WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help with Trojan downlaoder Conhook

Started by Ry260 , Nov 27 2005 09:28 AM

This topic is locked

26 replies to this topic

#1 Ry260

New Member

Authentic Member
13 posts

Posted 27 November 2005 - 09:28 AM

I need help with fixes in my hjt log. I recently discovered the trojan downloader conhook in my ad aware scan. I ran the vundo fix on the file qomlm.dll and my scans no longer see any trouble. I am now not sure what to fix in the hjt log below. Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:37 AM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\System32\system12.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\csr.exe
F:\WINDOWS\lsass.exe
F:\WINDOWS\system32\pctspk.exe
F:\WINDOWS\sdktemp.exe
C:\WINDOWS\system32\wbem\bin32\services.exe
C:\WINDOWS\system32\wbem\bin32\svchost.exe
F:\HJT\HijackThis.exe

O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - F:\WINDOWS\System32\urqqo.dll
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] F:\WINDOWS\System32\system12.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: efeba - efeba.dll (file missing)
O20 - Winlogon Notify: iiife - iiife.dll (file missing)
O20 - Winlogon Notify: qomlm - qomlm.dll (file missing)
O20 - Winlogon Notify: urqqo - F:\WINDOWS\System32\urqqo.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing)
O23 - Service: netconf32 - Unknown owner - F:\WINDOWS\netconf32.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: sdktemp - Unknown owner - F:\WINDOWS\sdktemp.exe
O23 - Service: System32 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: System64 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe

Advertisements

Register to Remove

#2 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 27 November 2005 - 10:09 AM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#3 Ry260

New Member

Authentic Member
13 posts

Posted 27 November 2005 - 11:43 AM

I ran the spysweeper but the computer froze when it tried to restart. Here's the log ******** 12:20 PM: | Start of Session, Sunday, November 27, 2005 | 12:20 PM: Spy Sweeper started 12:20 PM: Sweep initiated using definitions version 575 12:20 PM: Starting Memory Sweep 12:21 PM: Found Adware: virtumonde 12:21 PM: Detected running threat: F:\WINDOWS\system32\urqqo.dll (ID = 77) 12:24 PM: Memory Sweep Complete, Elapsed Time: 00:03:39 12:24 PM: Starting Registry Sweep 12:24 PM: Registry Sweep Complete, Elapsed Time:00:00:14 12:24 PM: Starting Cookie Sweep 12:24 PM: Found Spy Cookie: yieldmanager cookie 12:24 PM: lockhart@ad.yieldmanager[2].txt (ID = 3751) 12:24 PM: Found Spy Cookie: nextag cookie 12:24 PM: lockhart@adq.nextag[2].txt (ID = 5015) 12:24 PM: Found Spy Cookie: ask cookie 12:24 PM: lockhart@ask[1].txt (ID = 2245) 12:24 PM: Found Spy Cookie: 2o7.net cookie 12:24 PM: lockhart@msnportal.112.2o7[1].txt (ID = 1958) 12:24 PM: lockhart@nextag[1].txt (ID = 5014) 12:24 PM: Found Spy Cookie: reliablestats cookie 12:24 PM: lockhart@stats1.reliablestats[1].txt (ID = 3254) 12:24 PM: Found Spy Cookie: winantiviruspro cookie 12:24 PM: lockhart@www.winantiviruspro[2].txt (ID = 3690) 12:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00 12:24 PM: Starting File Sweep 12:29 PM: Found Adware: winantispyware 2005 12:29 PM: setup.exe (ID = 188339) 12:29 PM: winfixer2005setup.exe (ID = 188341) 12:30 PM: File Sweep Complete, Elapsed Time: 00:06:16 12:30 PM: Full Sweep has completed. Elapsed time 00:10:12 12:30 PM: Traces Found: 10 12:32 PM: Removal process initiated 12:32 PM: Quarantining All Traces: virtumonde 12:32 PM: virtumonde is in use. It will be removed on reboot. 12:32 PM: F:\WINDOWS\system32\urqqo.dll is in use. It will be removed on reboot. 12:32 PM: Quarantining All Traces: winantispyware 2005 12:32 PM: Quarantining All Traces: 2o7.net cookie 12:32 PM: Quarantining All Traces: ask cookie 12:32 PM: Quarantining All Traces: nextag cookie 12:32 PM: Quarantining All Traces: reliablestats cookie 12:32 PM: Quarantining All Traces: winantiviruspro cookie 12:32 PM: Quarantining All Traces: yieldmanager cookie 12:32 PM: Warning: Launched explorer.exe 12:32 PM: Warning: Quarantine process could not restart Explorer. 12:33 PM: Preparing to restart your computer. Please wait... 12:33 PM: Removal process completed. Elapsed time 00:00:45 ******** 12:17 PM: | Start of Session, Sunday, November 27, 2005 | 12:17 PM: Spy Sweeper started 12:17 PM: Your spyware definitions have been updated. 12:20 PM: | End of Session, Sunday, November 27, 2005 |

