Tech Support Forum

Post #1 · Discussion Starter (Registered, 9 Posts)
Hi, I'm a student doing job training at a college in network administration...
I am currently scanning all PCs, and came across this worm: WORM SPYBOT.B-7, as stated in the thread title. I've seen the thread where that person had the same worm, so I downloaded HijackThis... I wish I knew how to get it fixed alone, but I don't; with your help I would like to learn a few tips, but first I need to get rid of this :D, because other students use these PCs, and they surely don't want to have to deal with these kinds of problems.
Anyway, back to topic, here's the HijackThis log:
-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:06:29 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVPersonal\AVGUARD.EXE
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Program Files\AVPersonal\AVWUPSRV.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\System32\hkcmd.exe
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
D:\Program Files\AVPersonal\AVGNT.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\rose 2\Desktop\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
O4 - HKLM\..\Run: [avast!] D:\DOCUME~1\Teacher\Desktop\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] D:\DOCUME~1\Teacher\Desktop\ashmaisv.exe
O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] D:\WINDOWS\System32\ws2_32s.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVGCtrl] D:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Documents and Settings\Teacher\Desktop\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - D:\Documents and Settings\Teacher\Desktop\ashServ.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

----------------------------------------------------------------------

I haven't done the online virus scan at Panda ActiveScan, but that's because the college closes soon and I don't have time to do a full system scan; if you need it I will do so on Monday.

I thank you for your help, and I will probably be posting here for a while, until I am able to resolve these problems alone, hopefully.
 

Reply #2 (Registered, 6,574 Posts)
No problemo... Welcome to TSF.

If you're interested in learning how to analyze HJT logs, perhaps the TSF Academy would be of interest to you? Details are in the stickies at the top of this forum.

OK - let's get that worm out :sayyes:


Run HJT and fix:

O4 - HKLM\..\Run: [Microsoft Winsock Wrapper] D:\WINDOWS\System32\ws2_32s.exe


Navigate and delete:

D:\WINDOWS\System32\ws2_32s.exe


Reboot the computer and re run HJT. Post the log in your next post.


Perform an online scan in Internet Explorer with Panda ActiveScan

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

I notice that you have more than one anti-virus program on your machine. That's not a good idea!!
Like firewalls, anti-virus programs have conflicts co-existing with each other and may produce undesirable results. Choose ONE, uninstall the rest.
 

Post #3 · Discussion Starter (Registered, 9 Posts)

Thanks for the tip about the antiviruses :sayyes:

Unfortunately, I won't be able to put my hands on that PC until Monday, since the college closes on weekends, but I'll get to it first thing there.

Also, I will have a look at the TSF Academy... sounds good and interesting, and useful for my field.
Thanks again.
 

Reply #4 (Registered, 6,574 Posts)
Hi Leo - the above instructions will remove the worm you're complaining about. There is more work to do, so please do try and return a Panda log and a fresh HJT log.
 

Post #5 · Discussion Starter (Registered, 9 Posts)
OK, so I'm in the lab right now, ready to follow your instructions... The only thing that's keeping me from continuing is the following:
I am working on a PC on which students' work is stored; they probably do not have a backup of their work (files), so am I in any way risking access to those files by fixing (removing) that trojan?
 

Post #6 · Discussion Starter (Registered, 9 Posts)
I also cannot delete the file:
D:\WINDOWS\System32\ws2_32s.exe
It might be in use, but it's not in the running processes... is it?
 

Reply #7 (Registered, 6,574 Posts)
Are you in Safe Mode?

If you cannot delete the file, we will KillBox it on the next run. Please return the logs I've asked for, and we'll move on.
 

Post #8 · Discussion Starter (Registered, 9 Posts)

Can we go the KillBox way?
Because I don't have the administrator rights to log in in Safe Mode.
So until I get them, I'm going to have to go the 'KillBox' way. Thank you, I'm going to be at the lab in 3 hrs.
Thank you.
 

Reply #9 (Registered, 6,574 Posts)
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose YES when it informs you the file will be deleted on reboot; choose NO when it asks if you want to reboot):

D:\WINDOWS\System32\ws2_32s.exe


I'll need the Panda log as soon as possible.
 
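The poster could not delete ws2_32s.exe from the running session (#6) and has no Safe Mode access (#8), which is why the helper reaches for KillBox's 'Delete on Reboot'. As an added example, not KillBox's own code (its internals are not shown in this thread), the following Python shows the standard Windows mechanism that delete-on-reboot tools rely on: MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the job in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; smss.exe executes the list early in the next boot, before any program can hold the file open. The encode/decode helpers reproduce that value's layout so the queued job can be inspected offline; the scheduling call itself only works on Windows and needs administrator rights, the constraint the poster ran into. The file path is the one from this thread; the helper names are the editor's.

```python
"""Delete-on-reboot: the mechanism behind 'Delete on Reboot' in KillBox-style tools.

Added example, not KillBox's code. A locked or in-use file cannot be removed
from the running session, so the deletion is queued for the next boot:
MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) records it in the
REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as pairs of strings (source in NT-native "\??\" form, then destination; an
empty destination means delete). smss.exe processes the list during boot.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # MoveFileEx flag value from the Win32 API
NT_PREFIX = "\\??\\"
TARGET = r"D:\WINDOWS\System32\ws2_32s.exe"   # the file discussed in this thread


def to_nt_path(win32_path):
    r"""C:\foo.exe -> \??\C:\foo.exe, the form stored in PendingFileRenameOperations."""
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path


def encode_pending_ops(ops):
    """ops: [(source, destination)], destination "" = delete.

    Produces the raw REG_MULTI_SZ bytes: UTF-16LE, every string NUL-terminated,
    one extra NUL at the end. A rename destination is prefixed with "!" so an
    existing target is replaced (the MOVEFILE_REPLACE_EXISTING convention).
    """
    strings = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append("!" + to_nt_path(dst) if dst else "")
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending_ops(blob):
    """Inverse of encode_pending_ops; returns [(source, destination)] as stored."""
    strings = blob.decode("utf-16-le").split("\0")
    # split() leaves one '' for the final list terminator and one for the
    # trailing NUL of the last string; drop exactly those two.
    strings = strings[:-2]
    return list(zip(strings[0::2], strings[1::2]))


def schedule_delete_on_reboot(path):
    """The real call: Windows only, administrator required."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Win32 API; run this on the affected machine")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    kernel32.MoveFileExW.restype = ctypes.c_int
    # NULL destination + DELAY_UNTIL_REBOOT = delete at next boot. The file's
    # existence is not checked at this point, so verify the path first.
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    blob = encode_pending_ops([(TARGET, "")])
    print(len(blob), "bytes queued as:", decode_pending_ops(blob))
    if sys.platform == "win32" and "--apply" in sys.argv:
        schedule_delete_on_reboot(TARGET)
```

Two practical consequences follow from the mechanism: the file stays on disk, and runnable, until the machine is actually rebooted (so 'Choose NO when it asks if you want to reboot' only postpones the deletion), and because the Run entry was already removed with HJT, nothing relaunches ws2_32s.exe after the reboot that finally deletes it. If the autorun entry had been left in place, the boot-time deletion would still happen, but only because smss.exe runs before the Run key is processed.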

Post #10 · Discussion Starter (Registered, 9 Posts)

In the middle of the Panda scan process the whole thing just shut down, for unknown reasons, at least to me... It had nearly reached half the scan procedure when I went down for a quick cigarette; when I came back up, nothing was there! Internet Explorer was closed and it was like I had never started the scan.
I did shut down the running antivirus program (AntiVir) before starting the scan.
I did delete D:\WINDOWS\System32\ws2_32s.exe successfully before the scan though...
So I'm going to post the HijackThis log anyway.

Logfile of HijackThis v1.99.1
Scan saved at 7:16:57 AM, on 11/6/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVPersonal\AVGUARD.EXE
D:\Program Files\AVPersonal\AVWUPSRV.EXE
D:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Documents and Settings\Teacher\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://fr.autos.sympatico.msn.ca/components/ocx/exterior/Outside.cab
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - D:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - D:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - D:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
 

Reply #11 (Registered, 6,574 Posts)
That is odd.

Panda shut down (which is getting common)
and the HJT log now appears clean, even though I didn't attack the other malware present in your first log.

Let's be on the safe side, though.

Using Start > Search, locate and delete:

ipconfigs.exe


Do an online scan at one of the following sites:
Take note of the names and locations of any files it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
 