
Infected With Infostealer & Hacktool Viruses


  • This topic is locked
6 replies to this topic

#1 qoh_addict

qoh_addict

  • Members
  • 3 posts

Posted 21 April 2007 - 11:09 AM

I followed the 8 instructions that were in the "Preparation Guide", but I still get windows that pop up and Norton AntiVirus CE 7 catches "Infostealer", "Hacktool", and "Hacktool.nuker" virii. I need to ask for some help from the experts.

Thank you for your time.

---------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:52:08 AM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\NavNT\vptray.exe
F:\Program Files\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\NavNT\rtvscan.exe
F:\Program Files\UPHClean\uphclean.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\conime.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\explorer.exe
F:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.adxgate.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.sxload.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123390435559
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - F:\WINDOWS\system32\npkcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 April 2007 - 08:19 AM

Hi,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 qoh_addict

qoh_addict
  • Topic Starter

  • Members
  • 3 posts

Posted 24 April 2007 - 08:32 PM

I kinda jumped the gun a bit, and, after some research on your forums, I used the following tools in the following order:

1. Vundo - Kept hanging - deleted the log
2. Combofix - Still had problems - deleted the log
3. SuperAntiSpyware - seemed to do the trick

----------

SUPERAntiSpyware Scan Log
Generated 04/23/2007 at 03:01 AM

Application Version : 3.6.1000

Core Rules Database Version : 3222
Trace Rules Database Version: 1233

Scan type : Complete Scan
Total Scan Time : 06:31:47

Memory items scanned : 299
Memory threats detected : 0
Registry items scanned : 5540
Registry threats detected : 20
File items scanned : 243370
File threats detected : 6

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{0A5E591C-CDC1-449E-BA40-EB44E681D462}
HKCR\CLSID\{0A5E591C-CDC1-449E-BA40-EB44E681D462}
HKCR\CLSID\{0A5E591C-CDC1-449E-BA40-EB44E681D462}\InprocServer32
HKCR\CLSID\{0A5E591C-CDC1-449E-BA40-EB44E681D462}\InprocServer32#ThreadingModel
F:\WINDOWS\SYSTEM32\GEBCY.DLL
HKLM\Software\Classes\CLSID\{4C910668-D51F-41DF-9EEE-03BA08057148}
HKCR\CLSID\{4C910668-D51F-41DF-9EEE-03BA08057148}
HKCR\CLSID\{4C910668-D51F-41DF-9EEE-03BA08057148}\InprocServer32
HKCR\CLSID\{4C910668-D51F-41DF-9EEE-03BA08057148}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{AEF1E179-93F6-4A9C-B195-EC9932C93CB0}
HKCR\CLSID\{AEF1E179-93F6-4A9C-B195-EC9932C93CB0}
HKCR\CLSID\{AEF1E179-93F6-4A9C-B195-EC9932C93CB0}\InprocServer32
HKCR\CLSID\{AEF1E179-93F6-4A9C-B195-EC9932C93CB0}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{AF9EA153-65A9-45E4-9D24-DCFD2B0B7A10}
HKCR\CLSID\{AF9EA153-65A9-45E4-9D24-DCFD2B0B7A10}
HKCR\CLSID\{AF9EA153-65A9-45E4-9D24-DCFD2B0B7A10}\InprocServer32
HKCR\CLSID\{AF9EA153-65A9-45E4-9D24-DCFD2B0B7A10}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{C7159F04-070D-4D47-AB1D-EAF00E7D3094}
HKCR\CLSID\{C7159F04-070D-4D47-AB1D-EAF00E7D3094}
HKCR\CLSID\{C7159F04-070D-4D47-AB1D-EAF00E7D3094}\InprocServer32
HKCR\CLSID\{C7159F04-070D-4D47-AB1D-EAF00E7D3094}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
F:\Documents and Settings\Noriko\Cookies\noriko@cpvfeed[2].txt

Adware.ClickSpring/Yazzle
F:\QOOBOX\QUARANTINE\F\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR
F:\QOOBOX\QUARANTINE\F\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Trojan.Downloader-Gen/LIB
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\AFMXVOLF.DLL.VIR

Adware.Vundo Variant
F:\QOOBOX\QUARANTINE\F\WINDOWS\SYSTEM32\EFCYAWT.DLL.VIR

----------

4. Deleted several items using HijackThis

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.adxgate.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.snipenet.net
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.sxload.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123390435559
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - F:\WINDOWS\system32\npkcsvc.exe


After this point, the only thing odd was the following in IE7:

Posted Image

I was sort of suspicious, so I rebooted and did full system scans using

5. Ad-Aware - No problems found
6. Spybot Search & Destroy - No problems found - Enabled IE helper
7. Norton AV CE 7 - No viruses found

The Gmail icon went back to normal, there were no popups, and NAV CE didn't pop up saying it just quarantined anything.

I also deleted the following file

F:\WINDOWS\system32\npkcsvc.exe

Finally, I ran

8. TweakNow RegCleaner Std - deleted registry entries related to npkcsvc.exe

The current HijackThis log:

----------

Logfile of HijackThis v1.99.1
Scan saved at 5:28:59 PM, on 04/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\NavNT\vptray.exe
F:\Program Files\ZoneAlarm\zlclient.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NavNT\defwatch.exe
F:\Program Files\NavNT\rtvscan.exe
F:\Program Files\UPHClean\uphclean.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

----------

Nothing seems broken at the moment. Do you think there's anything else I should do?
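Added example, not code from the thread or from HijackThis itself: a small Python triage over the O15, O16 and O23 lines from the logs above. It flags the Trusted Zone additions outright, sends the unrecognised ActiveX download and the ownerless or file-missing services for review, and leaves vendor-named services such as npkcsvc alone; the allow-list of ActiveX hosts is an assumption, and Python 3.8 or later is needed for the `:=` syntax.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.snipenet.net
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123390435559
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - F:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
""".strip().splitlines()

# Assumed allow-list: hosts whose ActiveX (O16 "Downloaded Program Files") controls
# are expected on this machine. Anything else gets a human look.
KNOWN_DPF_HOSTS = ("update.microsoft.com", "trendmicro-europe.com")

O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)(?: \((HKLM)\))?$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def triage(lines):
    """Return (line, verdict, reason) for each entry that merits attention.

    'remove' marks entries that should not exist on a clean machine;
    'review' marks entries that need a human decision, never automatic deletion.
    """
    findings = []
    for line in lines:
        if m := O15_RE.match(line):
            # Sites in IE's Trusted Zone run with relaxed security settings. A clean
            # HijackThis log normally lists no O15 entries, so any wildcard one is suspect.
            findings.append((line, "remove", f"Trusted Zone grants {m.group(1)} relaxed IE security"))
        elif m := O16_RE.match(line):
            host = urlsplit(m.group(3)).hostname or ""
            if not host.endswith(KNOWN_DPF_HOSTS):
                findings.append((line, "review", f"ActiveX control downloaded from unrecognised host {host}"))
        elif m := O23_RE.match(line):
            name, owner, path = m.groups()
            if "(file missing)" in path:
                findings.append((line, "review", f"service '{name}' points at a file that no longer exists"))
            elif owner == "Unknown owner":
                findings.append((line, "review", f"service '{name}' has no vendor; verify the file before touching it"))
    return findings


if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {line}")
```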

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 April 2007 - 02:48 AM

Looking good.

The "odd" thing in your Internet Explorer is not "odd" at all. The icon you see there is because you have/had Superantispyware installed. I guess it monitors secure sites - https.

How are things now?

By the way, npkcsvc.exe was legit though. It's related to INCA Internet.
Also, is it possible you deleted mdm.exe, related to the Windows Machine Debug Manager, previously? Because I see this item is also missing from your log:
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)

Never delete files that just *look* suspicious.

#5 qoh_addict

qoh_addict
  • Topic Starter

  • Members
  • 3 posts

Posted 25 April 2007 - 11:38 AM

Things seem to be running smoothly.

I read on a couple forums that npkcsvc.exe was a trojan or something so I took it out. I suppose it's related to Ragnarok Online, but I tried playing it the other day and it ran okay. It's no big deal though. I can always uninstall then reinstall RO if it's a necessary component.

I'm really not sure why mdm.exe is missing. I don't ever remember deleting it before...

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 April 2007 - 01:26 PM

Don't believe anything that is written on the internet ;)

Anyway, good to hear things are ok again.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 April 2007 - 05:26 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.