#4 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 27 November 2005 - 03:16 PM

Can I see a new hijackthis log please.

#5 Ry260

New Member

Authentic Member
13 posts

Posted 27 November 2005 - 04:00 PM

Here's the latest

Logfile of HijackThis v1.99.1
Scan saved at 4:59:25 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\System32\system12.exe
F:\WINDOWS\System32\wupsys64.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\csr.exe
F:\WINDOWS\lsass.exe
F:\WINDOWS\system32\pctspk.exe
F:\WINDOWS\sdktemp.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\sysmgr64.exe
C:\WINDOWS\system32\wbem\bin32\services.exe
C:\WINDOWS\system32\wbem\bin32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] F:\WINDOWS\System32\system12.exe
O4 - HKLM\..\Run: [MSPP System Update 64] F:\WINDOWS\System32\wupsys64.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: efeba - efeba.dll (file missing)
O20 - Winlogon Notify: iiife - iiife.dll (file missing)
O20 - Winlogon Notify: qomlm - qomlm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing)
O23 - Service: netconf32 - Unknown owner - F:\WINDOWS\netconf32.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: sdktemp - Unknown owner - F:\WINDOWS\sdktemp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: sysmgr64 - Unknown owner - F:\WINDOWS\sysmgr64.exe
O23 - Service: System32 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: System64 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 27 November 2005 - 08:15 PM

Please download Stinger from the link below. Scan your system then allow it clean what it finds and then post a new log please. Yoiu have a few worms on your system and hopefully ythis will clean a few of them. If not we will do it manually. After we are done you should change all o your passwords.

http://vil.nai.com/vil/stinger/

#7 Ry260

New Member

Authentic Member
13 posts

Posted 27 November 2005 - 09:09 PM

Stinger found five files and deleted all but one--sdktemp.exe

Logfile of HijackThis v1.99.1
Scan saved at 10:05:44 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\System32\system12.exe
F:\WINDOWS\System32\wupsys64.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\csr.exe
F:\WINDOWS\lsass.exe
F:\WINDOWS\system32\pctspk.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wbem\bin32\services.exe
C:\WINDOWS\system32\wbem\bin32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] F:\WINDOWS\System32\system12.exe
O4 - HKLM\..\Run: [MSPP System Update 64] F:\WINDOWS\System32\wupsys64.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: efeba - efeba.dll (file missing)
O20 - Winlogon Notify: iiife - iiife.dll (file missing)
O20 - Winlogon Notify: qomlm - qomlm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing)
O23 - Service: netconf32 - Unknown owner - F:\WINDOWS\netconf32.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: System32 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: System64 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 27 November 2005 - 09:37 PM

Scan with hijackthis and put a check beside these lines and choose FIX O20 - Winlogon Notify: efeba - efeba.dll (file missing) O20 - Winlogon Notify: iiife - iiife.dll (file missing) O20 - Winlogon Notify: qomlm - qomlm.dll (file missing) O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing) O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing) O23 - Service: netconf32 - Unknown owner - F:\WINDOWS\netconf32.exe (file missing) Then reboot and a new log please.

