35 replies to this topic

[Micah_6:8]

Sorry, but I've had to share the equipment with the rest of the family.

"Golum" is definitely something you do NOT want on your machine. It's been several months since I've even seen it in a log (I wonder why it never was in yours? ).

The rest of the log looks good.

I'm waiting on a second opinion on something in the log, so please check back tomorrow (Wednesday) as there may be a small amout of "cleanup" (a file of two to delete) to perform.

Items you may wish to consider to harden your defenses against future infections:

Read "How did I get infected in the first place?" here:

http://boards.cexx.o...topic.php?t=957

Download IE-Spyad here:

https://netfiles.uiu...ww/resource.htm

IE-Spyad puts over 4000 known malicious web sites into IE's "restricted zone" to help prevent you from getting infected.

Check your browser settings here:

http://browsercheck....s.com/index.php

A series of "tests" (and suggested fixes) to help tweak IE's settings to help prevent infections when surfing the web.

Follow safe Internet practices:

1. Keep your virus definitions up to date, and scan your system regularly.

2. Don't open email, or download attachments from unrecognized email addresses.

3. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW! Many virii, worms, and trojans infect a persons system then immeadiately spread themselves to the people in the infected persons addressbook via email attachments.

4. Be careful downloading files from the Internet. Scan all downloaded files with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE unzipping, and scan all unzipped files BEFORE USING THEM.

5. Keep your Windows and IE current with all the latest patches and updates.

[day2day]

Don't apologize, not long ago I was having to share a computer with three other people, so I completely relate and sympathize with you. I thank you that you have been able to share your time with me during my need. As to golum not showing itself in the log......I understand that it would have to have a command or reference to itself in order to activate, but it almost seemed as if it were manifesting itself as or through the d3dj.dll. I say that because of deleting the folder and then the reference to d3dj.dll in the 020 line of HJT being removed. And then after deleting the d3dj.dll file in safe mode, it "becomes" golum in the recycle bin in normal mode. Maybe my ignorance is shining through as a lighthouse right now and I'm making no sense whatsoever, but it's sounding logical to myself. Ha! I'll check back tomorrow at lunch and then again in the evening for any updates. Take your time as I am very thankful for all that you have done and the time you have taken with me so far. It's great to see people who freely give their time and expertise to help those of us who are in need. I thank you and thank God for people such as you. Until tomorrow. God bless you, Jim

[Micah_6:8]

OK, the "verdict is in", and we do have the "guilty" service.

This was the "bad boy":

Service Name: SysManager
Display Name: Microsofot x386 System Monitor
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\system32.exe" -netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Please make a copy of the following file:

c:\windows\system32\system32.exe

Put it in one folder, zip it, attach it to an email and send it here. Please put the words "system32.exe" in the "subject line" of the email.

Then you can delete it, and you should ge "good to go".

Happy holidays!!!!

[day2day]

Uhhhh, I can't find that file anywhere on my system. I searched for all files named system32 and the only name for system32 that came up was the one folder. I rebooted into safe mode and searched from there as well as booting into safe mode with command prompt and looking in that directory. Also tried deleting the file from command prompt on the off chance that it was there, but not listed. No luck. Jim

Edited by day2day, 24 November 2004 - 12:12 PM.

[Micah_6:8]

If you were showing hidden files when looking, then I guess it's gone.

Thanks a bunch for trying.

[day2day]

I guess it is gone. I ran that ServiceFilter script and in the earlier mentioned sectioned it said that it wasn't started and wasn't stopped. Must be gone. Thanks for all of your help! Here's the ServiceFilter log in case you want to look at it. Jim

[day2day]

Wow, just noticed I didn't post the log. Here it is: The script did not recognize the services listed below. This does not mean that they are a problem. To copy the entire contents of this document for posting: At the top of this window click "Edit" then "Select All" Next click "Edit" again then "Copy" Now right click in the forum post box then click "Paste" ######################################## ServiceFilter 1.1 by rand1038 Microsoft Windows XP Home Edition Version: 5.1.2600 Service Pack 2 Nov 24, 2004 12:15:08 PM ===> Begin Service Listing <=== Unknown Service #1 Service Name: ImapiService Display Name: IMAPI CD-Burning COM Service Start Mode: Manual Start Name: LocalSystem Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this ... Service Type: Own Process Path: c:\windows\system32\imapirox.exe State: Stopped Process ID: 0 Started: False Exit Code: 0 Accept Pause: False Accept Stop: False Unknown Service #2 Service Name: Nhksrv Display Name: Netropa NHK Server Start Mode: Auto Start Name: LocalSystem Description: ... Service Type: Own Process Path: c:\windows\nhksrv.exe State: Stopped Process ID: 0 Started: False Exit Code: 1067 Accept Pause: False Accept Stop: False Unknown Service #3 Service Name: SwPrv Display Name: MS Software Shadow Copy Provider Start Mode: Manual Start Name: LocalSystem Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ... Service Type: Own Process Path: c:\windows\system32\dllhost.exe /processid:{b0a2456c-f1a2-47d9-8a39-cb9111f04968} State: Stopped Process ID: 0 Started: False Exit Code: 1077 Accept Pause: False Accept Stop: False Unknown Service # 4 Service Name: SysManager Display Name: Microsofot x386 System Monitor Start Mode: Auto Start Name: LocalSystem Description: ... Service Type: Share Process Path: "c:\windows\system32\system32.exe" -netsvcs State: Stopped Process ID: 0 Started: False Exit Code: 0 Accept Pause: False Accept Stop: False Unknown Service # 5 Service Name: TUWinStylerThemeSvc Display Name: TuneUp WinStyler Theme Service Start Mode: Manual Start Name: LocalSystem Description: ... Service Type: Own Process Path: c:\program files\tuneup utilities 2004\winstylerthemesvc.exe State: Stopped Process ID: 0 Started: False Exit Code: 1077 Accept Pause: False Accept Stop: False ---> End Service Listing <--- There are 87 Win32 services on this machine. 5 were unrecognized. Script Execution Time: 43.76563 seconds.

