
Infected With Virusbursters And Many Others


4 replies to this topic

#1 kingdavies

  • Members
  • 2 posts

Posted 02 December 2006 - 01:39 PM

My computer has been infected with VirusBursters and many other spyware, as indicated in the title. I have followed the guide on how to remove VirusBursters, run the automated SmitFraudFix and removed everything found. As well as that I also had ipwins.exe, SwiftFraud, Toolbar888, and a trojan called Yazzle something. I have also run VundoFix and found about 5 infected DLLs, all of which have been fixed, and have run a usual anti-spyware scan (Spybot Search & Destroy) as well as an anti-virus scan (AVG Free Edition). Everything seems to be OK at the moment; I just wanted to make sure I had got everything.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 18:18:17, on 02/12/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\msdtc.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\tcpsvcs.exe
H:\Program Files\VertrigoServ\apache\bin\apache.exe
H:\Program Files\VertrigoServ\mysql\bin\mysqld.exe
H:\Program Files\RealVNC\VNC4\WinVNC4.exe
H:\Program Files\VertrigoServ\apache\bin\apache.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\Dfssvc.exe
H:\WINDOWS\system32\ntfrs.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\Program Files\Common Files\{8015320E-081F-2057-0802-04092805002c}\Update.exe
H:\WINDOWS\system32\ctfmon.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\alg.exe
H:\WINDOWS\system32\wbem\wmiprvse.exe
H:\WINDOWS\system32\wbem\wmiprvse.exe
H:\Documents and Settings\Administrator.SERVER01\Desktop\hijackthis\HijackThis.exe
H:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - H:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] H:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyclosoftware.org
O17 - HKLM\Software\..\Telephony: DomainName = cyclosoftware.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6A6D14-348D-41B4-A3E4-6D99F4184B6A}: NameServer = 192.168.1.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9620BAD-A91F-4A40-8982-2CB3AE289689}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyclosoftware.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A6A6D14-348D-41B4-A3E4-6D99F4184B6A}: NameServer = 192.168.1.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - H:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Vertrigo_Apache - Unknown owner - H:\Program Files\VertrigoServ\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Vertrigo_MySQL - Unknown owner - H:\Program Files\VertrigoServ\mysql\bin\mysqld.exe" Vertrigo_MySQL (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - H:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Please help!
thanks
Kingdavies

P.S. Some programs won't work (ComboFix) as I am running Windows Server 2003.


#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 December 2006 - 02:26 PM

Hi kingdavies, :flowers:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 December 2006 - 05:51 PM

Hi kingdavies, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Unfortunately I see no firewall in your running processes, which probably means that you have none. I urge you to install one, since it's your first defense against malware. There are several good free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

2. Go to your HijackThis folder present in your Program Files, rename HijackThis.exe to Analyse.exe and then reboot.
After reboot, run Analyse.exe (which is HijackThis, of course) and post the log it creates in your next reply.

3. You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 5.0 Update 10). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then download and install the newest version from here:

    Java Runtime Environment (JRE) 5.0 Update 10

Please post a fresh HijackThis log.

#4 kingdavies

  • Topic Starter
  • Members
  • 2 posts

Posted 02 December 2006 - 06:12 PM

In response to your first point, there is no real need for me to have a third-party firewall installed, which will take up system resources, when I am behind a Cisco hardware firewall and no ports are forwarded to the machine; but as an extra security measure I already have the Windows firewall enabled, which combined with the Cisco router should be more than enough.

Java was installed back in the old days when I used to use this computer as my main machine; now that it is just a file server and intranet server there is no need for it to be installed, so I have just uninstalled it for good.

Here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 23:08:11, on 02/12/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\tcpsvcs.exe
H:\Program Files\VertrigoServ\apache\bin\apache.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\VertrigoServ\mysql\bin\mysqld.exe
H:\Program Files\VertrigoServ\apache\bin\apache.exe
H:\Program Files\RealVNC\VNC4\WinVNC4.exe
H:\WINDOWS\system32\Dfssvc.exe
H:\WINDOWS\system32\ntfrs.exe
H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
H:\WINDOWS\system32\RunDLL32.exe
H:\Program Files\Common Files\{8015320E-081F-2057-0802-04092805002c}\Update.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\removal\hijackthis\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AE0F864-493E-4FB8-9CD9-0EDDAF177EDA} - H:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {0E048C95-3D2A-9C43-A01C-05D66D30AF26} - H:\WINDOWS\system32\lknghth.dll
O2 - BHO: (no name) - {25324237-4611-4B8F-8ACF-46095BB3CF2E} - H:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - H:\WINDOWS\system32\qoyvqxai.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - H:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {70B9D5DE-1B8E-21AF-7DC0-083BD02B1700} - H:\WINDOWS\system32\eyoazb.dll
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - H:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] H:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [AVG7_CC] H:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyclosoftware.org
O17 - HKLM\Software\..\Telephony: DomainName = cyclosoftware.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6A6D14-348D-41B4-A3E4-6D99F4184B6A}: NameServer = 192.168.1.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9620BAD-A91F-4A40-8982-2CB3AE289689}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyclosoftware.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A6A6D14-348D-41B4-A3E4-6D99F4184B6A}: NameServer = 192.168.1.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - H:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - H:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: pmnlk - H:\WINDOWS\system32\pmnlk.dll
O20 - Winlogon Notify: WBSrv - H:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Vertrigo_Apache - Unknown owner - H:\Program Files\VertrigoServ\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Vertrigo_MySQL - Unknown owner - H:\Program Files\VertrigoServ\mysql\bin\mysqld.exe" Vertrigo_MySQL (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - H:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
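The second log above is the one that leads to the VundoFix and SmitfraudFix instructions in the next reply. As an added example (not part of the thread and not a HijackThis feature), the script below parses HijackThis-style lines and applies three triage heuristics that a responder reading such a log by hand would apply: an O2 BHO registered with "(no name)" whose DLL sits directly in the Windows system32 directory, a DLL that is registered both as an O2 BHO and as an O20 Winlogon Notify handler (pmnlk.dll in this log), and any entry marked "(file missing)", which is a leftover registration rather than a live component. The sample lines are copied from the log posted above; the regexes and the heuristics themselves are my assumptions and produce a triage list, not a verdict.

```python
"""Heuristic triage of HijackThis 1.99-style log lines (added example, not HijackThis code)."""
import json
import re

# Lines copied from the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AE0F864-493E-4FB8-9CD9-0EDDAF177EDA} - H:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {0E048C95-3D2A-9C43-A01C-05D66D30AF26} - H:\WINDOWS\system32\lknghth.dll
O2 - BHO: (no name) - {25324237-4611-4B8F-8ACF-46095BB3CF2E} - H:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - H:\WINDOWS\system32\qoyvqxai.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - H:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {70B9D5DE-1B8E-21AF-7DC0-083BD02B1700} - H:\WINDOWS\system32\eyoazb.dll
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - H:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O20 - Winlogon Notify: dimsntfy - H:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: pmnlk - H:\WINDOWS\system32\pmnlk.dll
O20 - Winlogon Notify: WBSrv - H:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - H:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Regexes are assumptions about the HijackThis line layout shown above.
LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
MISSING = " (file missing)"


def basename(path: str) -> str:
    """Lower-cased file name of a path as HijackThis prints it.

    Service lines carry the raw registry value, so a path may be followed by a
    stray quote and arguments; keep only the part before the first quote.
    """
    path = path.split('"')[0].strip()
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> dict:
    """Return a dict of heuristic findings keyed by rule name."""
    findings = {
        "unnamed_bho_in_system32": [],   # "(no name)" BHO loaded straight from system32
        "bho_also_winlogon_notify": [],  # same DLL hooked as BHO and as Winlogon Notify
        "orphaned_entries": [],          # registrations whose file is gone
    }
    bho_dlls, notify_dlls = {}, {}

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")

        if body.endswith(MISSING):
            body = body[: -len(MISSING)]
            findings["orphaned_entries"].append(raw.strip())

        if sect == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            name, path = b.group("name"), b.group("path")
            bho_dlls[basename(path)] = path
            if name == "(no name)" and SYSTEM_DIR_RE.search(path):
                findings["unnamed_bho_in_system32"].append(basename(path))
        elif sect == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                notify_dlls[basename(n.group("path"))] = n.group("path")

    # A DLL that is both a BHO and a Winlogon Notify handler survives IE being
    # closed and reloads at logon; that pairing is worth a closer look.
    for dll in sorted(set(bho_dlls) & set(notify_dlls)):
        findings["bho_also_winlogon_notify"].append(dll)
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run as-is it prints the findings for the sample; point `triage()` at a full log file's contents to use it on another HijackThis log. Spybot's SDHelper.dll is also registered "(no name)" but lives under Program Files, so the first rule leaves it alone; the "(file missing)" rule is informational, since in this log it catches both a BHO remnant and the legitimate VNC service path, whose trailing quote HijackThis reports as a missing file.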

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 December 2006 - 08:04 AM

Hi kingdavies, :thumbsup:

1. Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Next download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the C:\vundofix.txt along with the Smitfraud report and a fresh HijackThis log.
