|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
01-23-2005, 06:58 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 2
OS: Windows XP
|
eXact.downloader (Trojan.downloader)
Hello Tech Support officers,
I scanned and found eXact.downloader (Trojan.downloader). Could you advise how I can get rid of it? I ran HiJactThis and attached the scan log and staruplist log below. Please kindly help me. Sincerely, Chuck Logfile of HijackThis v1.99.0 Scan saved at 6:52:14 PM, on 1/23/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\System32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\devldr32.exe C:\DOCUMENTS AND SETTINGS\CHUCK\DESKTOP\KillBox-1.exe C:\Documents and Settings\Chuck\Desktop\HijackThis.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Norton AntiVirus\OPScan.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.ca R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.ca R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.ca R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra 'Tools' menuitem: Chinese - {0D5C2EA0-EDCD-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: (no name) - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra 'Tools' menuitem: TranStar Help - {676AB8E0-F5A6-11D3-86A5-0088CC224026} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk (file missing) O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra 'Tools' menuitem: English - {C2EDD5E0-EB64-11D3-B4D2-0088CC231035} - C:\PROGRA~1\TRANST~1\APPLIC~1\TransIE.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.ebay.co.uk O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extend...s/iaieplay.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:...b/mgaxctrl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096073988734 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe The Log of staruplist is prepared below: StartupList report, 1/23/2005, 6:44:19 PM StartupList version: 1.52.2 Started from : C:\Documents and Settings\Chuck\Desktop\HijackThis.EXE Detected: Windows XP SP2 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180) * Using default options * Showing rarely important sections ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\System32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\Brmfrmps.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\devldr32.exe C:\DOCUMENTS AND SETTINGS\CHUCK\DESKTOP\KillBox-1.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Chuck\Desktop\HijackThis.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName PaperPort PTD = C:\Program Files\Scansoft\PaperPort\pptd40nt.exe nwiz = nwiz.exe /install MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] * StubPath = C:\WINDOWS\inf\unregmp2.exe /HideWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\system32\ie4uinit.exe [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] * StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install [{94de52c8-2d59-4f1b-883e-79663d2d9a8c}] StubPath = rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps C:\Program Files\LingoCom\Lingoware.exe\ -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINDOWS\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINDOWS\Explorer\Explorer.exe: not present C:\WINDOWS\System\Explorer.exe: not present C:\WINDOWS\System32\Explorer.exe: not present C:\WINDOWS\Command\Explorer.exe: not present C:\WINDOWS\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Enumerating Task Scheduler jobs: Norton AntiVirus - Scan my computer - Chuck.job Norton AntiVirus - Scan my computer.job Symantec NetDetect.job -------------------------------------------------- Enumerating Download Program Files: [QuickTime Object] InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab [Windows Genuine Advantage Validation Tool] InProcServer32 = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.DLL CODEBASE = http://go.microsoft.com/fwlink/?link...38&clcid=0x409 [MSSecurityAdvisor Class] InProcServer32 = C:\WINDOWS\System32\mssecadv.dll CODEBASE = http://download.microsoft.com/downlo...?1080975018781 [IEPlayInterface Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\iaieplay.dll CODEBASE = http://www.lotrdvd.com/dvdkey/extend...s/iaieplay.dll [Symantec AntiVirus scanner] InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll CODEBASE = http://security.symantec.com/sscv6/S...in/AvSniff.cab [{33564D57-0000-0010-8000-00AA00389B71}] CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB [Office Update Installation Engine] InProcServer32 = C:\WINDOWS\opuc.dll CODEBASE = http://office.microsoft.com/officeup...ntent/opuc.cab [Microsoft Office Template Downloader] InProcServer32 = C:\WINDOWS\Downloaded Program Files\msotd.dll CODEBASE = http://office.microsoft.com/ca/Templ...lery/msotd.cab [Autodesk MapGuide ActiveX Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\MgAxCtrl.dll CODEBASE = http://gisweb3.city.vancouver.bc.ca:...b/mgaxctrl.cab [WUWebControl Class] InProcServer32 = C:\WINDOWS\System32\wuweb.dll CODEBASE = http://v5.windowsupdate.microsoft.co...?1096073988734 [Symantec RuFSI Utility Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll CODEBASE = http://security.symantec.com/sscv6/S.../bin/cabsa.cab [{7A32634B-029C-4836-A023-528983982A49}] CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab [InstallShield International Setup Player] InProcServer32 = c:\windows\downlo~1\isetup.dll CODEBASE = http://www.installengine.com/engine/isetup.cab [ActiveScan Installer Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab [{9F1C11AA-197B-4942-BA54-47A8489BB47F}] CODEBASE = http://v4.windowsupdate.microsoft.co...7653.647337963 [DoomCln Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoomCln.dll CODEBASE = http://www.microsoft.com/security/controls/DoomCln.CAB [SassCln Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB [{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}] [{D27CDB6E-AE6D-11CF-0000-000000000000}] CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab [Microsoft Office Tools on the Web Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL CODEBASE = http://dgl.microsoft.com/downloads/outc.cab [MSN Chat Control 4.5] InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx CODEBASE = http://chat.msn.com/bin/msnchat45.cab -------------------------------------------------- Enumerating Windows NT/2000/XP services Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Brother Popup Suspend service for Resource manager: "C:\WINDOWS\system32\Brmfrmps.exe" -service (autostart) BrSplService: C:\WINDOWS\System32\brsvc01a.exe (autostart) Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart) Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.EXE (autostart) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart) Norton Unerase Protection: C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (autostart) NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart) PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVScan: C:\Program Files\Norton AntiVirus\SAVScan.exe (autostart) ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (autostart) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart) Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart) symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart) SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart) SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart) Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 15,491 bytes Report generated in 0.172 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only |
|
     
|
|
01-23-2005, 08:36 PM
|
#2 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Hi and welcome to TSF. Please don't post startup logs we do not request. Thx...
===== Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
 GO BIG BLUE!! |
|
|
|
|
01-24-2005, 12:52 AM
|
#3 (permalink) |
|
Registered User
Join Date: Jan 2005
Posts: 2
OS: Windows XP
|
TDS-3 Scanned Result
Hello TSF officer,
Thank you for your reply. I followed the instruction and attached Full Scan Test result below: 23:15:58 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 23:15:58 [Init] Started 23-01-05 23:15:58 Pacific Standard Time (UTC: 8), Internet Time @1344.42 23:15:58 [Init] Loading TDS-3 Systems ... 23:15:58 [Init] Token successfully adjusted. 23:15:59 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 23:15:59 [Init] • Plugins : OK. Loaded 13 23:15:59 [Init] • Exec Protection : Not Installed 23:15:59 [Init] WARNING: Your Radius.TD3 database needs to be updated! 23:15:59 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 23:15:59 [Init] Licensed users can use the Update facility from the TDS menu 23:15:59 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 23:16:13 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 23:16:13 [Init] • Systems Initialised [45047 references - 21116 primaries/11792 traces/12139 variants/other] 23:16:13 [Init] Radius Systems loaded. <Databases updated 23-01-2005> 23:16:13 [Init] TDS-3 Ready. <Chuck@192.168.1.100, 127.0.0.1 - Canada> 23:16:13 [Tip Of The Day] If you are trying to delete an executable file, but are denied access, the file is in use - probably running in memory. Use the Process List Kill function to kill the process from memory - you'll then be able to delete the file. 23:16:13 [TDS] Good evening Chuck. 23:16:22 [Mutex Memory Scan] Started... 23:16:23 [Mutex Memory Scan] Finished (no trojan mutexes found). 23:16:23 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 23:16:50 [CRC32] Started - verifying 29 files ... 23:17:02 [CRC32] Test finished. 23:19:10 [Memory Scan] Memory scan started, please wait a moment ... 23:19:13 [Memory Scan] Memory scan complete. 23:19:13 [Mutex Memory Scan] Started... 23:19:15 [Mutex Memory Scan] Finished (no trojan mutexes found). 23:19:15 [Trace Scan] Started... 23:19:27 [Trace Scan] Finished. 23:19:27 [ServiceScan] Scanning for services and drivers ... 23:19:35 [ServiceScan] Scanned 319 services and drivers. 23:19:35 [File Scan] Scanning in A:\ ... 23:19:36 [File Scan] Scanned 0 files: 0 alarms in 1.140625 seconds (Avg 1. files/sec) 23:19:36 [File Scan] Scanning in C:\ ... 00:42:28 [File Scan] Scanned 141186 files: 9 alarms in -81427.42 seconds (Avg -.73 files/sec) 00:42:28 [File Scan] Scanning in D:\ ... 00:42:48 [File Scan] Scanned 42 files: 9 alarms in 19.42212 seconds (Avg 3.16 files/sec) 00:42:48 [File Scan] Scanning in E:\ ... 00:42:48 [File Scan] Scanned 0 files: 9 alarms in 0 seconds (Avg -1.#IND files/sec) 00:42:48 [File Scan] Scanning in F:\ ... 00:42:48 [File Scan] Scanned 0 files: 9 alarms in 7.788086E-02 seconds (Avg 1. files/sec) 00:42:48 [Scan] Finished. 00:45:12 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt The followings are what I found from the Alarms: Scan Control Dumped @ 00:50:40 24-01-05 Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\en4ol1h31.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\guard.tmp Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\l64q0gh5e64.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\mv4ul9h91.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\mv6ol9j31.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\mvjsl9171.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\o666lgjs16o6.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\p04ulah91d4.dll Positive identification (DLL): Adware.Look2Me.u (dll) File: c:\windows\system32\wkstream.dll Thank you for your help. Please advise what I should do next. Sincerely, BCChuck |
|
|
|
|
01-24-2005, 07:29 AM
|
#4 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):
c:\windows\system32\en4ol1h31.dll c:\windows\system32\guard.tmp c:\windows\system32\l64q0gh5e64.dll c:\windows\system32\mv4ul9h91.dll c:\windows\system32\mv6ol9j31.dll c:\windows\system32\mvjsl9171.dll c:\windows\system32\o666lgjs16o6.dll c:\windows\system32\p04ulah91d4.dll c:\windows\system32\wkstream.dll =================== Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Please download the following programs required for the removal process: Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe PV http://www.greyknight17.com/spy/pv.zip VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe Hoster http://www.greyknight17.com/spy/Hoster.exe CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe KillBox http://www.greyknight17.com/spy/KillBox.exe notify.bat http://www.greyknight17.com/spy/notify.bat Please follow the steps below: 1. Download/run the following uninstallers: Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip 2. Run Kill2Me. 3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!). a) Open that folder on your Desktop and double click on the runme.bat file. b) Type in 3 and hit your Enter key. Save the log file. c) Type in 5 and hit your Enter key. Save the log file. d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below. 4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later. 5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later. We also need a list of files in the following folders: C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here. C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious. Post all of the logs in your next post. We need them all to get a fix for this infection.
__________________
GO BIG BLUE!! |
|
|
|
|
| Thread Tools | |
|
|
