
Pls check my HJT log after cleaning

1345 Views 7 Replies 3 Participants Last post by  Ried
Hi, could you please check my HJT analysed log. I have followed the 5 steps for removing malware and I have run HJT and analysed it while still in safe mode.

I have managed to remove the rogue spyware etc. but I think there is still a trojan generic ATJ lurking somewhere which I think will reappear when I come to reboot normally. I'm not sure if this is the case.
Thanks
the log follows
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Grisoft\AVG Free\avgcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:29:20 AM, on 18/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

R3 - URLSearchHook: (no name) - {C23DF1C5-BC51-D89E-5955-71AF41AA9568} - lpt.dll (file missing)
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [WinInitDll] RtlFindVal.exe
O4 - HKLM\..\Run: [ERTYDF] browsebar.exe
O4 - HKCU\..\Run: [321102] prgsys0984.exe
O4 - HKCU\..\Run: [Dest068] MNTP.exe
O4 - HKCU\..\Run: [LOPTCON] SysSupport.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119784185608
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://F:\AUTORUN\Flash\swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 69.50.168.180,85.255.112.26
O17 - HKLM\System\CCS\Services\Tcpip\..\{522E780F-89B0-42BE-A69D-55AF929DE78D}: NameServer = 69.50.168.180,85.255.112.26
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 69.50.168.180,85.255.112.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 69.50.168.180,85.255.112.26
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe


End of KRC HijackThis Analyzer Log.
====================================================================
You must install XP SP1a (hold off on SP2 until your computer is clean). Without SP1a, you are wide open to re-infection. Once you did that, restart and run a new HijackThis scan. Post the new log here.
Service Thanks: Service Pack 1a applied, I'm ready to try and out the trojan

Hi
Thanks for your advice, I have applied Service Pack 1a and gone through the steps again. In the meantime AVG keeps picking up a generic trojan.

The HJT log analysed follows here
Thanks
joice

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:15:59 PM, on 24/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\WINDOWS\System32\SetupCarnival.exe

R3 - URLSearchHook: (no name) - {C23DF1C5-BC51-D89E-5955-71AF41AA9568} - lpt.dll (file missing)
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [WinInitDll] RtlFindVal.exe
O4 - HKLM\..\Run: [ERTYDF] browsebar.exe
O4 - HKCU\..\Run: [321102] prgsys0984.exe
O4 - HKCU\..\Run: [Dest068] MNTP.exe
O4 - HKCU\..\Run: [LOPTCON] SysSupport.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119784185608
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://F:\AUTORUN\Flash\swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 85.255.113.147,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{522E780F-89B0-42BE-A69D-55AF929DE78D}: NameServer = 85.255.113.147,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 85.255.113.147,85.255.112.24
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Hello joice,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

R3 - URLSearchHook: (no name) - {C23DF1C5-BC51-D89E-5955-71AF41AA9568} - lpt.dll (file missing)
O4 - HKLM\..\Run: [WinInitDll] RtlFindVal.exe
O4 - HKLM\..\Run: [ERTYDF] browsebar.exe
O4 - HKCU\..\Run: [321102] prgsys0984.exe
O4 - HKCU\..\Run: [Dest068] MNTP.exe
O4 - HKCU\..\Run: [LOPTCON] SysSupport.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 85.255.113.147,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{522E780F-89B0-42BE-A69D-55AF929DE78D}: NameServer = 85.255.113.147,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 85.255.113.147,85.255.112.24


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
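As an added illustration (not code from this thread, the KRC analyzer or Fixwareout), the script below applies the three checks the helper's list above rests on to HijackThis 1.99 log lines: an R-section browser hook whose DLL is missing, O4 Run entries that are a bare file name with no path, and O17 NameServer entries that are not in a trusted-resolver set. The sample log and the trusted resolver 192.168.1.1 are constructed assumptions.

```python
"""Triage HijackThis (v1.99) log lines for the entry types flagged in this thread."""
import re
from ipaddress import ip_address

# Constructed sample modelled on the log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C23DF1C5-BC51-D89E-5955-71AF41AA9568} - lpt.dll (file missing)
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinInitDll] RtlFindVal.exe
O4 - HKCU\..\Run: [321102] prgsys0984.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CB29935-2094-48C9-A129-FACA1300043A}: NameServer = 85.255.113.147,85.255.112.24
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # section tag, then the entry body
O4_RE = re.compile(r"\[[^\]]*\] (.+)$")          # value after the [name] tag
O17_RE = re.compile(r"NameServer = (.+)$")

def _is_bare_name(value: str) -> bool:
    """True when an O4 value is a bare file name with no directory, e.g. 'MNTP.exe'."""
    target = value.split(" /")[0].strip().strip('"')   # drop switches such as /STARTUP
    return "\\" not in target and not re.match(r"^[A-Za-z]:", target)

def triage(log_text: str, trusted_dns: set[str]) -> list[tuple[str, str, str]]:
    """Return (section, reason, raw_line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section.startswith("R") and body.endswith("(file missing)"):
            findings.append((section, "browser hook points at a missing DLL", raw))
        elif section == "O4":
            o4 = O4_RE.search(body)
            if o4 and _is_bare_name(o4.group(1)):
                findings.append((section, "Run entry is a bare file name with no path", raw))
        elif section == "O17":
            o17 = O17_RE.search(body)
            if o17:
                for ip in (s.strip() for s in o17.group(1).split(",")):
                    try:
                        ip_address(ip)          # skip anything that is not an IP literal
                    except ValueError:
                        continue
                    if ip not in trusted_dns:
                        findings.append((section, f"NameServer {ip} is not a trusted resolver", raw))
    return findings

if __name__ == "__main__":
    # Constructed assumption: the only resolver this machine should use is the router at 192.168.1.1.
    for section, reason, line in triage(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"{section}: {reason}\n    {line}")
```

The O4 check is a heuristic: a legitimate entry can also use a bare name, so a hit means "look it up", not "delete it".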
thanx, hopefully this has done it.

Hi,
Significant thanks for the guidance and expertise, I did as instructed and here is the wareoutreport and the HJT log analysed.

I guess if I have the all clear I should run service pack 2 and investigate the firewall.

regards
Joice

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\WOINST32.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:20:17 PM, on 25/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe

O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119784185608
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37320.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://F:\AUTORUN\Flash\swflash.cab
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Hi joice,

As soon as we've completed the cleaning, I'll give you instructions for SP2 download. :smile:

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode.(tapping F8 or F5)

Start Killbox.
Copy/paste the following entry into Killbox:

C:\WINDOWS\SYSTEM32\WOINST32.EXE

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister .dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

From Normal Mode:

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Panda scans and more trojans

Hi Ried, thanks,
I think I may have waited too long to finish this process.
There are more trojans, crazy and I guess that the wo thing was a worm.

Following here is the panda scan.
Thanks in advance.
Joice


Incident Status Location

Adware:adware/cws.searchmeup No disinfected C:\Documents and Settings\All Users\Start Menu\Spyware Remover.url
Adware:adware/azesearch No disinfected C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.url
Adware:adware/azesearch No disinfected C:\Documents and Settings\dav\Favorites\PHARMACY\Breast Enlargement.url
Adware:adware/cws.searchmeup No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Spyware Remover.url
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
Adware:adware/ilookup No disinfected C:\Documents and Settings\dav\Favorites\Gambling
Adware:adware/block-checker No disinfected Windows Registry
Virus:Trj/Qhost.Q Disinfected C:\WINDOWS\hosts
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\system32\hlmicro.exe
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\zmalq.exe
Adware:Adware/IST.ISTBar No disinfected E:\papcrack\crackit_v1.016.exe
Adware:Adware/IST.ISTBar No disinfected E:\Paparazzi_2v1_Demo[1]\crackit_v1.016.exe
Hi joice,

It's not necessarily that you waited too long, HijackThis is only one tool at our disposal that can be used to detect malware. The entries found by Panda were not evident in the HijackThis log and we can only remove what we see. :smile:

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download smitRem at http://noahdfear.geekstogo.com/click counter/click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\Documents and Settings\All Users\Start Menu\Spyware Remover.url
C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.url
C:\Documents and Settings\dav\Favorites\PHARMACY\Breast Enlargement.url
C:\WINDOWS\system32\hlmicro.exe
C:\WINDOWS\system32\zmalq.exe
E:\papcrack\crackit_v1.016.exe
E:\Paparazzi_2v1_Demo[1]\crackit_v1.016.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister .dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following folders:

C:\Documents and Settings\dav\Favorites\PHARMACY
C:\Documents and Settings\dav\Favorites\Gambling

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Normal Mode and run another online scan at Panda.

So, I'll need the logs for HijackThis, Panda ActiveScan, smitfiles.txt and Ewido.