
Winstall.exe + Ann.exe


  • This topic is locked
43 replies to this topic

#1 draven
  • Members
  • 136 posts
  • Location:England

Posted 10 September 2006 - 04:25 PM

Hello,

For the past two days I've been trying to get rid of two pieces of spyware located in the C: drive. They are:

1. ann.exe

2. winstall.exe

Every time I connect to the internet there is a little round red icon with a white X in it in the taskbar, saying "your computer is infected", and then both .exes listed above try to get through my firewall.

I have used Ad-aware, SmitfraudFix and Ewido and still have the problem; more info in this post: http://www.bleepingcomputer.com/forums/t/64873/your-computer-is-infecting/

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 22:16:21, on 10/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\ntsystem.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\winstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\ann.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [dmdnw.exe] C:\WINDOWS\System32\dmdnw.exe
O4 - HKLM\..\Run: [jbawq.exe] C:\WINDOWS\System32\jbawq.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\System32\idemlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Win32 Classes -
O17 - HKLM\System\CCS\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4256B8-B4C0-4059-848E-014B63589AC6}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D894D57-74BE-464B-9B6A-489F1C516E5E}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDA7E1E-100D-41BB-812B-C5FB4DDF1A52}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D8897F-1E89-468B-8341-90A5C36CD5E2}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5C81B48-5B97-4293-8865-513D82239D34}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited by draven, 11 September 2006 - 08:47 AM.
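The log above shows two things worth checking by machine rather than by eye: every O17 entry (each adapter GUID, the Tcpip\Parameters key, and the CCS, CS1 and CS2 control sets) sets the DNS resolvers to 85.255.114.43 and 85.255.112.165, and both C:\winstall.exe and C:\ann.exe run from the root of the drive and are re-launched from an HKCU Run entry. The following script is an added example for this thread; it is not HijackThis code and was not posted by anyone in it. It parses HijackThis 1.99.1 log lines, flags any resolver that is neither a private/loopback address nor on a trusted list, and flags Run entries and running processes whose executable sits directly under a drive root. The sample lines are copied from the log above; the TRUSTED_RESOLVERS set is an assumed placeholder that an operator would replace with their ISP's or network's resolvers.

```python
"""Triage a HijackThis 1.99.1 log for DNS-resolver hijacking (O17 lines) and
for autostarts/processes that run an executable from a drive root.

Added example for this thread; not HijackThis code and not from any poster.
SAMPLE_LOG lines are copied from the log posted above. TRUSTED_RESOLVERS is an
assumed placeholder: put your ISP's or network's resolvers there.
"""
import re
from ipaddress import ip_address

# Assumption: resolvers the operator considers legitimate. Private, loopback
# and link-local addresses are always accepted; any other address must be
# listed here or it is flagged.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# Lines copied from the HijackThis log in post #1 (abridged).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\winstall.exe
C:\ann.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmdnw.exe] C:\WINDOWS\System32\dmdnw.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
"""

# O17 - HKLM\System\<control set>\Services\Tcpip\...: NameServer = <list>
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>.+)$")
# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An executable directly under a drive root, e.g. C:\winstall.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def split_nameservers(value):
    """HijackThis prints the registry value verbatim; the log above uses both
    comma- and space-separated lists, so accept either."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def _is_local(addr):
    ip = ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Return {resolver: [registry keys that set it]} for untrusted resolvers."""
    hits = {}
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in split_nameservers(m.group("servers")):
            try:
                if _is_local(server) or server in trusted:
                    continue
            except ValueError:
                pass  # not an IP literal at all; report it
            hits.setdefault(server, []).append(m.group("key"))
    return hits


def _executable_of(cmd):
    """First token of a Run command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def root_autostarts(lines):
    """Return (hive, value name, path) for Run entries whose target is in a drive root."""
    out = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            exe = _executable_of(m.group("cmd"))
            if ROOT_EXE_RE.match(exe):
                out.append((m.group("hive"), m.group("name"), exe))
    return out


def root_processes(lines):
    """Return 'Running processes' entries that live directly under a drive root."""
    return [l.strip() for l in lines if ROOT_EXE_RE.match(l.strip())]


def triage(log_text):
    lines = log_text.splitlines()
    return {
        "resolvers": suspicious_resolvers(lines),
        "root_autostarts": root_autostarts(lines),
        "root_processes": root_processes(lines),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```

Run against the full log above, the resolver check reports the same two addresses under every adapter GUID and under the Tcpip\Parameters key of CCS, CS1 and CS2; the script lists each key so a fix can be verified in all of them rather than only in the current control set. The root-path check is deliberately narrow (it ignores the randomly named System32 entries such as dmdnw.exe and jbawq.exe) so that its hits need no allowlist; those System32 entries still have to be reviewed by hand.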



#2 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 12 September 2006 - 07:40 AM

Welcome to Bleeping Computer, draven.

I am currently analysing your log and will post back a fix for you ASAP. Thanks :thumbsup:

Olivier

#3 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 12 September 2006 - 09:33 AM

Hi draven,

* You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

* We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here
Apply the update, reboot, and post a fresh HijackThis log.

Olivier

#4 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 13 September 2006 - 11:40 AM

Hello Stonangel,

Thanks for your replies.

Which anti-virus is best out of the four?

Also, should I run the anti-virus first, or download the service pack?

thanks

#5 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 14 September 2006 - 03:32 AM

Hi draven,

I would suggest first downloading and running Antivir, then applying Service Pack 1a.

Olivier

#6 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 14 September 2006 - 08:35 AM

Hey Stonangel,

Is there a direct link to download Service Pack 1a?

Edited by draven, 14 September 2006 - 08:35 AM.


#7 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 14 September 2006 - 08:48 AM

Hi draven,

You can find it here:
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Olivier

#8 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 14 September 2006 - 08:51 AM

Is Antivir the best anti-virus out of the four?

#9 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 14 September 2006 - 09:26 AM

It's just a suggestion...

You can choose :thumbsup:

Olivier

#10 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 16 September 2006 - 09:57 AM

Hey,

With Service Pack 1a, it says it includes Internet Explorer 6 1a. If I update Windows, will my internet options stay the same?

#11 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 16 September 2006 - 01:18 PM

I ran AVG; it deleted winstall.exe and ann.exe and 36 other files after an hour-long scan.

I reset my computer and connected to the internet, and they came back again. The spyware and anti-virus software I used picks them up, and they still come back.

What else can I do to get rid of them?

thanks

#12 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 16 September 2006 - 01:40 PM

Hi draven,

Could you post back a fresh HijackThis log, please?

Olivier

#13 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 16 September 2006 - 04:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:10:22, on 16/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\ann.exe
C:\winstall.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [dmdnw.exe] C:\WINDOWS\System32\dmdnw.exe
O4 - HKLM\..\Run: [jbawq.exe] C:\WINDOWS\System32\jbawq.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\System32\idemlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: Win32 Classes -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158429433242
O17 - HKLM\System\CCS\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4256B8-B4C0-4059-848E-014B63589AC6}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D894D57-74BE-464B-9B6A-489F1C516E5E}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDA7E1E-100D-41BB-812B-C5FB4DDF1A52}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D8897F-1E89-468B-8341-90A5C36CD5E2}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5C81B48-5B97-4293-8865-513D82239D34}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O17 - HKLM\System\CS2\Services\Tcpip\..\{00189302-1B99-42F4-9AE0-5EC67C4B3F44}: NameServer = 85.255.114.43,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.43 85.255.112.165
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#14 stonangel
  • Members
  • 595 posts
  • Location:France

Posted 17 September 2006 - 03:33 AM

Hi draven,

* Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.


Olivier

#15 draven
  • Topic Starter
  • Members
  • 136 posts
  • Location:England

Posted 17 September 2006 - 05:32 AM

Hello,

I don't see how updating Windows will help delete these Trojan horses from my computer. They have been on here for a week.

I've tried anti-spyware (Ewido and AVG, both made by the same company); they quarantined/deleted them and they came back. I've also tried other removal tools.

I haven't used a program called Killbox yet. Will that work?

Edited by draven, 17 September 2006 - 05:34 AM.