#9 Ry260

New Member

Authentic Member
13 posts

Posted 28 November 2005 - 05:25 AM

made the fixes

Logfile of HijackThis v1.99.1
Scan saved at 6:23:41 AM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINDOWS\System32\system12.exe
F:\WINDOWS\System32\wupsys64.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\csr.exe
F:\WINDOWS\lsass.exe
F:\WINDOWS\system32\pctspk.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wbem\bin32\services.exe
C:\WINDOWS\system32\wbem\bin32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] F:\WINDOWS\System32\system12.exe
O4 - HKLM\..\Run: [MSPP System Update 64] F:\WINDOWS\System32\wupsys64.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: System32 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: System64 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 28 November 2005 - 08:41 PM

Download Ewido

Download and install Ewido Security Suite It is a free trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen

NEXT
======
Update Ewido
You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

NEXT
======
Ewido Scan
Once the updates are installed do the following:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
o You will need to step through the process of cleaning files one-by-one.
o If ewido detects a file you KNOW to be legitimate, select none as the action.
o DO NOT select "Perform action on all infections"
o If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Reboot and post the ewido log as well as a new hijackthis log please.

Advertisements

Register to Remove

#11 Ry260

New Member

Authentic Member
13 posts

Posted 29 November 2005 - 04:28 PM

With Ewido I found and deleted many things--heres the hjt

Logfile of HijackThis v1.99.1
Scan saved at 5:22:18 PM, on 11/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\WINDOWS\csr.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINDOWS\system32\pctspk.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wbem\bin32\services.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wbem\bin32\svchost.exe
F:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - F:\WINDOWS\dlhost.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - F:\WINDOWS\lsass.exe (file missing)
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - F:\WINDOWS\msdt.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: System32 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: System64 - Unknown owner - C:\WINDOWS\system32\wbem\bin32\services.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:46:07 PM, 11/29/2005
+ Report-Checksum: EA00971C

+ Scan result:

[1752] F:\WINDOWS\System32\system12.exe -> TrojanProxy.Ranky : Cleaned with backup
[1760] F:\WINDOWS\System32\wupsys64.exe -> TrojanProxy.Ranky : Cleaned with backup
[216] F:\WINDOWS\lsass.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\proxi.exe -> TrojanProxy.Ranky : Cleaned with backup
C:\WINDOWS\system32\sxe1.tmp -> TrojanProxy.Ranky : Cleaned with backup
C:\WINDOWS\system32\wbem\bin32\lsass.exe -> Backdoor.Iroffer.13b11 : Cleaned with backup
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VBPXPLB\is[1].exe -> TrojanSpy.Agent.hn : Cleaned with backup
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MYJR2K02\proxi[1].exe -> TrojanProxy.Ranky : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@e-2dj6wfkiahc5gdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@e-2dj6wjl4wld5weo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Lockhart\Cookies\lockhart@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
F:\Documents and Settings\Lockhart\Local Settings\Temp\temp.fr2117 -> TrojanSpy.Agent.hn : Cleaned with backup
F:\Documents and Settings\Lockhart\Local Settings\Temp\temp.fr7A09 -> TrojanSpy.Agent.hn : Cleaned with backup
F:\Documents and Settings\Lockhart\Local Settings\Temp\temp.frEB2C -> TrojanSpy.Agent.hn : Cleaned with backup
F:\Documents and Settings\Lockhart\Local Settings\Temporary Internet Files\Content.IE5\9RJBDXCE\mm[2].js -> Spyware.Chitika : Cleaned with backup
F:\WINDOWS\lsass.exe -> Backdoor.SdBot.xd : Cleaned with backup
F:\WINDOWS\sdktemp.exe -> Backdoor.SdBot.aad : Cleaned with backup
F:\WINDOWS\system32\byvus.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\byvvu.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\jkhgg.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\khhfg.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\ljhii.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\mljih.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\oppom.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\pmkhh.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\pmnkl.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\pmnlk.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
F:\WINDOWS\system32\rqolk.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\rqrol.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\sstst.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\ssttr.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\system12.exe -> TrojanProxy.Ranky : Cleaned with backup
F:\WINDOWS\system32\tuspo.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\tustq.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\wupsys64.exe -> TrojanProxy.Ranky : Cleaned with backup
F:\WINDOWS\system32\wvuuv.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\xxwtu.dll -> TrojanSpy.Agent.hn : Cleaned with backup
F:\WINDOWS\system32\xxyvs.dll -> TrojanSpy.Agent.hn : Cleaned with backup

