Post #1 - 04-08-2005, 02:18 AM - Eldar (Registered User; joined Apr 2005; 16 posts; OS: XP)

Please help me get rid of dload.exe

Hiya!
I've been trying to get rid of this virus for about a week.
In the beginning there were two of them: one is called dload.exe and the other one was prvdi.exe (it seems as though I have gotten rid of this one for now, though). I tried Ad-Aware, Spybot and Norton, but nothing helped; it comes back after a few hours/minutes.
What bothers me the most about dload.exe is that sometimes it wakes up and starts eating my RAM, more than 60% of it.
Sometimes it sits there quietly, though, just like now when I did the HijackThis test; maybe that's why it didn't show it. Norton, however, does.
Its location is WINDOWS\system32\dload.exe


Here's what HijackThis showed:
--------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:19:25, on 8.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\PopOops\PopOops.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\cisvc.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\sdpasvc.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\KaZaa SLSK Emule\eMule0.30e\emule.exe
C:\KaZaa SLSK Emule\Soulseek\slsk.exe
E:\WINDOWS\System32\cidaemon.exe
E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Eldar\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tartu.stv.ee/modules.php?name=gb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tartu.stv.ee/modules.php?name=gb
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.13/100006/online.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.160.98/affiliates/acc00...::/acc0000.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098522362359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - E:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


Looking forward to any advice!
Cheers!
Post #2 - 04-08-2005, 05:16 AM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; joined Jan 2005; Ohio; 26,916 posts; OS: WinXP and Vista)

Hi Eldar and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

I appreciate your patience during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".
Post #3 - 04-08-2005, 09:32 AM - Ried

Hi Eldar,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

**Note** This will remove all entries in the "Trusted Zone"

Download the newest version of CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Run an online scan at Trend Micro or RAV Antivirus.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Live Update - this is not Symantec LiveUpdate

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tartu.stv.ee/modules.php?name=gb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://tartu.stv.ee/modules.php?name=gb
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://195.225.177.13/100006/online.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.160.98/affiliates/acc0...m::/acc0000.exe


Delete the following files and folders if they still exist (the entry below is a folder):

C:\Program Files\LiveUpdate

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Please post a fresh Hijack This log so that we can check if your system is clean.


It is very important that you get all of the critical updates for your Operating System and Internet Explorer. I notice your XP and your browser are not up to date and this makes you susceptible to attacks by Trojans and viruses.

After we verify that your system is clean, please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Note:
I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections.
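The fix list above is a set of recognisable patterns in a HijackThis log: hosts-file entries nobody asked for, additions to the Trusted sites zone, the http protocol moved into the My Computer zone, O16 DPF entries that use the ms-its:/mhtml: CHM loader to drop an executable, and a process or autostart entry living in a user's Temp folder. As an added example for this thread (not part of the original posts and not HijackThis code), the Python below encodes those patterns as triage rules and runs them over a sample log constructed from lines quoted in this thread; the O4 "Windows Service" entry pointing into Temp and the 192.0.2.10 CHM URL are made up for the example, everything else is copied from the first log. One caveat worth knowing: 127.0.0.3 is still a loopback address, so those O1 lines block the listed domains rather than redirect them anywhere; they are flagged because nothing the user installed should be rewriting the hosts file.

```python
"""Triage rules for a HijackThis 1.99 log.

Added example for this thread; it is not HijackThis code and not part of
the original posts.  The rules encode what the analyst flagged above.  The
sample log is constructed from lines quoted in this thread, except for the
O4 Temp-folder entry and the 192.0.2.10 CHM URL, which are made up.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample, trimmed from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\System32\smss.exe
E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0000_ho
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows Service] E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://192.0.2.10/x.chm::/x.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/
""".strip()


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section the line came from
    reason: str   # why a human should look at it
    line: str     # the offending log line, verbatim


# A path under a user profile's Temp folder, 8.3 or long form.
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
HOSTS = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
START_PAGE = re.compile(r"^R[01] - .*Start Page(?:_bak)? = (\S+)")
RUN_KEY = re.compile(r"^O4 - .*Run[^:]*: \[[^\]]*\]\s*(.+)$")
DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (.+)$")


def triage(log_text, allowed_start_hosts=frozenset()):
    """Return the lines an analyst would want to look at, in log order.

    allowed_start_hosts: hostnames the user actually chose as a start page;
    anything else in R0/R1 is reported.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR.search(line):
                findings.append(Finding("process", "executable running from a user Temp folder", line))
            continue
        m = HOSTS.match(line)
        if m:
            addr, host = m.groups()
            if not (host.lower() == "localhost" and addr in ("127.0.0.1", "::1")):
                findings.append(Finding("O1", f"hosts entry maps {host} to {addr} (not the default localhost line)", line))
            continue
        m = START_PAGE.match(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            if host not in allowed_start_hosts:
                findings.append(Finding("R0/R1", f"IE start page set to {host}", line))
            continue
        m = RUN_KEY.match(line)
        if m and TEMP_DIR.search(m.group(1)):
            findings.append(Finding("O4", "autostart entry launches an executable from a Temp folder", line))
            continue
        if line.startswith("O15 - Trusted IP range:") or line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding("O15", "host added to the IE Trusted sites zone (reduced security for that host)", line))
            continue
        if line.startswith("O15 - ProtocolDefaults:"):
            findings.append(Finding("O15", "protocol moved into the My Computer zone (weakest zone)", line))
            continue
        m = DPF.match(line)
        if m:
            target = m.group(1).lower()
            if target.startswith("ms-its:") or "mhtml:" in target:
                findings.append(Finding("O16", "DPF entry loads a remote CHM via ms-its:/mhtml: and runs an executable from it", line))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run as-is it reports seven lines from the sample and leaves the signed Symantec autostart, the default localhost line and the Windows Update control alone; pass `allowed_start_hosts={"quickmetasearch.com"}` only if the user really chose that page, and the R0 finding disappears.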
Post #4 - 04-08-2005, 01:37 PM - Eldar

Dear Mr. Ried,
Thank you so much for your time! :)

I did everything just like you said and followed all the instructions.
When I was online scanning at Trend Micro, it found two "uncleanable" infected files: TROJ_SMALL.UP in local settings\temp\prvdi.exe and TROJ_DLOADER.BK in windows\system32\dload.exe. Actions taken: "couldn't access prvdi.exe / deleted dload.exe".


This is my fresh log:
---------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:29:35, on 8.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
E:\PROGRA~1\PopOops\PopOops.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\cisvc.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\sdpasvc.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Eldar\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098522362359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - E:\WINDOWS\System32\sdpasvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


Waiting for further instructions ;)
Post #5 - 04-08-2005, 01:40 PM - Ried

Hi Eldar,
Thank you for the new log and information. This is still under the review of expert analysts and I will be back with the fix as soon as possible.
Post #6 - 04-08-2005, 03:48 PM - Eldar

Just letting you know that prvdi.exe and dload.exe have reappeared in windows\system32 :'-(
Post #7 - 04-08-2005, 04:03 PM - Ried

Thanks for the info Eldar. (I thought it might). This is still under review, I'll be back with the fix a.s.a.p.
Post #8 - 04-08-2005, 07:39 PM - Ried

Hello again,

Please be sure the following instructions are still in effect:

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked.

In Windows XP's search feature, click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.


Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

E:\WINDOWS\System32\sdpasvc.exe
E:\WINDOWS\System32\tcpsvcs.exe


Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot and run new HijackThis scan, post it in this thread along with the TDS-3 and Startdreck logs.
Post #9 - 04-09-2005, 05:03 AM - Eldar

Hiya! Me again. Thanks a bunch for your time and help!

Here's what I received:
TDS-3
12:29:22 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
12:29:22 [Init] Started 09-04-05 12:29:22 FLE Standard Time (UTC: -2), Internet Time @478,73
12:29:22 [Init] Loading TDS-3 Systems ...
12:29:22 [Init] Token successfully adjusted.
12:29:22 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
12:29:23 [Init] • Plugins : OK. Loaded 13
12:29:23 [Init] • Exec Protection : Not Installed
12:29:23 [Init] WARNING: Your Radius.TD3 database needs to be updated!
12:29:23 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 (NOTE! i did upgrade though)
12:29:23 [Init] Licensed users can use the Update facility from the TDS menu
12:29:23 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
12:29:36 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
12:29:36 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
12:29:36 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
12:29:36 [Init] TDS-3 Ready. <Eldar@85.196.198.11, 127.0.0.1 - Estonia>
12:29:36 [Tip Of The Day] For a summary of what a button or feature of TDS-3 does, hover the mouse cursor over it to get tooltip information.
12:29:36 [TDS] Good afternoon Eldar. Why don't you ever take me out for lunch?
12:29:46 [Mutex Memory Scan] Started...
12:29:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
12:29:51 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
12:30:03 [CRC32] Started - verifying 29 files ...
12:30:12 [CRC32] Test finished.
12:33:55 [Memory Scan] Memory scan started, please wait a moment ...
12:33:57 [Memory Scan] Memory scan complete.
12:33:57 [Mutex Memory Scan] Started...
12:34:01 [Mutex Memory Scan] Finished (no trojan mutexes found).
12:34:01 [Trace Scan] Started...
12:34:30 [Trace Scan] Finished.
12:34:30 [ServiceScan] Scanning for services and drivers ...
12:34:44 [ServiceScan] Scanned 298 services and drivers.
12:34:44 [File Scan] Scanning in A:\ ...
12:34:45 [File Scan] Scanned 0 files: 2 alarms in 1,074219 seconds (Avg 1, files/sec)
12:34:45 [File Scan] Scanning in C:\ ...
12:44:04 [File Scan] Scanned 13455 files: 2 alarms in 559,2656 seconds (Avg 25,06 files/sec)
12:44:04 [File Scan] Scanning in D:\ ...
12:48:37 [File Scan] Scanned 6655 files: 2 alarms in 272,9141 seconds (Avg 25,38 files/sec)
12:48:37 [File Scan] Scanning in E:\ ...
13:25:17 [File Scan] Scanned 19983 files: 5 alarms in 2199,551 seconds (Avg 10,09 files/sec)
13:25:17 [File Scan] Scanning in F:\ ...
13:25:17 [File Scan] Scanned 0 files: 5 alarms in 1,171875E-02 seconds (Avg 1, files/sec)
13:25:17 [File Scan] Scanning in G:\ ...
13:25:17 [File Scan] Scanned 0 files: 5 alarms in 0 seconds (Avg -1,#IND files/sec)
13:25:17 [File Scan] Scanning in H:\ ...
13:25:17 [File Scan] Scanned 0 files: 5 alarms in 0 seconds (Avg -1,#IND files/sec)
13:25:17 [Scan] Finished.
13:32:22 [Text Dump] Saved to E:\Program Files\TDS3\scandump.txt

TDS-3 results:
Scan Control Dumped @ 13:32:22 09-04-05
File Trace: Default trojan filename: Suspicious
File: E:\WINDOWS\toolbar.exe

File Trace: Default trojan filename: Suspicious
File: E:\WINDOWS\mstasks1.exe

Suspicious Filename: Dual extensions
File: e:\documents and settings\eldar\desktop\xvid-1.1[codec-download.de].exe

Positive identification (embedded in file): TrojanDownloader.Win32.Delf.dg
File: e:\documents and settings\eldar\local settings\temp\prvdi.exe

Trojan Client\EditServer found: DDoS.RAT.SDBot Control (Utility)
File: e:\windows\system32\sdsrvctl.exe


StartDreck

StartDreck (build 2.1.7 public stable) - 2005-04-09 @ 13:39:15 (GMT +02:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Eldar at EE-3WI4EUUK3BUO

»Registry
»Run Keys
»Current User
»Run
*TransTask=
*Tweak-XP=
*ctfmon.exe=E:\WINDOWS\System32\ctfmon.exe
*MsnMsgr="E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*Windows Service=E:\WINDOWS\System32\prvdi.exe
»RunOnce
+ApprovedByRegRun2
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ccApp="E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*SSC_UserPrompt=E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*Symantec NetDriver Monitor=E:\PROGRA~1\SYMNET~1\SNDMon.exe
*NeroFilterCheck=E:\WINDOWS\system32\NeroCheck.exe
*PopOops=E:\PROGRA~1\PopOops\PopOops.exe
*iKeyWorks=E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
*Zone Labs Client="E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*Windows Service=E:\WINDOWS\System32\prvdi.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
+ApprovedByRegRun2
»RunServices
»RunServicesOnce
+ApprovedByRegRun2
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="E:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=E:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="E:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="E:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=E:\WINDOWS\inf\unregmp2.exe /HideWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Remove.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*Jccatch.IeCatch2.1/{A5366673-E8CA-11D3-9CD9-0090271D075B}
`InprocServer32=E:\PROGRA~1\FlashGet\jccatch.dll
»Internet Explorer
»Current User
*Local Page=E:\WINDOWS\System32\blank.htm
*Search Bar=
*Search Page=http://ie.search.msn.com
*Start Page=about:blank
*SearchAssistant=
+SearchUrl
*provider=
»Default User
»Local Machine
*Default_Page_URL=http://www.msn.com
*Default_Search_URL=http://ie.search.msn.com
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=
*Search Page=http://ie.search.msn.com
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=E:\WINDOWS\System32\msvcrta.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=E:\WINDOWS\System32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=E:\WINDOWS\System32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=E:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*E:\Documents and Settings\Eldar\Start Menu\Programs\Startup\desktop.ini
»Default User
*E:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*E:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*E:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*E:\WINDOWS\System32\autoexec.nt
*E:\WINDOWS\winstart.bat
*E:\WINDOWS\hosts
`127.0.0.3 n-glx.s-redirect.com
`127.0.0.3 x.full-tgp.net
`127.0.0.3 counter.sexmaniack.com
`127.0.0.3 autoescrowpay.com
`127.0.0.3 www.autoescrowpay.com
`127.0.0.3 www.awmdabest.com
`127.0.0.3 www.sexfiles.nu
`127.0.0.3 awmdabest.com
`127.0.0.3 sexfiles.nu
`127.0.0.3 allforadult.com
`127.0.0.3 www.allforadult.com
`127.0.0.3 www.iframe.biz
`127.0.0.3 iframe.biz
`127.0.0.3 www.newiframe.biz
`127.0.0.3 newiframe.biz
`127.0.0.3 www.vesbiz.biz
`127.0.0.3 vesbiz.biz
`127.0.0.3 www.pizdato.biz
`127.0.0.3 pizdato.biz
`127.0.0.3 www.aaasexypics.com
`127.0.0.3 aaasexypics.com
`127.0.0.3 www.virgin-tgp.net
`127.0.0.3 virgin-tgp.net
*E:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
`64.91.255.87 www.dcsresearch.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*E:\WINDOWS\System32\win.com
*E:\WINDOWS\explorer.exe
»%PATH% Companion Files
+E:\WINDOWS\System32\notepad.exe
*E:\WINDOWS\NOTEPAD.EXE
+E:\WINDOWS\System32\shutdown.exe
*E:\WINDOWS\shutdown.exe
+E:\WINDOWS\System32\taskman.exe
*E:\WINDOWS\TASKMAN.EXE
+E:\WINDOWS\System32\winhlp32.exe
*E:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+460=\SystemRoot\System32\smss.exe
+524=\??\E:\WINDOWS\system32\csrss.exe
+548=\??\E:\WINDOWS\system32\winlogon.exe
+592=E:\WINDOWS\system32\services.exe
+604=E:\WINDOWS\system32\lsass.exe
+764=E:\WINDOWS\system32\svchost.exe
+816=E:\WINDOWS\System32\svchost.exe
+900=E:\WINDOWS\System32\svchost.exe
+932=E:\WINDOWS\System32\svchost.exe
+1244=E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1260=E:\WINDOWS\Explorer.EXE
+1292=E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
+1340=E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
+1556=E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1600=E:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1632=E:\PROGRA~1\PopOops\PopOops.exe
+1660=E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
+1668=E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+1684=E:\WINDOWS\System32\ctfmon.exe
+1708=E:\Program Files\MSN Messenger\MsnMsgr.Exe
+496=E:\WINDOWS\System32\cisvc.exe
+712=E:\Program Files\Norton AntiVirus\navapsvc.exe
+800=E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
+1112=E:\WINDOWS\System32\sdpasvc.exe
+1144=E:\WINDOWS\System32\tcpsvcs.exe
+948=E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+1252=E:\WINDOWS\System32\wdfmgr.exe
+1456=E:\WINDOWS\system32\ZoneLabs\vsmon.exe
+2280=E:\WINDOWS\System32\cidaemon.exe
+1268=E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
+2276=E:\Program Files\Internet Explorer\iexplore.exe
+3108=E:\Program Files\FlashGet\flashget.exe
+3272=E:\Documents and Settings\Eldar\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 14:04:39, on 9.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\PopOops\PopOops.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\prvdi.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\cisvc.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\System32\cidaemon.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Eldar\Desktop\hijackthis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098522362359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Unknown owner - E:\WINDOWS\System32\sdpasvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
Old 04-09-2005, 06:36 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Once again, thank you for the logs. I'll be back with the fix as soon as possible.
Old 04-10-2005, 05:31 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Hi Eldar,



Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run Hoster again. Choose the 'Restore Original Hosts' button and press OK.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

E:\WINDOWS\toolbar.exe
E:\WINDOWS\mstasks1.exe
e:\documents and settings\eldar\desktop\xvid-1.1[codec-download.de].exe
e:\documents and settings\eldar\local settings\temp\prvdi.exe
e:\windows\system32\sdsrvctl.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

E:\WINDOWS\toolbar.exe
E:\WINDOWS\mstasks1.exe
e:\documents and settings\eldar\desktop\xvid-1.1[codec-download.de].exe
e:\windows\system32\sdsrvctl.exe
E:\WINDOWS\System32\prvdi.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode

Run new HijackThis scan, post it in this thread.

Run another scan with TDS-3. Post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window.
Old 04-11-2005, 03:29 AM   #12 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 16
OS: xp


ok here we go:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:45, on 11.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\PopOops\PopOops.exe
E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\cisvc.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\System32\cidaemon.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\WINDOWS\System32\dload.exe
E:\Documents and Settings\Eldar\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098522362359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Unknown owner - E:\WINDOWS\System32\sdpasvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe



TDS-3 Results:

11:28:29 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
11:28:29 [Init] Started 11-04-05 11:28:29 FLE Standard Time (UTC: -2), Internet Time @436,45
11:28:29 [Init] Loading TDS-3 Systems ...
11:28:29 [Init] Token successfully adjusted.
11:28:29 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
11:28:30 [Init] • Plugins : OK. Loaded 13
11:28:30 [Init] • Exec Protection : Not Installed
11:28:30 [Init] WARNING: Your Radius.TD3 database needs to be updated!
11:28:30 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
11:28:30 [Init] Licensed users can use the Update facility from the TDS menu
11:28:30 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
11:28:46 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
11:28:46 [Init] • Systems Initialised [51728 references - 26260 primaries/13254 traces/12214 variants/other]
11:28:46 [Init] Radius Systems loaded. <Databases updated 09-04-2005>
11:28:46 [Init] TDS-3 Ready. <Eldar@85.196.198.11, 127.0.0.1 - Estonia>
11:28:46 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system to detect NTFS Streams! You can even remove trojans when found in a stream, without damaging the parent file. See the help file for more information.
11:28:46 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
11:28:46 [TDS] Good morning Eldar.
11:28:58 [Mutex Memory Scan] Started...
11:29:01 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:29:01 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
11:29:13 [CRC32] Started - verifying 29 files ...
11:29:25 [CRC32] Test finished.
11:32:39 [Memory Scan] Memory scan started, please wait a moment ...
11:32:41 [Memory Scan] Memory scan complete.
11:32:41 [Mutex Memory Scan] Started...
11:32:42 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:32:42 [Trace Scan] Started...
11:33:20 [Trace Scan] Finished.
11:33:20 [ServiceScan] Scanning for services and drivers ...
11:33:36 [ServiceScan] Scanned 298 services and drivers.
11:33:36 [File Scan] Scanning in A:\ ...
11:33:38 [File Scan] Scanned 0 files: 0 alarms in 1,082031 seconds (Avg 1, files/sec)
11:33:38 [File Scan] Scanning in C:\ ...
11:44:54 [File Scan] Scanned 13446 files: 0 alarms in 676,6523 seconds (Avg 20,87 files/sec)
11:44:54 [File Scan] Scanning in D:\ ...
11:50:12 [File Scan] Scanned 6655 files: 0 alarms in 317,2969 seconds (Avg 21,97 files/sec)
11:50:12 [File Scan] Scanning in E:\ ...
12:23:49 [Text Dump] Saved to E:\Program Files\TDS3\scandump.txt

---------------------------------------------------
Scan Control Dumped @ 12:28:05 11-04-05
Positive identification: TrojanDownloader.Win32.Delf.dg
File: e:\windows\system32\dload.exe

Positive identification (embedded in file): TrojanDownloader.Win32.Delf.dg
File: e:\windows\system32\prvdi.exe

Positive identification: TrojanDropper.Win32.Small.rd
File: e:\windows\system32\prvdi.exe
Old 04-11-2005, 07:42 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 16
OS: xp


just wanted to add this picture:

Old 04-11-2005, 08:06 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Thanks for the visual aid. Sometimes these are stubborn, but we'll get it!

As before, I am currently reviewing your log under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

If another Analyst responds, please follow their instructions.
Old 04-12-2005, 05:53 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Hi Eldar,

Let’s try this again:

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\WINDOWS\System32\dload.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\WINDOWS\System32\dload.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode.

We'll need to dig deeper to find the core file here. Please do the following:

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double-click the Mwav.exe file. (This is a stand-alone tool and NOT just a virus checker, so it won't install anything.)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left-click and highlight all the info in the lower pane, then use "CTRL C" on your keyboard to copy everything found in the lower pane and save it to a Notepad file.

*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We are not going to use this to remove anything, but to ID the bad guys.

Once you copy that to a Notepad file, highlight the text and copy it here along with a new HijackThis log.

Download and unzip
http://castlecops.com/zx/Zupe/Find%20It%20NT-2K-XP.zip
Double-click on find.bat inside the folder to run it. It should run for a while, then open a text document. Please copy and paste the contents of that document here.

Download "Silent Runners.vbs", revision 34, from http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

So I'll need these logs in your next post:
Mwav
FindItNT
SilentRunners
HijackThis
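A small triage helper for HijackThis logs like the ones posted in this thread, written here as an added example (it is not code from HijackThis, TSF or either poster). It parses O1, O4 and O23 lines and flags the patterns the fix lists in posts #11 and #15 target: a Run entry with a generic display name such as [Windows Service] registered under both HKLM and HKCU, an autostart launched from a Temp folder, a hosts override, and a service whose binary is missing. The sample log lines are constructed from the thread's log, and the list of generic names beyond "Windows Service" is an assumption.

```python
"""Triage helper for HijackThis v1.99-style logs (added example; not HijackThis
code).  It parses O1 (hosts), O4 (Run keys) and O23 (services) lines and flags
the patterns an analyst checks before building a fix list."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Heuristic: display names that say nothing about the program.  "Windows Service"
# is the name used by the prvdi.exe entries in this thread; the rest are assumptions.
GENERIC_NAMES = {"windows service", "windows update", "system", "microsoft"}
# Path fragments for per-user temp folders (8.3 and long forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Constructed sample, modelled on the O1/O4/O23 lines posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: SDPAUMS server service (SDPASVC) - Unknown owner - E:\WINDOWS\System32\sdpasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the log line (empty for findings that span several lines)


def command_path(cmd: str) -> str:
    """Return the executable path from a Run-key command string.

    Quoted paths are taken verbatim; unquoted ones (which may contain spaces,
    as several Program Files entries in the log do) are cut after the first
    executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|pif|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Scan a HijackThis log and return the lines worth an analyst's attention."""
    findings: list[Finding] = []
    hives_by_name: dict[str, set[str]] = defaultdict(set)

    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):
            # HJT only lists hosts entries beyond the default localhost line,
            # so every O1 line is a manual DNS override that needs explaining.
            findings.append(Finding("O1", "hosts file overrides DNS for a name", line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, _key, name, cmd = m.groups()
            hives_by_name[name.lower()].add(hive)
            path = command_path(cmd).lower()
            if name.lower() in GENERIC_NAMES:
                findings.append(Finding("O4", f"generic display name [{name}]", line))
            if any(marker in path for marker in TEMP_MARKERS):
                findings.append(Finding("O4", "autostart runs from a Temp folder", line))
            continue
        m = O23_RE.match(line)
        if m:
            _svc, owner, target = m.groups()
            if target.endswith("(file missing)"):
                findings.append(Finding("O23", "service binary is missing", line))
            elif owner == "Unknown owner":
                findings.append(Finding("O23", "service has no identified vendor", line))

    # The same display name registered under both HKLM and HKCU (as prvdi.exe
    # is in this thread) is a persistence pattern worth a second look.
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(Finding("O4", f"[{name}] registered in {len(hives)} hives", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.line}")
```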
Old 04-12-2005, 09:20 AM   #16 (permalink)
Registered User
 
Join Date: Apr 2005
Posts: 16
OS: xp


hi Ried!

ok here's what i got:

Mwav.exe results

File E:\WINDOWS\System32\msvcrta.dll infected by "Trojan.Win32.Agent.q" Virus. Action Taken: No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Hijack Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "tsa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\hosts infected by "Trojan.Win32.Qhost.k" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Eldar\Desktop\HSFix\HSFix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\02707A01.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\027E21F3.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\03AF5734.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\04342612.exe infected by "Trojan-Spy.Win32.KBMan" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\0437500F.dll infected by "not-a-virus:AdWare.WinAD.t" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\058D503A.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\0A7471A3.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\0C175553.exe infected by "Trojan-Downloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\0EF57960.exe infected by "Trojan-Downloader.Win32.TSUpdate.f" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\115832E0.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\12ED2863.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\13276A17.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\13552E82.exe infected by "Trojan-Downloader.Win32.Small.vq" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\143115D1.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\14CA7C4E.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\16420A6F.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1AF64708.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1AFD1B01.exe infected by "Trojan-Downloader.Win32.TSUpdate.i" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1C8C25BD.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1DD32E63.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1E0321AB.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\1EAF583D.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\24944F7B.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\25365760.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\25D76AB1.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\286A3CD8.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\2D796128.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\2E631495.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\2FEF641A.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\30390975.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\30390975.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\33DD496A.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\33DD496A.ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\33E17366.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\33E17366.ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\34F33B9D.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\35263C4C.htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\35F81A93.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\35FE6E8C.dll infected by "not-a-virus:AdWare.WinAD.m" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\36021889.exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\360F407A.dll infected by "not-a-virus:AdWare.WinAD.n" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\36126A77.fr6 infected by "not-a-virus:AdWare.WinAD.m" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\3713393E.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\38A10DB6.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\399F020F.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\3B0552AB.dll infected by "not-a-virus:AdWare.WinAD.n" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\3F9A1DF5.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\410211D2.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\426536AF.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\426860AC.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\462F71C3.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\47805651.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\47A725C7.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\4A550681.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\4D6B554D.dll infected by "Trojan-Downloader.Win32.IstBar.gp" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\53E010B8.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\552E4D93.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\55317790.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5C9D53D8.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5CA751CD.EXE infected by "Trojan-Downloader.Win32.TSUpdate.f" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5CFB16D8.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5D3A3F3D.exe infected by "Trojan-Downloader.Win32.WinShow.am" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5F212BB3.exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5F3D65D3.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\5F736AC1.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\63CC7FAA.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\668E362C.exe infected by "not-a-virus:AdWare.WinAD.k" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\669E081A.exe infected by "not-a-virus:AdWare.WinAD.s" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\66A45C12.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\68250324.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\68804E32.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\69B47653.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\6D0C5E3A.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\6D9E285F.dll infected by "not-a-virus:AdWare.WinAD.t" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\6E83561C.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\6F6B16D9.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\6FF25FB0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\722472BB.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\79055B74.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\79175029.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\7A2C6306.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\Norton AntiVirus\Quarantine\7B0936FB.exe infected by "Trojan-Downloader.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File E:\Program Files\PopOops\PopOops.dll infected by "not-a-virus:AdWare.VirtualBouncer.g" Virus. Action Taken: No Action Taken.
File E:\Program Files\SearchRelevant\SearchRelevant5.dll infected by "not-a-virus:AdWare.Relevance.c" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\hosts infected by "Trojan.Win32.Qhost.k" Virus. Action Taken: No Action Taken.

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 17:54:25, on 12.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Documents and Settings\Eldar\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [iKeyWorks] E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098522362359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


Find It NT-2K-XP

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: E:\Documents and Settings\Eldar\Desktop\DELETING VIRUS\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive E is Windows Disk
Volume Serial Number is 20C9-B1DE

Directory of E:\WINDOWS\System32

11.04.2005 02:11 <DIR> dllcache
10.04.2005 18:36 952 KGyGaAvL.sys
09.04.2005 00:57 (2) AUTOEXEC.NT
23.10.2004 11:01 <DIR> Microsoft
2 File(s) 954 bytes
2 Dir(s) 3,883,040,768 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive E is Windows Disk
Volume Serial Number is 20C9-B1DE

Directory of E:\WINDOWS\System32

12.04.2005 16:36 890 vsconfig.xml
11.04.2005 02:11 <DIR> dllcache
10.04.2005 18:36 952 KGyGaAvL.sys
09.04.2005 00:57 (2) AUTOEXEC.NT
01.03.2005 02:08 4,212 zllictbl.dat
23.10.2004 10:29 488 logonui.exe.manifest
23.10.2004 10:29 488 WindowsLogon.manifest
23.10.2004 10:28 749 cdplayer.exe.manifest
23.10.2004 10:28 749 sapi.cpl.manifest
23.10.2004 10:28 749 wuaucpl.cpl.manifest
23.10.2004 10:28 749 nwc.cpl.manifest
23.10.2004 10:28 749 ncpa.cpl.manifest
11 File(s) 10,777 bytes
1 Dir(s) 3,883,036,672 bytes free

------------ Files Named "Guard" ---------------

Volume in drive E is Windows Disk
Volume Serial Number is 20C9-B1DE

Directory of E:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive E is Windows Disk
Volume Serial Number is 20C9-B1DE

Directory of E:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"KB0:25790"="Microsoft patch"


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------
One or more CON code pages invalid for given keyboard code

E:\WINDOWS\SYSTEM32\
autoexec.nt Sat Apr 9 2005 12:57:50a A.SHR 2 0.00 K
kgygaavl.sys Sun Apr 10 2005 6:36:46p A.SH. 952 0.93 K
vsconfig.xml Tue Apr 12 2005 4:36:38p A..H. 890 0.87 K
zllictbl.dat Tue Mar 1 2005 2:08:44a ...H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 6,056 bytes 5.91 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

E:\WINDOWS\system32\in10b6s.dll: aspack
E:\WINDOWS\system32\suppdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="E:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"PopOops"="E:\\PROGRA~1\\PopOops\\PopOops.exe"
"iKeyWorks"="E:\\PROGRA~1\\A4Tech\\Keyboard\\Ikeymain.exe"
"Zone Labs Client"="\"E:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





SilentRunners

"Silent Runners.vbs", revision 34, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TransTask" = (no data)
"Tweak-XP" = (no data)
"ctfmon.exe" = "E:\WINDOWS\System32\ctfmon.exe" [MS]
"MsnMsgr" = ""E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""E:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "E:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"PopOops" = "E:\PROGRA~1\PopOops\PopOops.exe" ["Shahin Gasanov"]
"iKeyWorks" = "E:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" ["A4Tech Co.,Ltd."]
"Zone Labs Client" = ""E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "E:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "E:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection E:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" = "WebCheck"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\msvcrta.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\upnpui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\msvcrta.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\Documents and Settings\Eldar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Eldar" -> launches: "E:\PROGRA~1\NORTON~1\Navw32.exe /task:"E:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\
(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]
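The "Keys Under Notify" section of that Find It output lists Winlogon notification packages: each subkey's DllName is a DLL that winlogon.exe loads on logon, logoff, startup and similar events, so an extra subkey there is a persistence point worth checking on a Windows 2000/XP box, and the dump above happens to show only the stock set. What follows is an added example (not part of this thread, and not code from the Find It tool) that parses such a REGEDIT4 dump, decodes the hex(2) DllName values, and flags any package not in an assumed stock XP SP1 list. The sample dump is constructed from two of the entries above plus a made-up "ExampleHook" subkey standing in for a dropped DLL; the XP_DEFAULT_NOTIFY table is an assumption taken from the dump itself.

```python
"""Parse a REGEDIT4 dump of Winlogon\\Notify and flag non-stock packages (added example)."""
from __future__ import annotations

import re

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumption: stock Windows XP SP1 notification packages, as listed in the
# Find It dump in this thread. Subkey names are compared case-insensitively.
XP_DEFAULT_NOTIFY = {
    'crypt32chain': 'crypt32.dll',
    'cryptnet': 'cryptnet.dll',
    'cscdll': 'cscdll.dll',
    'sccertprop': 'wlnotify.dll',
    'schedule': 'wlnotify.dll',
    'sclgntfy': 'sclgntfy.dll',
    'senslogn': 'wlnotify.dll',
    'termsrv': 'wlnotify.dll',
    'wlballoon': 'wlnotify.dll',
}

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_reg_value(data: str) -> str | int:
    """Decode the three REGEDIT4 value encodings that appear in the dump."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]                       # REG_SZ
    if data.startswith('dword:'):
        return int(data[6:], 16)                # REG_DWORD, eight hex digits
    if data.startswith('hex(2):'):
        # REG_EXPAND_SZ: comma-separated ANSI bytes, NUL-terminated
        raw = bytes(int(b, 16) for b in data[7:].split(',') if b)
        return raw.rstrip(b'\x00').decode('latin-1')
    raise ValueError(f'unsupported value encoding: {data}')


def parse_notify_dump(text: str) -> dict[str, dict[str, str | int]]:
    """Return {subkey: {value_name: value}} for every subkey under Winlogon\\Notify."""
    prefix = (NOTIFY_KEY + '\\').lower()
    packages: dict[str, dict[str, str | int]] = {}
    current = None
    pending = ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith('\\'):            # regedit wraps long hex values with a trailing backslash
            pending = line[:-1]
            continue
        pending = ''
        if not line or line == 'REGEDIT4':
            continue
        km = KEY_RE.match(line)
        if km:
            key = km['key']
            current = packages.setdefault(key[len(prefix):], {}) if key.lower().startswith(prefix) else None
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm['name']] = decode_reg_value(vm['data'])
    return packages


def audit_notify(packages: dict[str, dict[str, str | int]]) -> list[tuple[str, str, str]]:
    """Return (subkey, dll, reason) for every package that is not a stock one."""
    findings = []
    for sub, values in packages.items():
        # value names are case-insensitive; the dump spells it both DllName and DLLName
        dll = next((str(v) for k, v in values.items() if k.lower() == 'dllname'), None)
        expected = XP_DEFAULT_NOTIFY.get(sub.lower())
        if dll is None:
            findings.append((sub, '', 'no DllName value'))
        elif expected is None:
            findings.append((sub, dll, 'not a stock XP notification package'))
        elif dll.lower().rsplit('\\', 1)[-1] != expected:
            findings.append((sub, dll, f'DllName differs from stock {expected}'))
    return findings


# Constructed sample: two stock entries copied from the dump above plus a
# hypothetical "ExampleHook" package (exmplhk.dll is a made-up name).
SAMPLE_DUMP = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleHook]
"DllName"="exmplhk.dll"
"Logon"="OnLogon"
'''

if __name__ == '__main__':
    for sub, dll, reason in audit_notify(parse_notify_dump(SAMPLE_DUMP)):
        print(f'{sub}: {dll or "(none)"} -> {reason}')
```

Feed it the "Keys Under Notify" block of a Find It log (or a `regedit /e` export of that key) and anything not in the stock table is printed. Note that a stock-looking subkey with a bare DllName is loaded from the normal DLL search path, so a same-named DLL dropped into System32 would not be caught by this name check alone; that is why the date-sorted System32 listing in the same log is worth reading next to it.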
Old 04-12-2005, 10:15 AM   #17
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Thanks Eldar--If another Analyst responds, please follow their instructions.
Old 04-13-2005, 07:32 AM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Hi Eldar,

Let's be sure these options are still in effect:

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

It looks like you already have HSFix on your desktop. If not:
Please download HSFix
Create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder. (We will run it later in Safe Mode.)

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

E:\WINDOWS\System32\msvcrta.dll
(See if these 2 have reappeared)
E:\DOCUME~1\Eldar\LOCALS~1\Temp\prvdi.exe
E:\WINDOWS\System32\dload.exe


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: (If they exist)

PopOops
Search Relevancy
- (It will issue multiple pleas to be kept installed, and claim it needs a network connection to uninstall, but should work.)
TSA - see if this is here also

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O8 - Extra context menu item: Open in New &Window (PopOops) - E:\WINDOWS\Web\PopOops.htm


Delete the following folders if they still exist.

E:\PROGRA~1\PopOops
E:\Program Files\SearchRelevant

Navigate to the HSFix directory, open the folder (ensure you unzipped it) and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. Please post that log here.

Also check in your system32 folder to see if there are any newly created files. You're looking for any files around the same date, around the time you noticed problems. Post that here.

Run the CleanUp! program again and clean everything, including Prefetch. Say Yes when it asks you to reboot/logoff.

Reboot into Normal Mode

Please post:
the HSFix log
any new (recent) files in the System32 folder
a new HJT log
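The post above ends by asking for a fresh HJT log, and the useful next step is to compare the O4 entries of the old and new logs rather than eyeballing them: in this thread the same [Windows Service] value pointing at System32\prvdi.exe comes back under both HKLM and HKCU. Below is an added example (not part of the thread, and not HijackThis code) that parses the registry O4 lines of two logs, reports what was added or removed, and flags entries on a few heuristics that a helper would apply by hand: a Temp-directory launch path, an unrecognised executable in System32, a value name that tries to sound like a Windows component, and the same value name registered in more than one hive. The two log fragments are constructed from the O4 lines in this thread; the KNOWN_SYSTEM32_AUTORUNS allowlist and the GENERIC_NAMES pattern are assumptions made for the example.

```python
"""Diff the registry O4 lines of two HijackThis logs and flag oddities (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches lines such as:  O4 - HKLM\..\Run: [ccApp] "E:\Program Files\...\ccApp.exe"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
# First token ending in an executable extension, quoted or not, spaces allowed.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))"?(?:\s|$)', re.I)

# Assumptions for this example: executables expected to autostart from System32
# on this particular box, and value names that imitate a Windows component.
KNOWN_SYSTEM32_AUTORUNS = {'ctfmon.exe', 'nerocheck.exe'}
GENERIC_NAMES = re.compile(r'\b(?:windows|microsoft|system|service|update)\b', re.I)


@dataclass(frozen=True)
class AutorunEntry:
    hive: str       # HKLM or HKCU
    key: str        # Run, RunOnce, RunServices, ...
    name: str       # registry value name shown in [brackets]
    command: str    # raw command line

    @property
    def exe_path(self) -> str:
        m = EXE_RE.match(self.command.strip())
        return m['path'] if m else self.command.strip()

    @property
    def exe_name(self) -> str:
        return self.exe_path.rsplit('\\', 1)[-1].lower()


def parse_o4(log_text: str) -> list[AutorunEntry]:
    """Extract the registry-based O4 lines; Startup-folder O4 lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m['hive'], m['key'], m['name'], m['command']))
    return entries


def diff_autoruns(old: list[AutorunEntry], new: list[AutorunEntry]):
    """Return (added, removed) entries between two logs, sorted for stable output."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set, key=repr), sorted(old_set - new_set, key=repr)


def suspicious(entries: list[AutorunEntry]) -> dict[AutorunEntry, list[str]]:
    """Map each flagged entry to the reasons it was flagged."""
    hives_by_name: dict[str, set[str]] = {}
    for e in entries:
        hives_by_name.setdefault(e.name.lower(), set()).add(e.hive)
    findings = {}
    for e in entries:
        reasons = []
        path = e.exe_path.lower()
        known = e.exe_name in KNOWN_SYSTEM32_AUTORUNS
        if '\\temp\\' in path:
            reasons.append('launches from a Temp directory')
        if '\\system32\\' in path and not known:
            reasons.append('unrecognised executable in System32')
        if GENERIC_NAMES.search(e.name) and not known:
            reasons.append('generic system-sounding value name')
        if len(hives_by_name[e.name.lower()]) > 1:
            reasons.append('same value name registered in both HKLM and HKCU')
        if reasons:
            findings[e] = reasons
    return findings


# Constructed from the O4 lines of the two HijackThis logs in this thread.
LOG_BEFORE = r'''
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopOops] E:\PROGRA~1\PopOops\PopOops.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
'''
LOG_AFTER = r'''
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
'''

if __name__ == '__main__':
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    added, removed = diff_autoruns(before, after)
    print('added:  ', [f'{e.hive} [{e.name}] {e.exe_path}' for e in added])
    print('removed:', [f'{e.hive} [{e.name}] {e.exe_path}' for e in removed])
    for e, reasons in suspicious(after).items():
        print(f'{e.hive} [{e.name}] {e.exe_path}: ' + '; '.join(reasons))
```

Run it with the two saved logs in place of the constructed strings and the output is the list a helper would otherwise build by hand. The heuristics are deliberately name- and path-based, since a pasted log carries no hashes or signatures; whatever they flag still has to be checked on the machine itself.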
Old 04-13-2005, 10:00 AM   #19
Registered User
Join Date: Apr 2005
Posts: 16
OS: xp


Hiya Ried!

Here's how things are: Add/Remove Programs didn't have Search Relevancy or TSA; however, I did find and remove the "search relevancy" folder from Program Files.

I really don't think PopOops had anything to do with a virus, though; I've been using it for a couple of years now. I did remove it for now, though.

Here's what E:\hslog.txt has to say:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Here's HijackThis:

O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098522362359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

I really don't see any suspicious files in system32.

I forgot to mention one thing though!
Every time I scan for viruses Norton finds "The file E:\WINDOWS\Downloaded Program Files\open.exe.js is a Adware threat." If I'm not mistaken it has appeared even before prvdi.exe or dload.exe. I ran FixIefts.exe a few times but it never did find a virus on my PC. Also I can't see any open.exe.js in the Downloaded Program Files folder; all I can see is:

Oh, and btw I had to install Symantec Live Update today; I think we actually removed THE Symantec Live Update earlier :)


Orit mate.
Eldar is offline  
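The O4 lines in the HijackThis log above are what the analysts in this thread are reading by eye: a generically named "Windows Service" value that points at an unfamiliar executable in System32 and is registered under both HKLM and HKCU. As an added example (not code from this thread, from HijackThis or from the Horseserver Removal Tool), the following Python script parses those O4 lines and flags exactly those two patterns. The sample log is constructed from the lines posted above, and the small allowlist of executables that Windows legitimately starts from System32 is an illustrative assumption rather than an authoritative list.

```python
import re
from collections import defaultdict

# Constructed sample input: the O4 (Run key) lines from the HijackThis log posted in this thread,
# plus a non-O4 line to show that other sections are ignored.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service] E:\WINDOWS\System32\prvdi.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Executables that Windows itself legitimately starts from System32 via a Run value.
# Illustrative allowlist (an assumption of this example), not an authoritative list.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, value name, full command and executable path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        # A quoted command keeps its spaces; otherwise the path is the first token.
        quoted = re.match(r'"([^"]+)"', cmd)
        exe = quoted.group(1) if quoted else cmd.split()[0]
        entries.append({**m.groupdict(), "exe": exe})
    return entries


def analyze_hjt_log(log_text):
    """Flag O4 entries that show the two patterns visible in the thread's log."""
    entries = parse_o4(log_text)

    # Which hives register the same (value name, executable) pair.
    hives_by_entry = defaultdict(set)
    for e in entries:
        hives_by_entry[(e["name"], e["exe"].lower())].add(e["hive"])

    findings = []
    for e in entries:
        reasons = []
        path = e["exe"].lower().replace("/", "\\")
        base = path.rsplit("\\", 1)[-1]
        # Third-party software rarely drops its autorun binary into System32.
        if "\\system32\\" in path and base not in KNOWN_SYSTEM32_AUTORUNS:
            reasons.append("unrecognised executable launched from System32")
        # Persistence registered in both the machine and the user hive survives
        # removal from just one of them.
        if len(hives_by_entry[(e["name"], e["exe"].lower())]) > 1:
            reasons.append("same value registered under both HKLM and HKCU")
        if reasons:
            findings.append(
                {"hive": e["hive"], "name": e["name"], "exe": e["exe"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in analyze_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f['hive']}\\..\\Run [{f['name']}] {f['exe']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample log this reports the two prvdi.exe entries and nothing else; the ctfmon.exe entry is skipped because it is on the allowlist and the MSN Messenger entry lives outside System32. The heuristics are deliberately narrow: they point an analyst at what to inspect, they do not decide that a file is malicious.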
04-13-2005, 10:54 AM   #20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,916
OS: WinXP and Vista


Ok Eldar,

Sorry about the Symantec LiveUpdate.

It was Openwares LiveUpdate we were going for in the Add/Remove. It would be a different entry than Symantec LiveUpdate. Check to see if just a LiveUpdate (without Symantec) is there and remove it.
(This was the entry on the 1st HJT log:)
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe

Did you run an online scan at Trend Micro or RAV Antivirus? If not, please do so.
(Select the “autoclean” option when using Trend Micro.)

Run mwave again. Post that log here.

Download FindQoologic-Narrator.zip at http://forums.net-integration.net/in...post&id=134981 and save it to your Desktop.

Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

Run another scan with HJT and post that also.

If another Analyst responds to this thread, please follow their instructions.

Last edited by Ried; 04-13-2005 at 10:55 AM.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum