Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
04-25-2007, 10:14 AM   #1
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Help - win32 Trojan

Hi Bob . . . . .
Here's another opportunity for you to excel at your chosen "Profession".
I think this machine has been infected with the Win32ask virus. Here's the HJT log. Please help if you can.
J. Ross

Logfile of HijackThis v1.99.1
Scan saved at 12:05:20 PM, on 4/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\vwsrv.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\v7.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\System32\vwsrv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
jross1943 is offline  
04-25-2007, 10:29 AM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,747
OS: 2000 Pro; XP Pro; XP Home


Hi again -

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\System32\vwsrv.exe

  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

---------------------------------------------------------------------------------------------


Create an uninstall list:
  • Open HiJackThis
  • Click on the button "Open the Misc Tools section"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the Notepad file into your post

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
04-25-2007, 12:05 PM   #3
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

Can't get SmitFraudFix. When I try to download it gets to 99% and quits. When I try to copy from my thumb drive, it deletes the program from the drive. But here is the HJT Uninstall list and the results from VirusTotal.

Thanks for all you do

---------------
HJT Uninstall List

2003 United Guaranty's Tax Analysis
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Advanced Networking Pack for Windows XP
Agere Systems AC'97 Modem
ATI Control Panel
ATI Display Driver
BlackBerry Desktop Software 4.0
BlackBerry Desktop Software 4.0
Broadcom Gigabit Integrated Controller
CBA DirectLynk
Citrix ICA Web Client
Diagnostics for Windows
DirectX 9 Hotfix - KB839643
D-Link AirPlus G Wireless Adapter
Easy CD & DVD Creator 6
eCombiner
FileNET Panagon Viewer 3.2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HP Integrated Wireless LAN W400-W500 Driver
HP Mobile Printing
hp psc 1200 series
Insight Management Agent
InterActual Player
Internet Explorer Security Plugin 2006
Internet Security Add-On
InterVideo WinDVD
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.1_05
Java Web Start
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
LockPoint Web Client 2.1
Macromedia Shockwave Player
MarketerPro 15.6.0 Release
MarketerPro 15.7.0 Release
MarketerPro 15.8.0 Release
MarketerPro Backup
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Access 2000 Runtime
Microsoft Data Access Components KB870669
Microsoft Office Live Meeting
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
O2Micro MemoryCardBus Windows Driver
OnDemand5
pdfFactory
PhotoParade Player
Pro Client
Public Messenger ver 2.03
Remote Diagnostics Enabling Agent
Remote Services Driver
SBA 2.2 Remote System
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
SoundMAX
Spybot - Search & Destroy 1.3
Symantec pcAnywhere
Synaptics Pointing Device Driver
TCNLink For Windows 7.0 SP2 Custom
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows Safety Alert
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB897715
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485

----------------------------------

STATUS: FINISHED
Complete scanning result of "vwsrv.exe", received in VirusTotal at 04.25.2007, 19:28:18 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.26.0 04.25.2007 no virus found
AntiVir 7.4.0.15 04.25.2007 TR/Dldr.Sisdot
Authentium 4.93.8 04.24.2007 no virus found
Avast 4.7.981.0 04.25.2007 no virus found
AVG 7.5.0.464 04.25.2007 Downloader.Agent.KJC
BitDefender 7.2 04.25.2007 no virus found
CAT-QuickHeal 9.00 04.25.2007 TrojanDownloader.Agent.bnc
ClamAV devel-20070416 04.25.2007 Trojan.Downloader-5648
DrWeb 4.33 04.25.2007 BACKDOOR.Trojan
eSafe 7.0.15.0 04.25.2007 Win32.Agent.bnc
eTrust-Vet 30.7.3594 04.25.2007 no virus found
Ewido 4.0 04.25.2007 Downloader.Agent.bnc
FileAdvisor 1 04.25.2007 No threat detected
Fortinet 2.85.0.0 04.25.2007 W32/Agent.BNC!tr.dldr
F-Prot 4.3.2.48 04.24.2007 no virus found
F-Secure 6.70.13030.0 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
Ikarus T3.1.1.5 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
Kaspersky 4.0.2.24 04.25.2007 Trojan-Downloader.Win32.Agent.bnc
McAfee 5017 04.25.2007 no virus found
Microsoft 1.2405 04.25.2007 no virus found
NOD32v2 2218 04.25.2007 no virus found
Norman 5.80.02 04.25.2007 W32/Malware.PLI
Panda 9.0.0.4 04.25.2007 Adware/DriveCleaner
Prevx1 V2 04.25.2007 Polynomial.Code.Exploit
Sophos 4.16.0 04.23.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 VIPRE.Suspicious
Symantec 10 04.25.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.25.2007 no virus found
VirusBuster 4.3.7:9 04.25.2007 no virus found
Webwasher-Gateway 6.0.1 04.25.2007 Trojan.Dldr.Sisdot


Aditional Information
File size: 7168 bytes
MD5: d763131fd9b2d02faeab6d39e5232bf4
SHA1: afc6ef942132e1df1314260a819e0ea3d9e655f0
packers: PECOMPACT
Bit9 info: http://fileadvisor.bit9.com/services...ab6d39e5232bf4
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=c4e389519880
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
jross1943 is offline  
04-25-2007, 01:01 PM   #4
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

I restarted in safe mode and was able to run SmitFraudFix scan. Here is the log.
------------
SmitFraudFix v2.171

Scan done at 14:55:34.02, Wed 04/25/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\Uninstall.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1

C:\DOCUME~1\David\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyLocked\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
jross1943 is offline  
04-25-2007, 07:00 PM   #5
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,747
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

OK, John, here we go....

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

--------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • We'll use this later.

---------------------------------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
@echo off
sc stop vwservice
sc delete vwservice
exit

Double click FixServices.bat. A window will open and close. This is normal.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Internet Security\isadd.dll (file missing)
O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINDOWS\System32\v7.exe
C:\WINDOWS\System32\vwsrv.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot back into Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt) or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, it is Java 2 Runtime Environment Standard Edition v1.3.1_02, and Java 2 Runtime Environment, SE v1.4.1_05
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
  • After the install is complete, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



---------------------------------------------------------------------------------------------

Spybot Search and Destroy is outdated. Uninstall version 1.3, then do this:

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot.

---------------------------------------------------------------------------------------------

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
DSS logs (main.txt and extra.txt)
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 04-26-2007, 09:57 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

Okay! I'm up to the point where I have just run AVG Antivirus and saved the log. I rebooted into normal mode and tried to run Smitfraudfix. It was instantly deleted. Can I run option 3 of Smitfraudfix in safe mode or do you want to skip this step?

I'm posting the Rapport.txt from the earlier scan that was done in safe mode, as well as the AVG log and a current HJT log for you.

John
-----------------

_SmitFraudFix v2.171

Scan done at 10:03:33.09, Thu 04/26/2007
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ceca6f2b-247b-4ece-9b7a-d0135c8036fc}"="chitosan"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\David\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\SpyLocked\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32160FDB-D72F-49BC-A042-336B927E3B01}: DhcpNameServer=68.213.22.2 205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7CF1C02A-27C6-427F-A2C2-8370A924ED6D}: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.144.23


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

_____________

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:09 AM 4/26/2007

+ Scan result:



C:\Program Files\Common Files\Companion Wizard\WapCHK.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061747.exe -> Adware.SpyLocked : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP452\A0061665.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061695.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061729.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP453\A0061754.exe -> Downloader.Agent.bnc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060003.dll -> Downloader.Zlob.ato : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060007.exe -> Downloader.Zlob.atx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP428\A0060010.exe -> Downloader.Zlob.atx : Cleaned with backup (quarantined).
C:\QUARANTINE\winupd_KB21542167.exe.Vir -> Logger.Bancos.aam : Cleaned with backup (quarantined).
C:\Documents and Settings\David\Application Data\winantiviruspro2007freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9790085-D7CA-457D-BE2F-0E01BBF5A18A}\RP427\A0059963.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\QUARANTINE\winupd_KB00016252.exe.Vir -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svehost.exe -> Trojan.Agent.kq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\888111253.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winupd_KB68791722.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\QUARANTINE\botm[1].exe.Vir -> Worm.Limar : Cleaned with backup (quarantined).
C:\QUARANTINE\module.exe.Vir -> Worm.Limar : Cleaned with backup (quarantined).


::Report end

-------------------------

Note: Internet Explorer was open when I ran this HJT scan.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:49 AM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\ie_updater.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\clcl6.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
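The analyst reads O4 (Run keys) and O23 (services) lines like the ones in the log above by eye, weighing where the executable lives, whether the service has a vendor, and whether the value name fits the file it launches. As an added example that is not part of the thread and not HijackThis project code, the following Python helper applies those same checks mechanically to HijackThis v1.99-style lines. The sample lines, the severity levels and the small System32 allowlist are constructed assumptions; a "medium" or "info" hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99 format, modelled on the log posted above.
# Entries were chosen to exercise every rule; it is not a copy of the poster's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O23 - Service: Display (Short) - Vendor - C:\path\file.exe [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Quoted path, or an unquoted path up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)', re.IGNORECASE)

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "c:\\winnt\\")
PROFILE_ROOT = "c:\\documents and settings\\"
# Constructed allowlist: a few Windows binaries that legitimately autostart from System32
# on XP. Anything else there is flagged for review, not declared malicious.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium", "low" or "info"
    reason: str


def extract_exe(command: str) -> Optional[str]:
    """Pull the executable path out of a Run-key command line."""
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_location(exe: str) -> Optional[Tuple[str, str]]:
    """Rate the executable by where it runs from; None means nothing notable."""
    low = exe.lower()
    if "\\" not in low:
        return ("low", "bare file name, resolved through PATH lookup")
    if low.startswith(PROFILE_ROOT):
        return ("high", "executable runs from a user profile directory")
    if low.startswith(TRUSTED_ROOTS):
        base = low.rsplit("\\", 1)[1]
        if "\\system32\\" in low and base not in KNOWN_SYSTEM32:
            return ("medium", "unfamiliar executable in System32")
        return None
    return ("medium", "executable outside Program Files / Windows")


def name_mismatch(name: str, exe: str) -> bool:
    """True when the Run value name shares nothing with the file name it launches.
    Legitimate OEM entries trip this too, so it is reported as 'info' only."""
    stem = re.sub(r"[^a-z0-9]", "", exe.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0])
    val = re.sub(r"[^a-z0-9]", "", name.lower())
    return bool(stem and val) and stem not in val and val not in stem


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = extract_exe(m.group("cmd"))
            if exe is None:
                findings.append(Finding(line, "low", "could not parse command line"))
                continue
            loc = check_location(exe)
            if loc:
                findings.append(Finding(line, loc[0], loc[1]))
            if name_mismatch(m.group("name"), exe):
                findings.append(Finding(line, "info", "Run value name does not resemble the file name"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path").strip()
            missing = path.endswith("(file missing)")
            exe = path[: -len("(file missing)")].strip() if missing else path
            if m.group("owner") == "Unknown owner":
                findings.append(Finding(line, "medium", "service registered without a vendor name"))
            if missing:
                findings.append(Finding(line, "low", "service points at a file that no longer exists"))
            loc = check_location(exe)
            if loc:
                findings.append(Finding(line, loc[0], loc[1]))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "low", "info")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run against the constructed sample it raises one "high" (a service binary sitting directly under Documents and Settings), flags the two unfamiliar System32 executables and the two vendor-less services as "medium", and leaves the Synaptics, McAfee, AVG and ctfmon entries alone. The analyst still makes the call; the script only orders the list.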
Old 04-26-2007, 10:09 AM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,747
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

Hold off on the online scan for now....these instructions supersede any previous....

We'll take another route. Some other nasties have reared their head. Might be best to keep the machine disconnected from the network and internet, and transport tools from a clean machine.

Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Download this file:

http://downloads.malwareremoval.com/Nel/FixP.zip

extract and double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

---------------------------------------------------------------------------------------------


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\System32\clcl6.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\WINDOWS\System32\clcl6.exe

---------------------------------------------------------------------------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum in your next reply.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:
  2. Double click on ComboFix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Also post a new HJT log.

So, I need logs from:

SDFix
ComboFix
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob : 04-26-2007 at 10:11 AM.
Old 04-26-2007, 01:34 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

Okay! So far so good . . .

Per your instructions:
I've disconnected the infected machine from the Internet.
Here are the logs you requested. I noticed that combofix also created a quarantine log so I attached it also.

John
------------

SDFix: Version 1.79

Run by David - Thu 04/26/2007 - 14:42:13.08

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NDnet1
Runtime

ImagePath:
\??\C:\WINDOWS\System32\ksys.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys

NDnet1 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\7_exception.nls - Deleted
C:\WINDOWS\system32\ksys.sys - Deleted
C:\WINDOWS\system32\rpcc.exe - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\RunOnce2.tm_ - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Remaining Files:
---------------
C:\WINDOWS\system32\ksys.sys Found
C:\WINDOWS\system32\rpcc.exe Found
C:\WINDOWS\system32\RunOnce2.t__ Found
C:\WINDOWS\system32\RunOnce2.tm_ Found

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\InterActual\InterActual Player\iti8.tmp
C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem10.inf
C:\WINDOWS\LastGood.Tmp\INF\oem10.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem11.inf
C:\WINDOWS\LastGood.Tmp\INF\oem11.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem12.inf
C:\WINDOWS\LastGood.Tmp\INF\oem12.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem13.inf
C:\WINDOWS\LastGood.Tmp\INF\oem13.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem14.inf
C:\WINDOWS\LastGood.Tmp\INF\oem14.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem15.inf
C:\WINDOWS\LastGood.Tmp\INF\oem15.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem16.inf
C:\WINDOWS\LastGood.Tmp\INF\oem16.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem17.inf
C:\WINDOWS\LastGood.Tmp\INF\oem17.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem18.inf
C:\WINDOWS\LastGood.Tmp\INF\oem18.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem19.inf
C:\WINDOWS\LastGood.Tmp\INF\oem19.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem2.inf
C:\WINDOWS\LastGood.Tmp\INF\oem2.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem8.inf
C:\WINDOWS\LastGood.Tmp\INF\oem8.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem9.inf
C:\WINDOWS\LastGood.Tmp\INF\oem9.PNF

Finished
--------------------
Combofix log

"David" - 07-04-26 14:54:47 Service Pack 1
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\David\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\888111253.exe
C:\WINDOWS\system32\winupd_KB12931930.exe
C:\WINDOWS\system32\winupd_KB89914297.exe
C:\WINDOWS\system32\ksys.sys
C:\WINDOWS\system32\rpcc.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\NDnet1
-------\Runtime
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-26 to 2007-04-26 ))))))))))))))))))))))))))))))))))


2007-04-26 14:52 24,064 --a------ C:\WINDOWS\system32\winupd_KB65919063.exe
2007-04-26 14:47 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-26 14:46 7,296 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-04-26 14:46 11,776 --a------ C:\WINDOWS\system32\winupd_KB58620628.exe
2007-04-26 14:33 20,061 --a------ C:\WINDOWS\system32\winupd_KB69412836.exe
2007-04-26 14:27 20,061 --a------ C:\WINDOWS\system32\winupd_KB08494134.exe
2007-04-26 14:22 20,061 --a------ C:\WINDOWS\system32\winupd_KB26431806.exe
2007-04-26 14:10 20,061 --a------ C:\WINDOWS\system32\winupd_KB56829756.exe
2007-04-26 14:05 20,061 --a------ C:\WINDOWS\system32\winupd_KB59303473.exe
2007-04-26 13:59 20,061 --a------ C:\WINDOWS\system32\winupd_KB70645686.exe
2007-04-26 13:53 20,061 --a------ C:\WINDOWS\system32\winupd_KB08471726.exe
2007-04-26 13:36 20,061 --a------ C:\WINDOWS\system32\winupd_KB90069443.exe
2007-04-26 13:31 20,061 --a------ C:\WINDOWS\system32\winupd_KB90004561.exe
2007-04-26 13:19 20,061 --a------ C:\WINDOWS\system32\winupd_KB44318973.exe
2007-04-26 13:14 20,061 --a------ C:\WINDOWS\system32\winupd_KB78434668.exe
2007-04-26 13:08 20,061 --a------ C:\WINDOWS\system32\winupd_KB85131081.exe
2007-04-26 13:02 20,061 --a------ C:\WINDOWS\system32\winupd_KB17264537.exe
2007-04-26 12:57 20,061 --a------ C:\WINDOWS\system32\winupd_KB89378022.exe
2007-04-26 12:51 20,061 --a------ C:\WINDOWS\system32\winupd_KB77786317.exe
2007-04-26 12:39 20,061 --a------ C:\WINDOWS\system32\winupd_KB98221393.exe
2007-04-26 12:34 20,061 --a------ C:\WINDOWS\system32\winupd_KB81204801.exe
2007-04-26 12:28 20,061 --a------ C:\WINDOWS\system32\winupd_KB72117528.exe
2007-04-26 12:22 20,061 --a------ C:\WINDOWS\system32\winupd_KB18003240.exe
2007-04-26 12:16 20,061 --a------ C:\WINDOWS\system32\winupd_KB11901888.exe
2007-04-26 12:11 20,061 --a------ C:\WINDOWS\system32\winupd_KB92021998.exe
2007-04-26 12:05 20,061 --a------ C:\WINDOWS\system32\winupd_KB40754700.exe
2007-04-26 11:53 20,061 --a------ C:\WINDOWS\system32\winupd_KB56869449.exe
2007-04-26 11:47 20,061 --a------ C:\WINDOWS\system32\winupd_KB94184285.exe
2007-04-26 09:49 2,637 --a------ C:\WINDOWS\system32\winupd_KB04080293.exe
2007-04-26 09:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-26 09:17 974,914 --a------ C:\WINDOWS\system32\RC48E140.DLL
2007-04-26 09:17 77,824 --a------ C:\WINDOWS\system32\RCPRINT.dll
2007-04-26 09:17 69,632 --a------ C:\WINDOWS\system32\TIFmtA.dll
2007-04-26 09:17 61,440 --a------ C:\WINDOWS\system32\TrackID.dll
2007-04-26 09:17 61,440 --a------ C:\WINDOWS\system32\rdrvlog.dll
2007-04-26 09:17 57,344 --a------ C:\WINDOWS\system32\rdrvinf.dll
2007-04-26 09:17 53,248 --a------ C:\WINDOWS\system32\RICDB32.dll
2007-04-26 09:17 49,152 --a------ C:\WINDOWS\system32\TIBase64.dll
2007-04-26 09:17 37,376 --a------ C:\WINDOWS\system32\MFRICRES.dll
2007-04-26 09:17 32,768 --a------ C:\WINDOWS\system32\rc4mon.dll
2007-04-26 09:17 32,768 --a------ C:\WINDOWS\system32\RC00C140.dll
2007-04-26 09:17 27,136 --a------ C:\WINDOWS\system32\RCINST.dll
2007-04-26 09:17 262,364 --a------ C:\WINDOWS\system32\rpcsecl.dll
2007-04-26 09:17 221,184 --a------ C:\WINDOWS\system32\RICJC32.dll
2007-04-26 09:17 167,936 --a------ C:\WINDOWS\system32\JCUI.exe
2007-04-26 09:17 126,976 --a------ C:\WINDOWS\system32\Rc4manNT.dll
2007-04-26 09:17 1,236,992 --a------ C:\WINDOWS\system32\MP450dat.dll
2007-04-26 09:17 <DIR> d--h----- C:\_rpcs
2007-04-25 14:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-25 14:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-25 14:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-25 14:55 2,552 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-25 12:00 <DIR> d-------- C:\Program Files\Hijack This
2007-04-08 20:58 <DIR> d-------- C:\DOCUME~1\David\APPLIC~1\MSN6


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 14:47 -------- d--h----- C:\Program Files\windowsupdate
2007-03-23 09:59 -------- d-------- C:\DOCUME~1\David\APPLIC~1\winantivirus pro 2007


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"888111253.exe"="C:\\WINDOWS\\System32\\888111253.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-Link\\AIRPLU~1\\Reg.exe "
"item"="D-Link REG Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"in