Old 03-01-2007, 03:24 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 1
OS: Windows XP Home SP2


How do I get rid of the Exploit_CodeBase.chm trojan?

I'm running Windows XP Service Pack 2, and use McAfee Internet Security Suite 8 for protection. My current browser is IE 7; at the time of the attack it was IE6. All of the available updates, for Windows and McAfee, are currently installed.



Unfortunately for me, I was logged on as administrator when this occurred. While using a popular internet search engine, I clicked on a link to a web page and the screen instantly froze/locked up on a blank screen where a pop-up (not McAfee) emerged telling me that I was just sent a virus. In a panic, I then tried to shut off my PC but it could not be shut down, even using Task Manager and holding the power button for a minute. So I pulled the power by unplugging it. Rebooted a few minutes later; it started fine and loaded the desktop. Just as I began to think it might've been a hoax of some sort, I set it to lockdown and started a virus scan, and McAfee immediately detected the presence of a trojan virus known as Exploit_CodeBase.chm. It found five instances of it, all of which were located in TemporaryInternetFiles\Content.IE5 files. They were then quarantined and an attempt to clean was made, but they could not be cleaned. So they were deleted. Upon the completion of the first scan I ran another. This time the scan detected the presence of the Ad Clicker_DY trojan along with a system restore point. Both were deleted to complete the cleaning process.



After that I opened Personal Firewall, which was in the tight setting at the time of the attack, to see what info I could gather from it, only to find that the current event log was missing/erased. When I opened the Internet Applications listing I saw three new additions, all of which were granted full access to the www. One was "run dll as an app"; the other 2 appeared to be "generically named" programs, one being vfkgaaa.exe. I blocked all 3 of them and tried to locate them using explorer.exe but they couldn't be found. When I went back to it, both of them said the program no longer exists. So I deleted the application rules for them. Then I opened Privacy Service and found that the event log quit its logging process about 15-20 minutes before McAfee first detected the E_CB.chm trojan.



The following day, I booted to Safe Mode and ran 2 scans which turned up nothing. So I went to Control Panel and opened up Admin Tools. When I opened the Applications heading, a window popped up, basically stating that a major error had occurred and it couldn't be viewed. Under both the Security and System headings, I discovered they quit logging at the time of the attack. I then went to Services to look at the settings for the C:\Windows\System32\ files and found the properties couldn't be opened because they were either damaged or missing. Most troubling to me was the IPSEC service. It took several days before everything began logging events and System32 properties could be viewed or changed again. I opened up my downloaded programs folder and found that, under properties, all of them were also damaged or missing one or more files. The number of files was only marked by an asterisk, so I have no idea which ones.


My PC seemed to function properly for a while after this occurred, and it wasn't until recently that I've noticed issues coming with greater frequency. Most troubling was the fact that my PC has unknowingly been running 24/7 for months now without my knowledge. I recently discovered that, at some point after the date of the attack, every time I was turning off my computer by clicking Shut Down on the Start menu or using Task Manager, I wasn't. My computer would automatically go into sleep mode, not shut down. Once I made this discovery, I tried to restart from both the Start menu and Task Manager, neither of which would work when clicked on. So I tried holding the power button down for a minute and it still wouldn't shut off. I had to pull the power in order to get it to turn off.

Here's a brief listing of a few others:

1. Hung apps galore, many times followed by either a Dr. Watson debugger or post-mortem window, which then also end up as hung apps.

2. This really puzzles me: temporary internet files located in the same place as those that were deleted from the attack are still active. I noticed this while moving downloaded internet zip files to a different location. Yet, by searching, they can't even be located using explorer.exe. I can only view and delete them from toolbar options in the IE7 browser.

3. This one really bothers me. I've noticed that for several months McAfee Personal Firewall has constantly been getting pinged, or attempts are made to connect to ports on my PC by remote programs. When traced, most of the time they are coming from Asian sources; blocking one results in another IP address from the same location. This is a 24-hour occurrence and happens even if I haven't surfed the web for a day or two. I recently noticed something when I moved some Word files to another drive: when I open certain .doc files containing sensitive info, a hidden window .tmp file automatically opens up next to it. It features the same name as the .doc, yet when opened they have been encoded to Japanese.

4. I was on Napster recently and tried to sample some music; when I did, a window popped up stating that the service was only available to those in the United States. Puzzling because, I assure you, I've been a resident since the day I was born and have never stepped outside of the U.S.

5. IPConfig cannot be opened for viewing by MS-DOS. It sure as **** used to, but hasn't since the attack. This is uneasing given the fact that #4 occurred.

6. Every time I open explorer.exe to search for anything, an MSI Installer window pops up trying to install something. I have to repeatedly hit the cancel button, in rapid succession, 4 or more times before it stops.

7. For about a month after the attack, occasionally the system tray icon would be red and all are enabled, but when I'd open up the Security Center, one or more are listed as being disabled at that time. This also happens vice versa. It even, although rarely, would be in the disabled mode and couldn't be enabled through the Security Center or the tray icon. Thankfully, this hasn't happened in several months.

8. One more thing that occurs that troubles me about the Internet Applications list in Personal Firewall: some of the statuses of listed apps are changed without my knowledge. I'd set it to blocked or outbound only, only to later return and see them listed as granted full access to the internet. Same thing with system settings: I will check them and find that there is a check next to an item, usually the "allow restricted users to change settings" option. That is something I would NEVER have checked as an option, of my own accord.

9. Some of the settings in C:\WINDOWS\SYSTEM32\ files do the same thing as #7. Several of them are missing files. IPSEC service and Service.exe are listed as belonging to an unknown owner.

10. Sometimes I'll delete things in my C:\ drive and recycle bin, only to go back and find that, after doing that, it actually increased and took up more memory.


There's a boatload more but my hands are cramping from typing. Please, if anyone can help me get rid of this thing, I'd really appreciate it.



Logfile of HijackThis v1.99.1
Scan saved at 06:11:26 AM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase9602.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: IEFilter - {F452D46E-95EF-4345-8D9C-DA71D9561BBD} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
kickboxadonkey is offline  
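A small triage pass over HijackThis-style log lines, added here as an illustration; it is not part of the thread and not code from the HijackThis tool. The sample lines are constructed in the v1.99 line format shown in the post above (the O23 "Service - Unknown owner ... (file missing)" entry is copied as posted), and the flagging rules (orphaned file references, services with no owner, script-based autostarts) are this example's own assumptions about what an analyst reading such a log looks at first.

```python
import re

# Constructed sample in HijackThis v1.99 line format, modelled on the log in the
# post above (paths shortened; the O23 "Service" entry is copied as posted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: IEFilter - {F452D46E-95EF-4345-8D9C-DA71D9561BBD} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
"""

# Every HJT finding line is "<section> - <body>", e.g. "O23 - Service: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return a list of (section, body) pairs for the finding lines in a log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries worth a closer look; the rules are this example's own."""
    findings = []
    for section, body in entries:
        low = body.lower()
        reasons = []
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if section == "O23" and "unknown owner" in low:
            reasons.append("service carries no vendor/owner information")
        if section == "O4" and re.search(r"\.(vbs|js|wsf|bat|cmd)\b", low):
            reasons.append("autostart runs a script rather than an executable")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample above the orphaned O9/O21 entries, the script-based O4 autostart and the ownerless, missing O23 service are reported, while the NVIDIA service and NeroCheck entries pass.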
Old 03-04-2007, 12:55 PM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 21,344
OS: Win XP Pro SP3
Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.

Since it has been a few days since you first posted, please follow these instructions if you still need assistance.

Download ComboScan to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - minimised > ComboScan.txt and maximised > Supplementary.txt.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt back in this thread (do not attach it).
  5. Please attach Supplementary.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\ComboScan\Supplementary.txt
  3. Click Upload.

Thank you for your patience.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Copyright 2001 - 2008, Tech Support Forum