Just Got Infected From Packetnews.com



#1 hsdpcrepair (Members, 10 posts)

Posted 27 July 2006 - 01:02 PM

Just got infected from packetnews.com. (DO NOT GO TO THAT SITE UNLESS U WANT A VIRUS!) I cannot get rid of this stuff and my Spybot TeaTimer is going nuts! Please help!

Ewido found: Downloader.Qoologic.bj, Adware.PurityScan [Cannot delete or quarantine]
Norton found: pre.exe, pre[1].exe, Nodeipproc.dll [Delete Successful]
Spybot Tea Timer found: UserInit, Shell [keeps blocking]
Adaware + Ewido found: rawri.exe, Downloader.Dyfuca.ey, Downloader.VB.Bo, Adware.NetNucleus.

Logfile of HijackThis v1.99.1
Scan saved at 1:00:52 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Internet Explorer\iexplore.exe
G:\mIRC\mirc.exe
C:\Documents and Settings\HSD\Local Settings\Temporary Internet Files\Content.IE5\K9A3OTMN\VundoFix[1].exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HSD\LOCALS~1\Temp\Rar$EX00.547\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rawri.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cvevsbk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thu 07/27/2006
Running from: C:\FindQool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names
C:\WINDOWS\SYSTEM32\DMONWV.DLL
C:\WINDOWS\UNWN.EXE

MD5 Check....
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\gouqt.dat
C:\WINDOWS\system32\cvevsbk.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\CVEVSBK.EXE
C:\WINDOWS\SYSTEM32\GOUQT.DAT
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\TXROO.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
07/27/2006 12:31 PM 127,488 txroo.exe
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"aikfht"="C:\\WINDOWS\\system32\\bqgniv.exe reg_run"
HKCU
"wfrgj"="C:\\WINDOWS\\system32\\bqgniv.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\rawri.exe
userinit REG_SZ C:\WINDOWS\system32\userinit.exe,cvevsbk.exe
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 17/05/2006


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:51:46 PM 7/27/2006

+ Scan result:



C:\WINDOWS\system32\nsd370.dll -> Adware.Ezula : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\mirar.exe -> Adware.NetNucleus : Cleaned with backup (quarantined).
C:\WINDOWS\system32\scanregw.dl$ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1024] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[1196] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[1324] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[1460] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[392] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[440] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[452] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[624] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[644] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[732] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[792] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[856] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[928] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
[988] C:\WINDOWS\system32\scanregw.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\webhdll.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\whInstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\WINDOWS\pss\txroo.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__b_q_g_n_i_v_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__h_x_f_n_y_e_v_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__r_a_w_r_i_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gouqt.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1004] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[128] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1676] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1804] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1828] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[1948] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3080] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3352] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[3360] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[336] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
[344] C:\WINDOWS\system32\hxfnyev.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).


::Report end

Edited by hsdpcrepair, 27 July 2006 - 01:53 PM.
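The F2 lines (Winlogon Shell and UserInit), the O10 Winsock entries, the O15 Trusted Zone sites and the O20 AppInit_DLLs line in the HijackThis log above are the entries a helper reads first, and the FindQool report re-checks the same two Winlogon values straight from the registry. The script below is an added example for this thread, not a BleepingComputer, HijackThis or FindQool tool: it parses lines in the HijackThis format and flags those entries. Its embedded sample log is a constructed subset of the lines posted above; the known-good Shell and UserInit values are the Windows XP defaults, and the "runs from a temp directory" rule for O4 entries is this example's own heuristic.

```python
"""Added triage helper for HijackThis-style log lines (example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Windows XP defaults for the two Winlogon values. Anything extra in these
# comma-separated lists is started at every logon, which is how rawri.exe and
# cvevsbk.exe in the log above keep coming back after a reboot.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a subset of the log lines posted above, same format.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rawri.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cvevsbk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section tag such as "F2", "O4", "R1".
LINE_RE = re.compile(r"^([FORN]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "F2" or "O15"
    reason: str    # why the line deserves a look
    line: str      # the original log line


def _csv(value: str) -> List[str]:
    """Winlogon Shell/UserInit hold comma-separated lists of programs."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _check_f2(rest: str) -> Optional[str]:
    # rest looks like: REG:system.ini: Shell=Explorer.exe, C:\...\rawri.exe
    _, _, assignment = rest.partition(": ")
    key, _, value = assignment.partition("=")
    expected = {"shell": DEFAULT_SHELL, "userinit": DEFAULT_USERINIT}.get(key.lower())
    if expected is None:
        return None
    extra = [e for e in _csv(value) if e.lower() != expected]
    return f"Winlogon {key} also launches: {', '.join(extra)}" if extra else None


def _check_o4(rest: str) -> Optional[str]:
    # Heuristic of this example: autostarts living in a temp directory are suspect.
    low = rest.lower()
    if "\\temp\\" in low or "temporary internet files" in low:
        return "Run entry executes from a temporary directory"
    return None


def _check_o10(rest: str) -> Optional[str]:
    # An O10 line means a third-party Winsock LSP sits in the TCP/IP stack.
    return "Winsock LSP hijacked; all network traffic passes through it" if rest.startswith("Hijacked") else None


def _check_o15(rest: str) -> Optional[str]:
    # Sites in the IE Trusted Zone run with relaxed browser security; XP ships with none.
    if not rest.startswith("Trusted Zone"):
        return None
    return "Site added to IE Trusted Zone: " + rest.split(":", 1)[1].strip()


def _check_o20(rest: str) -> Optional[str]:
    # AppInit_DLLs is injected into every user-mode process that loads user32.dll,
    # which is why ewido could not clean scanregw.dll while those processes ran.
    return "AppInit_DLLs loads a DLL into every user-mode process" if rest.startswith("AppInit_DLLs") else None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "F2": _check_f2, "O4": _check_o4, "O10": _check_o10, "O15": _check_o15, "O20": _check_o20,
}


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that indicate persistence or weakened security, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue            # process list, headers and blank lines are skipped
        section, rest = m.groups()
        check = CHECKS.get(section)
        reason = check(rest) if check else None
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample it reports both Winlogon additions (rawri.exe and cvevsbk.exe), the WebHancer LSP, the getmirar.com Trusted Zone entry and the scanregw.dll AppInit_DLLs entry, and stays quiet on the Adobe BHO, the Symantec Run entry and service, and the NavLogon Winlogon Notify line. Known-good entries are identified by comparing against defaults rather than by file name, so a renamed copy of Explorer.exe in the Shell value would still be flagged.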


#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 28 July 2006 - 06:34 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
It looks like you are taking the right steps.

Before we can get started on fixing your problem you must change the location of HijackThis. It should not run from a temp directory.
  • Download and run the HijackThis autoinstall program
  • Please choose the default location of C:\Program Files as the destination.
  • Run the program only from that location from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 15 August 2006 - 08:27 AM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.