::Report End

#12 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 29 November 2005 - 09:42 PM

Can you please sacan these lines at the scanner below and then post the reports for each, you can only do one at a time

C:\WINDOWS\system32\wbem\bin32\services.exe

F:\WINDOWS\csr.exe

F:\WINDOWS\lsass.exe

F:\WINDOWS\msdt.exe

F:\WINDOWS\dlhost.exe

Scan them here >>>>> http://virusscan.jotti.org/

#13 Ry260

New Member

Authentic Member
13 posts

Posted 30 November 2005 - 04:48 PM

Service Service load: 0% 100% File: services.exe Status: INFECTED/MALWARE MD5 560588d9d6290dc8e539ffb1841febd3 Packers detected: UPX Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found Misc/G6service Kaspersky Anti-Virus Found nothing NOD32 Found Win32/Tool.ServiceRunner.D application Norman Virus Control Found nothing UNA Found nothing VBA32 Found nothing File: csr.exe Status: INFECTED/MALWARE MD5 455f864ad0ffa1a524193be69f67735b Packers detected: - Scanner results AntiVir Found Worm/SdBot.60416.27 ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found BackDoor.IRC.Sdbot F-Prot Antivirus Found W32/Sdbot.MLO Fortinet Found W32/SDBot.AFM!bdr Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.aik NOD32 Found a variant of IRC/SdBot Norman Virus Control Found W32/SdBot.VHF UNA Found nothing VBA32 Found nothing F:\WINDOWS\dlhost.exe F:\WINDOWS\msdt.exe F:\WINDOWS\lsass.exe got this message below and would not scan The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

#14 Siggyx

SuperHelper

Authentic Member
6,776 posts

Posted 30 November 2005 - 09:15 PM

Click Start -> Run -> (type) services.msc

Scroll down and find the service called Microsoft Distributed Transaction When you find it, double-click on it. In the next window that opens, click the Stop button(if available), then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Follow those same steps with these services also.

System32
System64
Server Runtime Service
DynamicHost (DLHOST)
Local Security Authority Subsystem Service

Next run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.

csrss32

Do the same with these these.

DLHOST
lsass
MSDT

Download the Pocket Killbox >>> http://www.downloads...org/KillBox.zip

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

F:\WINDOWS\csr.exe
F:\WINDOWS\dlhost.exe
F:\WINDOWS\lsass.exe
F:\WINDOWS\msdt.exe
C:\WINDOWS\system32\wbem\bin32\services.exe

Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.

After reboot please post a new hijackthis log, from normal mode if possible.

Edited by Siggyx, 30 November 2005 - 09:47 PM.

#15 Ry260

New Member

Authentic Member
13 posts

Posted 01 December 2005 - 04:00 PM

Ok, on step 1 I was able to disable all but Server Runtime Service--because I didn't see it listed--only thing similar was Server. On step 2, I deleted all NT services but csrss32--It says it wasn't found in the registry. With KillBox is was only able to delete C:\WINDOWS\system32\wbem\bin32\services.exe all others listed would not show up in the clipboard. I even tried copying them but it still didn't recognize any as files. Thanks alot for all the help.

Logfile of HijackThis v1.99.1
Scan saved at 4:48:29 PM, on 12/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINDOWS\system32\pctspk.exe
F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\System32\wuauclt.exe
F:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132959072127
O20 - Winlogon Notify: WRNotifier - F:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Client Server Runtime Service (csrss32) - Unknown owner - F:\WINDOWS\csr.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - F:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

Body Background

skin color theme