Redirection Pop-up


6 replies to this topic

#1 Guest_paulpaco_*

Guest_paulpaco_*

  • Guests

Posted 18 October 2006 - 05:32 AM

Hi

Just recently I keep getting a pop-up that says the following: "You are about to be redirected to a new internet site. Any information you exchanged with the current site could be retransmitted to the new internet site you are about to connect with. Do you wish to continue?" Sometimes I need to hit the "no" button 3 times to get rid of it. It appears sometimes when I am not actively accessing the internet, although I am on broadband and have McAfee VShield on.

I have run Spybot, Adaware and Stinger but still get it. Any ideas?

Thanks and regards to anyone that can help.

Paul

Copy of HijackThis log below:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:44, on 18/10/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINNT\system\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\pcooper\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.co.uk/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ergonitsbs01:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [msserv] C:\WINNT\System32\lvsrev.exe
O4 - HKLM\..\Run: [useful-soft] C:\WINNT\System32\winspsrv.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\System32\kernels8.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0461ab4b049425...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147879320233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://ocdemo4.webex.com/client/latest/support/ieatgpc.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe



#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 October 2006 - 06:22 AM

Hi paulpaco, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 October 2006 - 10:59 AM

Hi paulpaco, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Your log shows the very dangerous Troj/Bckdr-QF is present on your computer!

This worm also has backdoor functionalities. It processes the commands on the local machine giving remote users virtual control over the infected system.
It is possible that the remote attacker has added multiple backdoors and/or accounts or even rooted the computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

2. Unfortunately I see no firewall in your running processes, which probably means that you have none. I urge you to install one since it's your first defense against malware. There are several good free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

3. Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

4. Run HijackThis, click Scan and checkmark the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [msserv] C:\WINNT\System32\lvsrev.exe
O4 - HKLM\..\Run: [useful-soft] C:\WINNT\System32\winspsrv.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\System32\kernels8.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0461ab4b049425...ip/RdxIE601.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe


Do you know what this is?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ergonitsbs01:80

If not checkmark the entry as well.

O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h

Spyware Nuker was a "spyware removal program" by TrekBlue and was previously found to be of dubious repute. Be aware that there are very good alternatives. If you want to keep it, make sure you have the latest version. If you don't, checkmark the entry.

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Download ATF Cleaner by Atribune. Do not run it yet.

6. Make sure you can view all files. Click Start > My Computer > Tools > Folder Options > View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" > Apply, then OK.

7. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

8. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folder in bold if listed:

C:\Program Files\Spyware Nuker << If you agreed!

.......... and files in bold if listed:

C:\WINNT\System32\lvsrev.exe
C:\WINNT\System32\winspsrv.exe
C:\WINNT\System32\kernels8.exe
C:\WINNT\system\ctfmon.exe << Don't delete the legit ctfmon.exe in the system32 folder.

Let me know if you had problems with this step.

9. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

10. Reboot to go back into Normal mode.

11. Perform an online scan with Panda (please use this scanner instead of any other scanner!): Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report together with the Smitfraud report and a fresh HijackThis log.
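A small triage script for the kinds of HijackThis entries acted on in this reply. It is an added example, not part of the thread and not code from the HijackThis tool: it parses R1/O4/O16 lines and flags the structural red flags seen above (the legacy RunServices key, a system binary such as ctfmon.exe living outside system32, an ActiveX/DPF download from a bare IP address or of a raw .exe, and a ProxyServer setting to confirm with the user). The sample log is constructed from lines on the page; the check functions and the SYSTEM32_ONLY list are my own assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a few of its R1/O4/O16 lines, including the ones the helper asked to fix).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ergonitsbs01:80
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [msserv] C:\WINNT\System32\lvsrev.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\System32\kernels8.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba2218.exe
"""

# Line shapes as HijackThis 1.99 prints them (assumed from the log above).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
PROXY_RE = re.compile(r"^R1 - .*,ProxyServer = (?P<proxy>\S+)$")

# Windows binaries that legitimately live only under system32; a same-named copy
# elsewhere (the page's C:\WINNT\system\ctfmon.exe) is name impersonation.
# Assumed allow-list; extend it for your own baseline.
SYSTEM32_ONLY = {"ctfmon.exe"}


def _exe_path(cmd):
    """Return the executable part of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Keep paths containing spaces, drop trailing switches such as "/h" or "/logon".
    m = re.match(r"^(.*?\.(?:exe|com|scr|dll|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_o4(m):
    """Autorun entry checks; returns (severity, reason) pairs."""
    out = []
    parts = _exe_path(m["cmd"]).lower().replace("/", "\\").split("\\")
    base = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    if m["key"].lower() == "runservices":
        out.append(("fix", "RunServices is a legacy Windows 9x/ME autorun key; "
                           "nothing legitimate on Windows 2000 should register there"))
    if base in SYSTEM32_ONLY and parent != "system32":
        out.append(("fix", f"{base} belongs in system32 but was found in \\{parent}\\"))
    return out


def check_o16(m):
    """ActiveX (Downloaded Program Files) checks; returns (severity, reason) pairs."""
    out = []
    u = urlparse(m["url"])
    host = u.hostname or ""
    try:
        ip_address(host)
        out.append(("fix", f"ActiveX download from a bare IP address ({host}) rather than a vendor host"))
    except ValueError:
        pass
    if u.path.lower().endswith(".exe"):
        out.append(("fix", "DPF entry fetches a raw .exe; ActiveX installers are normally .cab/.ocx"))
    if not m["desc"]:
        out.append(("review", "no friendly class name is registered for this CLSID; identify the control"))
    return out


def triage(log_text):
    """Return (severity, log line, reason) triples for entries worth attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            findings += [(sev, line, why) for sev, why in check_o4(m)]
        elif (m := O16_RE.match(line)):
            findings += [(sev, line, why) for sev, why in check_o16(m)]
        elif (m := PROXY_RE.match(line)):
            findings.append(("review", line,
                             f"proxy set to {m['proxy']}: confirm it is your own network's proxy"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}\n    {reason}")
```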

#4 Guest_paulpaco_*

Guest_paulpaco_*

  • Guests

Posted 25 October 2006 - 08:24 AM

Falu

Thanks very much for your help. I have followed your guidance and the output is below. I could not see the entry for kernels8.exe in the HijackThis log. The ergonitsbs01:80 I know about and it's OK. :thumbsup:

So the o/p in the order you requested:

Panda Scan


Incident Status Location

Spyware:Cookie/7search Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@7search[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@adultfriendfinder[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@adviva[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@anm.co[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@c.goclick[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@clickbank[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@findwhat[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\pcooper\Cookies\pcooper@overture[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\pcooper\Desktop\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\pcooper\Desktop\SmitfraudFix\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\pcooper\Desktop\Smitfraudfix1\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\pcooper\Desktop\Smitfraudfix1\SmitfraudFix.zip[SmitfraudFix/swsc.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\pcooper\My Documents\anitvrus and anitspyware stuff\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\pcooper\My Documents\anitvrus and anitspyware stuff\smitRem.exe[smitRem/Process.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe[wfalls.exe][BSAVEINST.EXE]
Adware:Adware/SpySheriff Not disinfected C:\lo-1261453213.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Roguescanfix\Process.exe
Adware:adware/adsmart Not disinfected C:\t.inx
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Virus:Trj/Qhost.EX Disinfected C:\WINNT\system32\drivers\etc\hosts.20060822-170747.backup
Virus:Trj/Qhost.EX Disinfected C:\WINNT\system32\drivers\etc\hosts.20060823-095615.backup
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINNT\system32\f3PSSavr.scr
Adware:Adware/SecurityError Not disinfected C:\WINNT\system32\ldFF7473
Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\system32\Process.exe
Adware:Adware/SpySheriff Not disinfected C:\WINNT\system32\slx.exet
Possible Virus. Not disinfected C:\WINNT\system32\swsc.exe
Adware:Adware/Startpage.AVF Not disinfected C:\WINNT\system32\winspsrv.exe


Smitfraud Report

SmitFraudFix v2.113

Scan done at 11:05:35.06, Wed 25/10/2006
Run from C:\Documents and Settings\pcooper\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{203B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\bre.dll Deleted
C:\WINNT\system32\bre32.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 14:02:44, on 25/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\pcooper\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.co.uk/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ergonitsbs01:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147879320233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161180601855
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://ocdemo4.webex.com/client/latest/support/ieatgpc.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Thanks again

regards

Paul

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 October 2006 - 02:54 PM

Hi paulpaco, :thumbsup:

Thanks very much for your help.


You're very welcome.

1. Unfortunately I still don't see a firewall. Please remember it's your first defense against malware. See my previous post for good but free programmes and a manual.

It's best to print/save these instructions since you're going into safe mode and will not be able then to read these instructions.

2. I assume you still have Hidden files disabled (which means that you can view all files). Reboot into safe mode and using Windows Explorer, please delete the following folder in bold if listed:

C:\WINNT\system32\ldFF7473

.... and files in bold if listed:

C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe
C:\lo-1261453213.exe
C:\t.inx
C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.15.inf
C:\WINNT\system32\f3PSSavr.scr
C:\WINNT\system32\Process.exe
C:\WINNT\system32\slx.exe
C:\WINNT\system32\slx.exet
C:\WINNT\system32\swsc.exe
C:\WINNT\system32\winspsrv.exe

Let me know if you had problems with this step.

3. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

Then please restart your system into Normal Windows.

4. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report along with a fresh HijackThis log and let me know how things are running now.

#6 Guest_paulpaco_*

Guest_paulpaco_*

  • Guests

Posted 26 October 2006 - 07:09 AM

Falu

Thanks for your continuing support. I have completed the tasks in your instructions and the o/p is listed below. I have a network of 3 computers with a firewall attached to the router although as you say there is no firewall actually on this box.

I deleted most of the files you listed, but the following files were not found:
C:\WINNT\Downloaed Program Files\f3initialsetup1.0.0.15.inf
C:\WINNTsystem32\six.exe
C:\WINNTsystem32\six.exet

swsc.exe was also in C:\Documents and Settings\pcooper\Desktop\Smitfraudfix but I didn't delete that. Should I have done?

The o/p logs from Kaspersky and HJT are below

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 12:52:12 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235083
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 37220
Number of viruses found: 8
Number of infected objects: 16 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:46:55

Infected Object Name / Virus Name / Last Action
C:\CV Catalog\catalog.wci\00000002.ps1 Object is locked skipped
C:\CV Catalog\catalog.wci\00000002.ps2 Object is locked skipped
C:\CV Catalog\catalog.wci\00010003.ci Object is locked skipped
C:\CV Catalog\catalog.wci\cicat.fid Object is locked skipped
C:\CV Catalog\catalog.wci\cicat.hsh Object is locked skipped
C:\CV Catalog\catalog.wci\CiCL0001.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiP10000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiP20000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiPT0000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiSL0001.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiSP0000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiST0000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\CiVP0000.000 Object is locked skipped
C:\CV Catalog\catalog.wci\INDEX.000 Object is locked skipped
C:\CV Catalog\catalog.wci\propstor.bk1 Object is locked skipped
C:\CV Catalog\catalog.wci\propstor.bk2 Object is locked skipped
C:\Documents and Settings\atrim.ERGONIT\Local Settings\Application Data\Microsoft\Outlook\Outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/24 Mar 2004 09:18 from mark@recruit121.com:Forum notify/Message.zip/vgtlwkte.exe Infected: Email-Worm.Win32.Bagle.n skipped
C:\Documents and Settings\atrim.ERGONIT\Local Settings\Application Data\Microsoft\Outlook\Outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/24 Mar 2004 09:18 from mark@recruit121.com:Forum notify/Message.zip Infected: Email-Worm.Win32.Bagle.n skipped
C:\Documents and Settings\atrim.ERGONIT\Local Settings\Application Data\Microsoft\Outlook\Outlook.ost Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\pcooper\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\pcooper\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\pcooper\Desktop\Smitfraudfix1\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\pcooper\Desktop\Smitfraudfix1\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\pcooper\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\pcooper\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\pcooper\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pcooper\Local Settings\History\History.IE5\MSHist012006102620061027\index.dat Object is locked skipped
C:\Documents and Settings\pcooper\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe/wfalls.exe/BSAVEINST.EXE/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe/wfalls.exe/BSAVEINST.EXE/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe/wfalls.exe/BSAVEINST.EXE/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe/wfalls.exe/BSAVEINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe/wfalls.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\pcooper\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\pcooper\ntuser.dat.LOG Object is locked skipped
C:\spin.old.exe Infected: not-virus:BadJoke.Win32.Train skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\CSC\00000002 Object is locked skipped
C:\WINNT\CSC\00000003 Object is locked skipped
C:\WINNT\CSC\d1\00000048 Object is locked skipped
C:\WINNT\CSC\d1\000000D0 Object is locked skipped
C:\WINNT\CSC\d2\00000011 Object is locked skipped
C:\WINNT\CSC\d3\00000012 Object is locked skipped
C:\WINNT\CSC\d4\0000001B Object is locked skipped
C:\WINNT\CSC\d4\000000D3 Object is locked skipped
C:\WINNT\CSC\d4\800001F3 Object is locked skipped
C:\WINNT\CSC\d8\0000009F Object is locked skipped
C:\WINNT\CSC\d8\000000AF Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx.b skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{817753DC-93F6-4107-B13B-0B1F1179EB3A}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\IExplore.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\divx.dll Infected: Trojan-Downloader.Win32.PassAlert.v skipped
C:\WINNT\system32\slx.exet Infected: Trojan-Downloader.Win32.Tibs.hz skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 12:53:53, on 26/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\pcooper\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.co.uk/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ergonitsbs01:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147879320233
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161180601855
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://ocdemo4.webex.com/client/latest/support/ieatgpc.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

thanks and regards

Paul

#7 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 October 2006 - 02:15 PM

Hi paulpaco, :thumbsup:

Thanks for your continuing support.


You're very welcome.

1.

I deleted most of the files you listed, but the following files were not found:
C:\WINNTsystem32\six.exe
C:\WINNTsystem32\six.exet


Maybe it's just a typo but you should have looked for: C:\WINNTsystem32\slx.exe and C:\WINNTsystem32\slx.exet. But it still shows in the kaspersky report so I will instruct to delete it again.

2.

swsc.exe was also in C:\Documents and Settings\pcooper\Desktop\Smitfraudfix but I didn't delete that. Should I have done?


Yes you may though it's harmless since it has been put in there by the Smitfraud-tool.

3. Download KillBox from here: KillBox

Unzip the folder to your desktop.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Documents and Settings\atrim.ERGONIT\Local Settings\Application Data\Microsoft\Outlook\Outlook.ost
C:\Documents and Settings\pcooper\My Documents\My Pictures\wfallsfree.exe
C:\spin.old.exe
C:\WINNT\Downloaded Program Files\ieatgpc.dll
C:\WINNT\system32\divx.dll
C:\WINNTsystem32\six.exe
C:\WINNT\system32\slx.exet


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

4. Run one more Kaspersky scan and post the kaspersky report to check for any leftovers.