[Micah_6:8]

Unknown Service # 4
Service Name: SysManager
Display Name: Microsofot x386 System Monitor
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\system32.exe" -netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

It's still in the log, but it is "stopped".

And you can't find the file, your log has stopped being hijacked, so I don't think you have much to worry about.

[day2day]

I hadn't planned on getting it, but thinking it was $30 I picked it up (it was $60). Anyway, I bought Norton Internet Security 2005. I have Norton AV 2002 that came with the computer and AVG 7. I am using ZoneAlarm (free version) and the built-in Windows Firewall. I also have a DSL connection. Do I really need this, would it be worth keeping and installing? I don't know much about it and would like some opinions from some folks that do. When I bought the computer from a friend it was crammed full of virii and ad/spy/malware. I was walked through removing most of it, still a little sluggish, but I don't want to go through all of that again. I don't have the system restore disk or a full operating system to restore to. Thanks for the help/suggestions. Jim

[dgosling]

Hello Jim
It might be wise to have a look at an HJT log before installing any AV product because you need a clean PC to install it to. It would also help us give you advice because we will know what other software you are running that may conflict with NIS. Everyone should have resident AntiVirus software and a Firewall as a minimum for going on the Internet. There are other small programs that can help you with security.

1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' and name the folder 'Hijack This'.

2. Download Hijackthis to the new folder from this website: http://www.downloads.../hijackthis.zip

3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

4. Close ALL windows except HijackThis

5. SCAN with HijackThis

6. POST the log in this thread using 'Add Reply' so that we can give you instructions to start removing the infection.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

[day2day]

Here's my HJT log. Also, right after this post, folloiwing a thread similiar to mine, I ran Stinger and it's a good thing. I'll post that log also. One more, if you want to take a look, there's a thread of me and Micah 6:8 and what we've already done as well.
http://forums.tomcoy...showtopic=22330

HJT log
Logfile of HijackThis v1.98.2
Scan saved at 9:58:23 PM, on 11/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://accelerator.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth® Internet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100745970045
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Stinger log

McAfee AVERT Stinger Version 2.4.5.1 built on Nov 19 2004

Copyright © 2004 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Nov 19 2004.

Ready to scan for 45 viruses, trojans and variants.



Scan initiated on Fri Nov 26 21:29:57 2004

C:\WINDOWS\SYSTEM32\bling.exe\bling.exe

Found the W32/Sdbot.worm.gen.g virus !!!

C:\WINDOWS\SYSTEM32\bling.exe\bling.exe has been deleted.

C:\WINDOWS\SYSTEM32\cmd.ftp

Found the W32/Sasser.worm!ftp virus !!!

C:\WINDOWS\SYSTEM32\cmd.ftp has been deleted.

C:\WINDOWS\SYSTEM32\o

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINDOWS\SYSTEM32\o has been deleted.

C:\WINDOWS\SYSTEM32\o.0.o

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINDOWS\SYSTEM32\o.0.o has been deleted.

C:\WINDOWS\SYSTEM32\Soundsyst.exe\Soundsyst.exe

Found the W32/Sdbot.worm.gen.g virus !!!

C:\WINDOWS\SYSTEM32\Soundsyst.exe\Soundsyst.exe has been deleted.

C:\WINDOWS\SYSTEM32\TFTP3204

Found the W32/Sdbot.worm.gen virus !!!

C:\WINDOWS\SYSTEM32\TFTP3204 has been deleted.

C:\WINDOWS\SYSTEM32\TFTP3768\TFTP3768

Found the W32/Sdbot.worm.gen.g virus !!!

C:\WINDOWS\SYSTEM32\TFTP3768\TFTP3768 has been deleted.

C:\WINDOWS\SYSTEM32\videosd32.exe

Found the W32/Sdbot.worm.gen.p virus !!!

C:\WINDOWS\SYSTEM32\videosd32.exe has been deleted.

Number of clean files: 109125

Number of infected files: 8

Number of files deleted: 8



Thanks!
Jim

[dgosling]

I will be returning you to Micah_6:8 because he is already helping you with your problems. Please keep your posts within the same thread while you have the same problem. He is as qualified as I am to answer your questions.

[day2day]

That's cool. I had thought we were finished and I was just wondering about the Norton thing. I wasn't trying to second guess anyone or anything like that. Thanks for the info and help.

[day2day]

Here's the latest HJT:

Logfile of HijackThis v1.98.2
Scan saved at 6:13:38 PM, on 11/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://accelerator.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth® Internet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100745970045
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

I don't know if you saw where I posted a few posts back, but Stinger got rid of quite a few that weren't showing up. I posted some other logs there as well. Just to mention it.

Thanks for the help!

Jim

[Micah_6:8]

The log looks good. What kind of problem are you having?