Old 02-21-2007, 05:34 PM   #21 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


ok boss,

so. this look.bat thing is not working out I think. I've done just what you said and the icon looks like you said it would and it's named look.bat, but the report is saved as startup.txt and the report is blank. maybe it's possessed by the demon, which seems to be still alive and kicking, as I got kicked off the computer by nt authority when I scanned that file you asked by virus total. jotti said the file had already been scanned. I was able to save the results:

Jotti:
File: Update.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 bf04c16a4b1e6773a99356c564ddca43
Packers detected:
Complete scanning result of "Update.exe", received in VirusTotal at 02.22.2007, 00:20:09 (CET).


Virustotal
Antivirus Version Update Result
AntiVir 7.3.1.37 02.21.2007 TR/Dldr.Agent.13312.2
Authentium 4.93.8 02.21.2007 no virus found
Avast 4.7.936.0 02.21.2007 no virus found
AVG 386 02.21.2007 Downloader.Generic3.QDI
BitDefender 7.2 02.21.2007 Trojan.Downloader.Agent.AZE
CAT-QuickHeal 9.00 02.21.2007 no virus found
ClamAV devel-20060426 02.21.2007 no virus found
DrWeb 4.33 02.21.2007 Trojan.DownLoader.18938
eSafe 7.0.14.0 02.21.2007 Win32.Adclicker
eTrust-Vet 30.4.3417 02.21.2007 Win32/Matcash!generic
Ewido 4.0 02.21.2007 no virus found
FileAdvisor 1 02.22.2007 no virus found
Fortinet 2.85.0.0 02.21.2007 Dloader.K!tr
F-Prot 4.2.1.29 02.21.2007 no virus found
F-Secure 6.70.13030.0 02.21.2007 W32/DLoader.CAJS
Ikarus T3.1.0.31 02.21.2007 Trojan-Downloader.Agent.AZE
Kaspersky 4.0.2.24 02.21.2007 no virus found
McAfee 4968 02.21.2007 Generic Downloader.k
Microsoft 1.2204 02.21.2007 no virus found
NOD32v2 2074 02.21.2007 no virus found
Norman 5.80.02 02.21.2007 W32/DLoader.CAJS
Panda 9.0.0.4 02.21.2007 no virus found
Prevx1 V2 02.22.2007 Trojan.Updatex
Sophos 4.14.0 02.21.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.21.2007 Trojan.Adclicker
TheHacker 6.1.6.062 02.21.2007 no virus found
UNA 1.83 02.21.2007 no virus found
VBA32 3.11.2 02.21.2007 Trojan.DownLoader.18938
VirusBuster 4.3.19:9 02.21.2007 no virus found

Aditional Information
File size: 13312 bytes
MD5: bf04c16a4b1e6773a99356c564ddca43
SHA1: 0645385cf41b5b7ade8103e3f86b8722d75cfb08
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=859c77333499
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

here's the other logs:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

Logfile of HijackThis v1.99.1
Scan saved at 7:19:55 PM, on 2/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

and something just stopped pc-cillin from updating and it said I had another virus: bkdr_sdbot.gaa in file hwclock.exe. unable to remove or quarantine
dbstone is offline  
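
Added example, not part of the original posts and not code from HijackThis or any tool named in this thread: the Winlogon\Notify export above stores several DllName values as hex(2) data (UTF-16LE bytes in a Version 5.00 export), so the DLL names are not readable at a glance. This Python sketch decodes them and lists subkeys whose DLL is outside a comparison set; the function names, the "examplentfy" entry and the comparison set are assumptions made for illustration.

```python
import re

# Constructed sample in .reg (Version 5.00) format. The crypt32chain and cscdll
# entries copy values from the export posted above; "examplentfy" is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplentfy]
"DllName"=hex(2):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Startup"="ExampleStartup"
'''

# Comparison set: DLL names that appear in the export posted above (assumption:
# the reviewer treats these as already accounted for).
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
            "wlnotify.dll", "sclgntfy.dll"}


def join_continuations(text):
    """Merge a line ending in a backslash with the line that follows it."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # Plain REG_SZ: undo the backslash and quote escaping.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\(2\):(.*)$', raw)
    if m:
        # REG_EXPAND_SZ: comma-separated bytes, UTF-16LE, NUL-terminated.
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le', errors='replace').rstrip('\x00')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key path: {lower-cased value name: decoded value}}."""
    keys, current = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                # The export mixes "DllName" and "DLLName": compare lower-cased.
                current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def notify_dlls(text):
    """Map each Winlogon\\Notify subkey name to its decoded DLL name."""
    out = {}
    for key, values in parse_reg(text).items():
        head, _, sub = key.rpartition('\\')
        if head.lower().endswith(r'\winlogon\notify') and 'dllname' in values:
            out[sub] = values['dllname']
    return out


def unexpected(dlls, baseline):
    """Subkeys whose DLL is not in the comparison set (case-insensitive)."""
    base = {b.lower() for b in baseline}
    return sorted(sub for sub, dll in dlls.items() if dll.lower() not in base)


if __name__ == "__main__":
    found = notify_dlls(SAMPLE_REG)
    for sub, dll in sorted(found.items()):
        print(f"{sub:15} {dll}")
    print("review:", unexpected(found, BASELINE))
```
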

Old 02-21-2007, 06:53 PM   #22 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


I am checking the other data, in the meantime please delete this:

C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}


Quote:
this look.bat thing is not working out I think.
OK.. Let's try this:

Please open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
  • List all minor sections(Full)
  • List Empty Sections(Complete)
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and post it here

================================

Go to Start >Run and type "Notepad" without the quotes
Copy/paste the following blue text into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file mslook.bat
  • Save as Type: All files (not as a text document or it won't work)
  • Select the desktop icon on the left to save it on the desktop.
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 02-22-2007, 10:58 AM   #23 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi,

question: i've downloaded some critical patches from work onto a travel drive to apply at home because the new virus is preventing me from executing downloaded security patches. Can I transfer these patches from my travel drive to my computer using safe mode to prevent the files from becoming corrupted??

db
dbstone is offline  
Old 02-22-2007, 01:48 PM   #24 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Are they patches for SP1? Malware and SP2 do not get along very well and it's best to wait until the system is cleaned (if possible, considering the fact that it was very badly infected with bots and RATs to begin with).
amateur is offline
Old 02-22-2007, 05:48 PM   #25 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Evil

Hi,

here's the log from hjt:

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt

still not getting what you're looking for on the notepad business. now I get a pop up window that says cannot find c:\regkey.txt file. there's a black box on my desktop as well that says

c:\windows\system32\cmd.exe. it doesn't let me copy and paste the contents.

now notepad keeps freezing when I hit save as.
dbstone is offline  
Old 02-22-2007, 06:30 PM   #26 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


OK. We'll do it differently. Please try to stay on line as little as possible, only to post the results here.

1.) Go to Start>Run, and type msconfig and click OK
2.) If not already selected go to the General tab.
3.) Under Startup Selection select "Normal Startup - load all device drivers and services".
4.) Click Apply and then Close.
5.) When given the option, please choose to reboot the computer.
6.) Post a new HJT log here in this thread when you are done.
amateur is offline
Old 02-22-2007, 07:31 PM   #27 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


ok. here it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:25:35 PM, on 2/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
dbstone is offline  
Old 02-22-2007, 08:10 PM   #28 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Can you please rename HijackThis.exe to dbstone.exe, scan with it and post the log?
amateur is offline
Old 02-23-2007, 06:02 AM   #29 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi, well, I already had renamed it for another task you had given me to do. but I renamed it again for purity's sake. right clicked on the icon and hit rename. then typed dbstone.exe in the box....hope this is what you're looking for.

a weird screen came up this morning when I logged on. black screen with white type, as it looks when I'm in safe mode. said windows couldn't start and asked me to choose how I wanted to start. wouldn't restart into normal mode at first. I was able to restart into safe mode from there and then normal mode from safe mode.....

not sure if this is meaningful, but anyway, here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 7:57:38 AM, on 2/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC7B72C-91F7-4F52-8E26-E687CD920F8C}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
dbstone is offline  
Old 02-23-2007, 06:46 AM   #30 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


That's odd... It doesn't look like it's been renamed:

Quote:
C:\Program Files\HijackThis\hijackthis.exe
I would also like you to try this:

• Download catchme.exe ( 25kB ) to your desktop.
• Double click the catchme.exe to run it
• Open catchme.log to see results and post them here please.
amateur is offline
Old 02-23-2007, 04:45 PM   #31 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


my system is not allowing me to open catch me. says it is not a valid win32 application .....when I try to open it from firefox download window, I get a message box saying an external application must be launched to open program. requested link: external protocol request: file:///:c:documents%20and%20settings/.......desktop/catchme.exe

sigh.
dbstone is offline  
Old 02-23-2007, 04:46 PM   #32 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


I'll try it in safe mode, but it happened the other night with a winxp critical patch and I got the same thing in both places.
dbstone is offline  
Old 02-23-2007, 05:38 PM   #33 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


I suspect that you may be infected with the Gromozon rootkit. Your system doesn't seem to allow us to verify that. So, let's try the following tool and see what happens.

1) Download the Gromozon Rootkit Removal Tool by Prevx from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable for the duration of the fix.

3) Double click the file to run the tool.
  • Click Scan to begin.
  • If the tool reports that the infection has been found, allow it to clean it - if not close the tool.
  • If the infection is present, there should be a log produced - let me have a copy.
  • Please note: You do not need to download and install Prevx1 for the tool to work.
Let me know how you get on.
amateur is offline
Old 02-23-2007, 06:02 PM   #34 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi,

the Prevx tool did not find the gromozon rootkit....

haven't been finding any spyware lately, but things are moving very slowly.

db
dbstone is offline  
Old 02-24-2007, 03:29 AM   #35 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Quote:
Originally Posted by dbstone View Post
Hi,

the Prevx tool did not find the gromozon rootkit....

haven't been finding any spyware lately, but things are moving very slowly.

db
That's good news. This would be a good time to defrag and chkdisk.

Go to Start, Programs, Accessories, Command Prompt
type in the box at the cursor:
chkdsk C:

wait till it finishes, and see whether it finds any errors.
If it does, run again only this time type chkdsk c: /F
It will scan, then reboot to make the corrections.
If you get disk errors, check again every day and see if you get any more.
If you do, it will soon be time for a new hard drive, so back up your stuff before it crashes permanently.

To open Disk Defragmenter, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter. Use Analyze to determine if your system needs to be defragmented. Please select Defragment if it does.

Let me know how it went.
amateur is offline  
Old 02-24-2007, 05:57 AM   #36 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


the defrag did find problems and fixed them. interestingly, when I asked to fix problems I got a message that volume was being used by another program. I wasn't running any other programs. too creepy.

so...."will soon be time for another hard drive"....do you mean reinstall or buy a new computer?

I could reinstall this w/e. I've saved xp sp1a, trend 2007 (without updates), shoot the messenger, adaware, and spybot to a clean jump drive. Anything else you could suggest?

Are you sure that reinstalling will get rid of all the viruses? (trend has been continuing to find them, and not letting me know. I found them in the log). The guy at dell back before the third reinstall said I had a rootkit that survived two reinstalls.

db
dbstone is offline  
Old 02-24-2007, 02:01 PM   #37 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Hi,

Quote:
so...."will soon be time for another hard drive"....do you mean reinstall or buy a new computer?
This is only if you're receiving continuous errors with chkdsk, and I mean a new hard drive, not a reinstall or a new computer, though a new computer would come with a new hard drive.

Quote:
I could reinstall this w/e. I've saved xp sp1a, trend 2007 (without updates), shoot the messenger, adaware, and spybot to a clean jump drive. Anything else you could suggest?

Are you sure that reinstalling will get rid of all the viruses? (trend has been continuing to find them, and not letting me know. I found them in the log). The guy at dell back before the third reinstall said I had a rootkit that survived two reinstalls.

I suggested that you reformat and reinstall waaayyyyy back in the beginning. I don't mean a reinstall only, as it will not solve the problems if you have/had rootkits. If you have just reinstalled in the past, that may have been the reason why your system was never cleaned. To be sure that nothing remains you will have to make sure that everything is wiped clean/overwritten. So, you need to erase everything on the hard disk first. You could get a program that can do that like Killdisk or Heidi's Eraser and use it. After that, reformat the disk so the new allocation tables are installed, and then reinstall the operating system. You'll need to back up your documents, pictures, etc. before you do that. All other applications which you may have installed will also have to be reinstalled, and all your drivers will have to be updated. Here is a good link to Guide for Reformatting XP.

If you have any further questions about reformatting and re-installing XP, you would receive better help at the XP Forum since they are more qualified at it than I am.
amateur is offline  
Old 02-24-2007, 03:37 PM   #38 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi,

well, I thought that hard drives were the computer and the rest of the stuff is monitors and speakers, etc. I also thought that reformatting and reinstalling are the same thing. shows what I know.

so. can a virus ruin a hard drive to the point that you need a new one? I guess if I had understood that I would have opted for reformatting and reinstalling waaayy back when we started.

Is there any more we can do to get rid of this virus? are there antiviral programs I might purchase to remove it?

db
dbstone is offline  
Old 02-24-2007, 10:24 PM   #39 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,303
OS: XP SP3


Hi,

There may be many reasons why a hard drive/hard disk may fail, not necessarily caused by malware. A damaged sector *may* be an earlier warning sign that your hard drive is about to fail. If you have 1 damaged sector, it may not be all that bad. If you have many damaged sectors, that's a sign.

Quote:
Is there any more we can do to get rid of this virus? are there antiviral programs I might purchase to remove it?
In your post #34, you say that you haven't been finding any spyware lately, but things are moving very slowly. Then in post #36, you say that "trend has been continuing to find them, and not letting me know. I found them in the log". Your last HijackThis log was clean, except one entry which we'll deal with now.

Please print these instructions for access at all times.

Backup your Registry...
Click Start>Run. Type Regedit and press Enter. The registry editor opens.
On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop.

Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"~CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad.

Make sure that all windows are closed, including this one.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

=====================================

Update AVG Anti Spyware to the latest definitions.

=====================================

Download Gmer

=====================================

Boot into Safe Mode

=====================================

From Safe Mode run Ccleaner first to cut down on the scanning time. Please also delete everything inside the Quarantine folder of Trend Micro prior to scanning with AVG AS.

=====================================

Next, run AVG Anti Spyware and save the report.

=====================================

Then,
  • physically disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning....
  • Click "Rootkit" tab and click "Scan"
  • Once done, click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread please.
=====================================

Reboot into Normal Mode

=====================================

We need to make an online virus scan as well. This may take some time (about 1/2 hr) so please choose a quiet time to do it.

Perform an online scan using Internet Explorer with Panda ActiveScan
  • Click on located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
  • Enter your e-mail address, country, and state & click "Free Online Scan". The download of Panda's 8 MB ActiveX control will take place.
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click and post back the contents please.
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


====================================

Post the results from Gmer, AVG Anti Spyware, Panda Online scan and a fresh HijackThis log please and let's see how things are now.
amateur is offline  
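
A read-only check of the fixreg.reg file described in post #39, as an added example that is not part of the original thread: it parses the REGEDIT4 text, applies the two layout rules given there (REGEDIT4 on the first line, a blank line at the end) and lists what a merge would change. The function names and the GUID-shape check are assumptions of this example, and the sample text is constructed from the code box in the post.

```python
import re

# Well-formed "{GUID}" value name; this shape check is an assumption of the example.
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample: the fixreg.reg text from the post, CRLF line endings, one blank line at the end.
SAMPLE = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]\r\n"
    '"~CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-\r\n'
    '"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-\r\n'
    "\r\n"
)

def review_reg(text):
    """Parse REGEDIT4 text; return (problems, operations). Never touches the registry."""
    lines = text.replace("\r\n", "\n").split("\n")
    problems, ops, key = [], [], None
    if lines[0] != "REGEDIT4":
        problems.append("first line must be exactly REGEDIT4")
    if lines[-2:] != ["", ""]:
        problems.append("file must end with a blank line")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):   # "[-KEY]" removes the whole key
                ops.append(("delete-key", key[1:], None))
                key = None
            continue
        m = VALUE.match(line)
        if m is None or key is None:
            # anything else (including multi-line hex data) is left for manual review
            problems.append(f"line {n}: not understood: {line!r}")
            continue
        name, data = m.group(2) or m.group(1), m.group(3)
        ops.append(("delete-value" if data == "-" else "set-value", key, name))
    return problems, ops

def malformed_guid_names(ops):
    """Value names touched by the file that are not well-formed {GUID} strings."""
    return [name for _, _, name in ops if name and not GUID.match(name)]

if __name__ == "__main__":
    problems, ops = review_reg(SAMPLE)
    print(problems, ops, malformed_guid_names(ops))
```

On the sample, both lines come out as value deletions under URLSearchHooks, and only the name beginning with `~` is reported as not being a well-formed GUID.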
Old 02-27-2007, 10:20 AM   #40 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi,

Hmmm...the bit about trend finding "them" sounds weird out of context. I was referring to viruses. adaware and my other antispyware programs have not found spyware, but trend continues to find more viruses. that must be what's slowing down my computer.

anyway. the last time I tried to view your response, I was not able to access techsupport forum. I got a message that page wasn't responding, then my taskbar turned tan (like how it looks in safe mode), then I was kicked off the internet. I ran the chkdsk and fix dsk program again and it found more problems. it had only been one day and I hadn't used my system but to try to resolve these problems. I haven't been online since because I'm now worried about losing my harddrive entirely.

I don't think I'd be able to carry through with your most recent instructions. I'm responding from work and haven't turned on my computer since the other day.

I think my best option right now is to reformat and reinstall. I think, from looking over the instructions you sent me that that's what I've been doing all along....deleting the old partition and installing a new one.

I must have gotten re-infected either from trying to download updates after reinstalling or from copying my old copy of trend antivirus (perhaps that file itself is infected?). So, I'm going to wait and reinstall (and reformat) again when I get a copy of sp2 from microsoft. they said it will take 4-6 weeks. I may purchase a new antiviral program since my copy of trend may also be corrupt.

I very much appreciate all of your help here and sticking through this even though your best judgement was that I should reformat and reinstall. I take full responsibility for my decision to try to fight the virus instead. When I finally get this situation fixed, I'll be back to contribute something for all your hard work.

By the same token, I think that some action should be taken against the folks at x-cleaner, or whoever it was that sent me that original e-mail to update that was where all these problems stemmed from. It seems as though all the time and expense I've spent trying to recover from this assault should not go without some kind of corrective action. Is there any regulatory agency you're aware of where I can report this problem?? I still have the original e-mail from x-cleaner.

db
dbstone is offline  
All times are GMT -7.