
Virus Infected Pc


12 replies to this topic

#1 jatinkul

Posted 17 February 2007 - 05:57 PM

Hi,
My father's machine has got infected and Zone Alarm keeps giving warnings. I am accessing the machine remotely and I can see a red icon in the task bar saying "Your pc is infected". The Task Manager was disabled, which I managed to re-enable from the registry. I ran HijackThis and the following is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:00 PM, on 2/17/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\Explorer.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\sm56hlpr.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\kernels88.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\WINNT\System32\dlh9jkd1q2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\System32\dlh9jkd1q6.exe
C:\WINNT\System32\dlh9jkd1q7.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINNT\system32\notepad.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://81.201.104.136/bscwrap.php?mandant=...&q=/?url=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Shell Browser Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINNT\System32\browsemu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System] C:\WINNT\System32\kernels88.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {33331111-1111-1111-1111-611111193423 codeBase=http://www.www2.p0rt2.com/files/777.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429 codeBase=http://www.www2.p0rt2.com/files/_ipsec_.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-615111193427 codeBase=http://www.www2.p0rt2.com/files/epl224bf2.cab id=e} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428 codeBase=http://www.www2.p0rt2.com/files/proto125.cab id=i} -
O16 - DPF: {CT classid=clsid:33331111-1111-1111-1111-615111193427 codeBase=http://www.www2.p0rt2.com/files/epl224bf2.cab id=e} -
O20 - Winlogon Notify: flballoon - C:\WINNT\SYSTEM32\flwzx.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


I could see some processes in the Task Manager like "hlm....." which seemed suspicious; kernels88.exe also seems suspicious, and I can also see some entries above like 1111... which also look like something messy. Can you please help?
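As an added example (not part of the thread, and not HijackThis's own code), here is a small Python triage script that parses the log format above and flags the same kinds of entries the helper later asks to have fixed: the localhost proxy and raw-IP search URL (R1), the BHO in System32 (O2), the OS-mimicking Run entries (O4), the broken LSP chain (O10), the DPF downloads with a codeBase (O16) and the Winlogon Notify DLL (O20). The embedded sample log is constructed from a few lines of the first log, and the rules are reviewer heuristics, not a verdict.

```python
import re

# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\kernels88.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://81.201.104.136/bscwrap.php?q=/?url=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Shell Browser Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINNT\System32\browsemu.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [System] C:\WINNT\System32\kernels88.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {33331111-1111-1111-1111-611111193423 codeBase=http://www.www2.p0rt2.com/files/777.cab id=i} -
O20 - Winlogon Notify: flballoon - C:\WINNT\SYSTEM32\flwzx.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

# "R1 - <body>" / "O4 - <body>": HijackThis prefixes every entry with its section code.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O4 Run-key form: HKLM\..\Run: [Name] command
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Run-entry names that mimic the OS; kernels88.exe and xpupdate.exe in this thread used these.
GENERIC_RUN_NAMES = {"system", "windows update loader", "windows update"}


def parse_entries(text):
    """Return (section, body) pairs for every R*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def system_root(text):
    """Derive %SystemRoot% from the smss.exe path in the running-process list."""
    m = re.search(r"^([A-Za-z]:\\[^\\]+)\\System32\\smss\.exe$", text, re.M | re.I)
    return m.group(1) if m else None


def triage(text):
    """Flag entries a reviewer should look at; returns (section, reason, body) triples."""
    root = system_root(text)
    findings = []
    for section, body in parse_entries(text):
        reason = None
        if section == "R1":
            if re.search(r"ProxyServer = 127\.0\.0\.1:\d+$", body):
                reason = "IE traffic routed through a local proxy listener"
            elif re.search(r"SearchURL.*= http://\d{1,3}(?:\.\d{1,3}){3}/", body):
                reason = "search URL hijacked to a bare IP address"
        elif section == "O2" and re.search(r"\\System32\\[^\\]+\.dll$", body, re.I):
            reason = "BHO loaded from System32 (legitimate BHOs usually live under Program Files)"
        elif section == "O4":
            m = O4_RUN_RE.match(body)
            if m:
                name, cmd = m.group("name"), m.group("cmd").strip('"')
                if name.lower() in GENERIC_RUN_NAMES:
                    reason = f"Run entry with OS-mimicking name '{name}'"
                elif root and cmd.lower().startswith("c:\\windows\\") and root.lower() != "c:\\windows":
                    # On this Windows 2000 box the system root is C:\WINNT, so C:\Windows is bogus.
                    reason = f"Run target under C:\\Windows but the system root is {root}"
        elif section == "O10":
            reason = "Winsock LSP chain references a missing DLL (network access broken)"
        elif section == "O16" and "codeBase=" in body:
            reason = "ActiveX download (DPF) with an explicit codeBase URL"
        elif section == "O20":
            reason = "Winlogon Notify DLL (loaded into winlogon.exe at every logon)"
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```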


#2 RichieUK (Malware Response Team)

Posted 17 February 2007 - 06:52 PM

Welcome to BC jatinkul :thumbsup:

You first need to do the following on the infected machine:

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop,then copy and paste the contents of the results file Report.txt into your next reply,along with a new Hijackthis log.

#3 jatinkul (Topic Starter)

Posted 19 February 2007 - 04:36 AM

Hi,
Thanks very much for the prompt reply. It did work and deleted many of the suspicious files, but it seems something is still left behind uncured. The SDFix report is as follows:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\syst.exe - Deleted
C:\WINNT\system32\dlh9jkd1q8.exe - Deleted
C:\WINNT\system32\dlh9jkd1q2.exe - Deleted
C:\WINNT\system32\dlh9jkd1q6.exe - Deleted
C:\WINNT\system32\dlh9jkd1q7.exe - Deleted
C:\WINNT\system32\kernels88.exe - Deleted

ADS Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------
C:\WINNT\system32\rsvp32_2.dll Found - LSP!

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\COMMAND.COM
C:\WINNT\system32\divx.dll
C:\WINNT\system32\srvswc2.dll
C:\arcldr.exe
C:\arcsetup.exe
C:\CONFIG.SYS

Add/Remove Programs List:

GhostSurf 2005 Platinum
HijackThis 1.99.1
Microsoft Internet Explorer 6
Mozilla Firefox (1.5)
Adobe Flash Player 9 ActiveX
Motorola SM56 Modem uninstall
WinZip
Yahoo! Messenger
ZoneAlarm
LogMeIn
Frontech USB PC Camera
McAfee VirusScan Enterprise
TuneUp Utilities 2006
MSN Messenger 7.0

Finished
=============================================
In the Remaining Files section (above) it mentions "rsvp32_2.dll Found - LSP!". Does it mean that it couldn't cure it?
=============================================
I ran HijackThis after following the above procedure and the log details are:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:46 PM, on 2/18/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\WINNT\Explorer.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\sm56hlpr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\loadqm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://81.201.104.136/bscwrap.php?mandant=...&q=/?url=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Shell Browser Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINNT\System32\browsemu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {33331111-1111-1111-1111-611111193423 codeBase=http://www.www2.p0rt2.com/files/777.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429 codeBase=http://www.www2.p0rt2.com/files/_ipsec_.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-615111193427 codeBase=http://www.www2.p0rt2.com/files/epl224bf2.cab id=e} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428 codeBase=http://www.www2.p0rt2.com/files/proto125.cab id=i} -
O16 - DPF: {CT classid=clsid:33331111-1111-1111-1111-615111193427 codeBase=http://www.www2.p0rt2.com/files/epl224bf2.cab id=e} -
O20 - Winlogon Notify: flballoon - C:\WINNT\SYSTEM32\flwzx.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
==========================================
Looking at the above log I can see entries such as "O16 - DPF: {33331111....." & "O20 - Winlogon Notify: flballoon - C:\WINNT\SYSTEM32\flwzx.dll" which I am not sure are normal entries.

Can you look into this please.

#4 RichieUK (Malware Response Team)

Posted 19 February 2007 - 05:24 AM

Warning:
The following trojan is at present on your machine:
Goldun.Fam [Trojan].

Goldun.Fam is a family of Trojan horse programs that steals users' information entered for authentication on e-gold online web forms.
Goldun trojans may be packaged with the Savage.b MyDoom spambot installer, the SSA-Keylogger installer and/or Haxdoor.
Goldun trojans sometimes use rootkit (cloaking) technology as well.
Some variants are known to block access to antivirus sites.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed using a different computer, not the infected one.
If not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

****************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up KillBox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINNT\SYSTEM32\flwzx.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of 'C:\WINNT\system32\rsvp32_2.dll' into the remove box using the >> button.
Press the finish button.
Then reboot.

****************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into Safe Mode using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: Shell Browser Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINNT\System32\browsemu.dll
O16 - DPF: {33331111-1111-1111-1111-611111193423 codeBase=http://www.www2.p0rt2.com/files/777.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429 codeBase=http://www.www2.p0rt2.com/files/_ipsec_.cab id=i} -
O16 - DPF: {33331111-1111-1111-1111-615111193427 codeBase=http://www.www2.p0rt2.com/files/epl224bf2.cab id=e} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428 codeBase=http://www.www2.p0rt2.com/files/proto125.cab id=i} -
O20 - Winlogon Notify: flballoon - C:\WINNT\SYSTEM32\flwzx.dll


Find and delete:
C:\WINNT\System32\browsemu.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

**************************

Please download Sophos Anti-Rootkit,and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan.
Post this log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100.
So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

Reboot, then post the AVG Anti-Spyware report, the sarscan.log, and a new HijackThis log into your next reply.

Edited by RichieUK, 19 February 2007 - 05:26 AM.


#5 jatinkul (Topic Starter)

Posted 19 February 2007 - 08:17 AM

Thanks again. I am really impressed by the quick & to-the-point response.
I missed a point last time, that the red icon in the task bar (saying your pc is infected) had vanished.
I remember not having seen the Folder Options in the windows explorer, but I have now figured out a way to enable it, reading on some forums.
I will perform the steps mentioned & get back with the results.

#6 jatinkul (Topic Starter)

Posted 23 February 2007 - 11:58 AM

I performed the steps mentioned by you except the AVG scan and the Sophos Anti-Rootkit scan. I am posting the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:16 PM, on 2/23/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\Explorer.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\sm56hlpr.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\loadqm.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINNT\system32\notepad.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://81.201.104.136/bscwrap.php?mandant=...&q=/?url=%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system\ctfmon.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


As far as I see, it seems good to me. I would also like to mention here that the process ctfmon.exe has been disabled in ZoneAlarm due to some virus issues (this was done by the person who had come for some software installation).
Do you still recommend running Avg & Sophos Anti-Rootkit?

I have also come across some software such as Spyware Blaster, Spyware Doctor, SpySweeper... Would you recommend their usage?
Thanks again.

#7 RichieUK (Malware Response Team)

Posted 23 February 2007 - 01:08 PM

Can you run AVG Anti Spyware in Safe Mode by following the instructions above please.
Post the report when you've finished.

#8 jatinkul (Topic Starter)

Posted 24 February 2007 - 02:20 PM

Attached is the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:13:46 AM 2/25/2007

+ Scan result:


HKLM\SOFTWARE\ErrorSafe -> Adware.ErrorSafe : Cleaned with backup (quarantined).
HKLM\SOFTWARE\ErrorSafe\ErrorSafe -> Adware.ErrorSafe : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MH948XMK\mk[1].exe -> Backdoor.Agent.akp : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MH948XMK\mk[2].exe -> Backdoor.Agent.akp : Cleaned with backup (quarantined).
C:\Documents and Settings\LogMeInRemoteUser\Local Settings\Temporary Internet Files\Content.IE5\MH948XMK\mk[1].exe -> Backdoor.Agent.akp : Cleaned with backup (quarantined).
C:\WINNT\mk.exe -> Backdoor.Agent.akp : Cleaned with backup (quarantined).
C:\WINNT\system32\flwzx.dll -> Backdoor.Agent.akp : Cleaned with backup (quarantined).
C:\WINNT\system32\divx.dll -> Downloader.PassAlert.o : Cleaned with backup (quarantined).
C:\WINNT\system\ctfmon.exe -> Downloader.PassAlert.v : Cleaned with backup (quarantined).
C:\WINNT\system32\vbsys.dll_old -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\WINNT\system32\vbsys2.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\Documents and Settings\NITIN1\Application Data\errorsafenewreleaseinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Program Files\LogMeIn\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined).
C:\WINNT\system32\rsvp32_2.dll3f2tj -> Proxy.Agent.ly : Cleaned with backup (quarantined).
C:\WINNT\system32\777.exe -> Proxy.Cimuz.cl : Cleaned with backup (quarantined).
C:\Documents and Settings\NITIN1\Cookies\nitin1@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\NITIN1\Cookies\nitin1@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\WINNT\Downloaded Program Files\start.INF -> Trojan.Dagonit.inf : Cleaned with backup (quarantined).
C:\WINNT\internt.exe -> Trojan.LipGame.bl : Cleaned with backup (quarantined).
C:\3456346345643.exe -> Worm.Zhelatin.n : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kernels88.exe -> Worm.Zhelatin.n : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/syst.exe -> Worm.Zhelatin.n : Cleaned with backup (quarantined).

::Report end

I had thought that the machine is clean now, but....
What do you recommend now?

#9 RichieUK (Malware Response Team)

Posted 24 February 2007 - 02:30 PM

Download/install and scan with CounterSpy 2.0 Beta:
http://www.sunbelt-software.com/counterspy-beta-download.cfm
Skip 'Activation' during install.
Wait while 'Automatic updates' have finished.
Click the 'Scan now' button.
Remove/delete everything CounterSpy detects.
Post a report when it's finished.
Also post a new HijackThis log please, and let me know how the pc is running now.

#10 jatinkul (Topic Starter)

Posted 04 March 2007 - 08:32 AM

Unfortunately I couldn't install CounterSpy as the machine does not have SP3; however AVG Anti-Spyware did not detect any spyware. Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:05:56 PM, on 3/4/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\sm56hlpr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\loadqm.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://81.201.104.136/bscwrap.php?mandant=...&q=/?url=%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

What do you suggest now?

#11 RichieUK (Malware Response Team)

Posted 04 March 2007 - 08:37 AM

Well your log is clean, how's the machine running now please.

#12 jatinkul (Topic Starter)

Posted 05 March 2007 - 07:35 AM

Machine seems to be running fine & there is no sign of anything unusual.

#13 RichieUK (Malware Response Team)

Posted 05 March 2007 - 07:53 AM

If all's ok, please do the following:

You should now go to Windows Update and install any available critical/high priority updates.
Read through the info found here, to help you prevent any possible future infections.
How did I get infected? by Grinler:
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/