Help! I Think I've Caught A Cold!


  • This topic is locked
2 replies to this topic

#1 robsamui

robsamui

  • Members
  • 23 posts

Posted 31 January 2007 - 02:14 AM

I am sure I have an infection - in the last week there are some very odd things happening.

First of all - WinXP Pro - SP2 - IE6 - dial-up modem connection - Symantec Anti Virus and Zone Alarm Pro running.

Suddenly, winlogon.exe has been trying to access the internet on port 135. I have now added a manual block in and out on that port. Today, Tea Timer told me that a winlogon modifier had been added - urqqqpo.dll - and although I found and renamed that dll and removed it from all registry entries, it is still running. I've checked, but winlogon.exe is where it should be in the system32 folder and there is no other copy of it anywhere.

(As I'm writing this - offline - Zone Alarm is telling me that svchost.exe is trying to access the internet - destination 89.188.16.18.) In fact, there are 4 sets of svchost running in the task manager - is this normal?

Odd programs keep trying to access the internet. Task Manager shows me that I have svchost running a network service, but I have no network connections - I'm on a standalone laptop on a dial-up modem. (Ending this network process works, but it re-appears again within minutes.) And yesterday Windows Explorer was trying to send e-mail!

Added to this, IE6 keeps freezing. After 10 or 15 minutes, any URL I enter or link I click just snaps to a PAGE NOT FOUND default without even trying to access the internet. If I reboot, it's OK again for another 15 mins before it freezes again. Switching off Zone Alarm makes no difference - it's still frozen up until I reboot.

I have included my HJT log in the hope that someone can help me out here ... (it seems to be happily short compared to others that I've seen here!!)

Thanks in advance,

Rob




Logfile of HijackThis v1.99.1
Scan saved at 2:02:41 PM, on 1/31/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\Hcontrol.exe
D:\AVG6\avgamsvr.exe
D:\ZoneAlarm\zlclient.exe
C:\WINDOWS\ATKOSD.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system\dllhost.exe
D:\WS_FTP Pro\ftpsched.exe
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
D:\HistorySweep\HSSvc.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
D:\online-timer\olmtr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\bunker\Desktop\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - d:\InternetDownAcceler\idaiehlp.dll
O2 - BHO: (no name) - {B22CE870-2D05-4FDA-99EE-7A101875189A} - C:\WINDOWS\system32\urqqqpo.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\Hcontrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [freeonlinemeter] D:\online-timer\config\flink
O4 - Startup: TeaTimer.exe.lnk = D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Free Online-meter.lnk = D:\online-timer\olmtr.exe
O8 - Extra context menu item: Download ALL with IDA - d:\InternetDownAcceler\idaieall.htm
O8 - Extra context menu item: Download with IDA - d:\InternetDownAcceler\idaie.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - d:\InternetDownAcceler\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - d:\InternetDownAcceler\ida.exe
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\SYSTEM32\urqqqpo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG6\avgamsvr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - D:\WS_FTP Pro\ftpsched.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

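An added triage example, not from the original post and not part of HijackThis: a small Python parser over a few lines copied from the log above, flagging the entries a forum helper would look at first (system binary names running from a TEMP folder, a nameless BHO, Winlogon Notify DLLs, services with an unknown owner or missing file, and one DLL referenced from several hook points). The rule set and all names in it are this example's own assumptions.

```python
import re
from collections import Counter

# Triage rules for a HijackThis v1.99 log; an illustration, not anything HijackThis does itself.
SYSTEM_NAMES = {"svchost.exe", "wuauclt.exe", "winlogon.exe", "lsass.exe"}
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")          # e.g. "O23 - Service: ..."
DLL_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.dll', re.IGNORECASE)

def parse_hjt(text):
    """Split a log into running-process paths and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if m := ENTRY.match(line):                       # an R/F/N/O entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def review(text):
    """Return (reason, item) findings in the order a helper would check them."""
    processes, entries = parse_hjt(text)
    findings, dll_refs = [], Counter()
    for p in processes:  # a Windows system binary name outside its system folder
        if p.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES and TEMP_DIR.search(p):
            findings.append(("system binary name running from a TEMP folder", p))
    for sec, body in entries:
        if sec == "O2" and "(no name)" in body:
            findings.append(("BHO with no name", body))
        elif sec == "O20":  # Winlogon Notify DLLs are loaded inside winlogon.exe
            findings.append(("Winlogon Notify DLL", body))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(("service with unknown owner or missing file", body))
        for dll in DLL_PATH.findall(body):
            dll_refs[dll.lower()] += 1
    for dll, n in dll_refs.items():  # the same DLL in several hook points
        if n > 1:
            findings.append((f"same DLL referenced by {n} entries", dll))
    return findings

# Lines copied from the log posted above; the System32 svchost.exe is a legitimate negative case.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
O2 - BHO: (no name) - {B22CE870-2D05-4FDA-99EE-7A101875189A} - C:\WINDOWS\system32\urqqqpo.dll
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\SYSTEM32\urqqqpo.dll
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
```

Run `review(SAMPLE_LOG)` to get six findings; the System32 svchost.exe and the Symantec service produce none.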

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts

Posted 31 January 2007 - 11:11 PM

Hello rob,

We can definitely help you, but first you need to help us.
The first step in this process is to apply Service Pack 1a for Windows XP.

Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click HERE. Apply the update, reboot, and post a fresh Hijack This log.

Install all critical updates except Service Pack 2.
Some hijacks interfere with the installation of Service Pack 2, so please wait until your computer is clean before installing it.

Edited by SifuMike, 31 January 2007 - 11:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts

Posted 04 February 2007 - 02:58 PM

Since you are being helped here http://www.bleepingcomputer.com/forums/t/80237/cant-get-rid-of-fake-wuaucltexe-and-svchostexe/ , this thread will now be closed.