EBP:0012E38C
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00426DD6 0012E38C 000135B1 0012E3B8 00000000 01290A58 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 000305BC 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E3C159 000205D6 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E3B811 0012E488 000205D6 00000005 00000000 014402C4 0001:0002A811 C:\WINNT\system32\USER32.dll

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
00426DD6 0012E38C 000135B1 0012E3B8 00000000 01290A58 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 000305BC 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E3C159 000205D6 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E3B811 0012E488 000205D6 00000005 00000000 014402C4 UnpackDDElParam+56

Also, I'd like to add my HijackThis log as of now:
Logfile of HijackThis v1.99.1
Scan saved at 12:54:04 AM, on 7/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1133754886\ee\AOLSoftware.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Documents and Settings\hanhn\Local Settings\Application Data\18666005.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133754886\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [18666005.exe] C:\WINNT\system32\18666005.exe
O4 - HKLM\..\Run: [LanzarT2006] "C:\DOCUME~1\hanhn\LOCALS~1\Temp\{66C001FB-434F-47BC-B272-3C16B39219E0}\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\..\..\T2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [18666005.exe] C:\Documents and Settings\hanhn\Local Settings\Application Data\18666005.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Documents and Settings\hanhn\Local Settings\Application Data\18666005.exe: I manually deleted this file in safe mode, and it popped back up. Should I be concerned about this?

Edited by Twixx, 02 July 2006 - 12:54 AM.
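Triage of the HijackThis entries David singled out in reply #2 and of the recurring 18666005.exe autorun in the log above, as an added Python example that is not part of this thread or of HijackThis. The sample lines are constructed from entries quoted in the thread (one long Temp path shortened), and the allow-lists of known Windows autoruns and Winlogon Notify DLLs are assumptions a responder would tune for the machine at hand.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines (O2, O4, O20, O23).

Added example for this thread; it is not code from HijackThis or from the
forum post. The sample log is constructed from entries quoted in the thread,
and the allow-lists are assumptions a responder would tune per machine.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries quoted in the thread (one long Temp path shortened).
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINNT\system32\hp103.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\pciqwq.exe reg_run
O4 - HKLM\..\Run: [18666005.exe] C:\WINNT\system32\18666005.exe
O4 - HKCU\..\Run: [18666005.exe] C:\Documents and Settings\hanhn\Local Settings\Application Data\18666005.exe
O4 - HKLM\..\Run: [LanzarT2006] "C:\DOCUME~1\hanhn\LOCALS~1\Temp\T2006tmp\Install.exe" /SETUP:"/l0x0009"
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winhoq32 - C:\WINNT\SYSTEM32\winhoq32.dll
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

# Assumption: Windows binaries that legitimately autostart from the system
# directory on this platform; anything else found there is queued for review.
KNOWN_SYSTEM_AUTORUNS = {"mobsync.exe", "ctfmon.exe", "rundll32.exe"}
# Assumption: stock Winlogon Notify package DLLs of the Windows 2000/XP era.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


@dataclass
class Finding:
    section: str   # HijackThis section: O2, O4, O20 or O23
    name: str      # BHO name, Run value name, Notify key or service name
    path: str      # image path extracted from the entry
    severity: str  # "high", "review" or "info"
    reason: str


LINE_RE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.+)$")
# Image path: optional leading quote, then the shortest prefix ending in a binary extension.
EXT_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|tmp|bat|com|scr))', re.IGNORECASE)
SYSDIR_RE = re.compile(r"\\WIN(?:NT|DOWS)\\system32\\[^\\]+$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:Temp|Local Settings\\Application Data)\\", re.IGNORECASE)


def image_path(command: str) -> str:
    """Strip arguments and trailing notes ("(file missing)") from a value; return the image path."""
    m = EXT_RE.match(command.strip())
    return m.group("path") if m else command.strip().split(" ")[0]


def triage_line(line: str):
    """Apply the per-section heuristics to one log line; return a Finding or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2":  # Browser Helper Object: name - CLSID - DLL path
        parts = body.split(" - ")
        name, path = parts[0].removeprefix("BHO: "), image_path(parts[-1])
        if path.lower().endswith(".tmp"):
            return Finding(sec, name, path, "high", "BHO loaded from a .tmp file")
    elif sec == "O4":  # Run key entry: [value name] command line
        m4 = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)", body)
        if not m4:
            return None  # Startup-folder .lnk entries are not handled here
        name, path = m4.group("name"), image_path(m4.group("cmd"))
        base = path.rsplit("\\", 1)[-1].lower()
        if re.fullmatch(r"\d+\.exe", base):
            return Finding(sec, name, path, "high", "autorun with purely numeric filename")
        if TEMP_RE.search(path):
            return Finding(sec, name, path, "high", "autorun launched from a Temp or profile data directory")
        if SYSDIR_RE.search(path) and base not in KNOWN_SYSTEM_AUTORUNS:
            return Finding(sec, name, path, "review", "unrecognised binary autostarting from system32")
    elif sec == "O20":  # Winlogon Notify: key name - DLL path
        parts = body.removeprefix("Winlogon Notify: ").split(" - ", 1)
        if len(parts) == 2 and parts[1].rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            return Finding(sec, parts[0], parts[1], "review",
                           "Winlogon Notify DLL not in the Windows allow-list")
    elif sec == "O23" and "(file missing)" in body:  # Service: name - owner - path
        parts = body.removeprefix("Service: ").split(" - ")
        return Finding(sec, parts[0], image_path(parts[-1]), "info",
                       "service points to a missing file (orphaned entry)")
    return None


def triage(log_text: str) -> list:
    """Return the findings for every line of a HijackThis log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:<3} {f.name}: {f.path}  ({f.reason})")
```

Entries David left alone (mobsync.exe, jusched.exe, dmadmin) produce no finding, while the winsync, winhoq32 and hp103.tmp entries he fixed and the reappearing 18666005.exe are surfaced.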


#8 -David-

Posted 02 July 2006 - 03:57 AM

Hey Twixx,

It looks like we are going to have to dig deeper to uncover all this malware. Just note, your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

* Download Combofix to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#9 Twixx

Posted 02 July 2006 - 03:04 PM

Here is the Panda scan log; it finally worked.

Incident Status Location

Adware:adware/afaenhance Not disinfected c:\winnt\system\QBUninstaller.exe
Adware:adware/bookedspace Not disinfected c:\winnt\cfgmgr52.ini
Potentially unwanted tool:application/bestoffer Not disinfected c:\winnt\smdat32a.sys
Adware:adware/addestroyer Not disinfected c:\documents and settings\all users\application data\AdDestroyer
Adware:adware/virtualbouncer Not disinfected c:\documents and settings\all users\application data\VBouncer
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_current_user\software\MyWebSearch
Adware:adware/pacimedia Not disinfected Windows Registry
Adware:adware/ezula Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_local_machine\software\FunWebProducts
Adware:adware/elitebar Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[.xiti.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\7l9nk7v3.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.serving-sys.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.peel.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.statcounter.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\hanhn\Application Data\Mozilla\Firefox\Profiles\x28e3ebt.Andrew\cookies.txt[.mediaplex.com/]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\hanhn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-62ec7c41.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\hanhn\Cookies\hanhn@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\hanhn\Cookies\hanhn@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\hanhn\Cookies\hanhn@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\hanhn\Cookies\hanhn@belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\hanhn\Cookies\hanhn@doubleclick[1].txt


I'll post again about the problem Combofix is encountering. Every time I run it, after fixing supplementary, it leaves my desktop blank. Is it a good idea to turn off other windows or processes such as AIM?

#10 -David-

Posted 03 July 2006 - 12:57 PM

Heya Twixx,
Not sure about the ewido error at all, but let's leave that for now.

Please delete the following files/folders:

c:\winnt\system\QBUninstaller.exe
c:\winnt\cfgmgr52.ini
c:\winnt\smdat32a.sys
c:\documents and settings\all users\application data\AdDestroyer <--folder
c:\documents and settings\all users\application data\VBouncer <--folder

Please open Notepad and copy and paste the following (bold) text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\MyWebSearch]

[-HKEY_LOCAL_MACHINE\software\FunWebProducts ]

Save this as "fix.reg" (choose to save as *all files*) and place it on your desktop.
It should look like this: (image)
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
I want you to try and run Combofix again; it might be an idea to end all unnecessary running processes beforehand. However, note that it is perfectly normal for the desktop to disappear, and you might just have to wait that little bit longer, as it can take quite a long time.

Please try again with the combofix and post its log and a new Hijackthis log.
David
