Logfile of HijackThis. Infected with BlackWorm & other


This topic is locked
79 replies to this topic

#61 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 03:33 PM

I think we finally killed them :rofl:

We're not done yet.

I don't see an Anti-Virus program in your log. Here's a free one:

Click the link and Save, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to donate (PayPal) for the help you received.

Proud graduate of TC/WTT Classroom


#62 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 04:46 PM

Working on scan now. So far: Virus infected - Worm/Opanki.GV keeps popping up. 5 infected objects w/ Trojan Horse Dropper.Agentpp, Trojan Horse...........

#63 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 04:47 PM

That PC was pretty infected, but I think we've about got it. Let me know if it finds anything it can't kill and remember the file and location.



#64 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 05:20 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:11:52 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,039 items found: 1,039 files, 0 directories.
Total of file sizes: 189,219,986 bytes 180.45 M

Administrator Account = True

--------------------End log---------------------

Have to go.

#65 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 05:22 PM

Did you reboot after the scan? Your HJT log didn't show the whole scan.



#66 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 07:38 PM

Ran program, emptied recycle bin, rebooted, copy/pasted new log.
I may have missed some of it when I cut/pasted - got called away from the computer. Sorry.
Following is HJT log & DLL

Logfile of HijackThis v1.99.1
Scan saved at 7:14:22 PM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,039 items found: 1,039 files, 0 directories.
Total of file sizes: 189,219,986 bytes 180.45 M

Administrator Account = True

--------------------End log---------------------


AVG scan test results: there are several listed with a RED ! beside them, with result "could be infected" and status "infected"??? Do I need to run again?
C:\WINNT\System32\Lavan\lock.bat
C:\ \Lavan\iL.dbx
C:\ \Lavan\KAHOL.exe\devcheck.exe
C:\ \Lavan\KAHOL.exe\lock.bat
C:\ \Lavan\KAHOL.exe
C:\ \Lavan\lock.bat

#67 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 12 March 2006 - 06:39 AM

http://www.sophos.co...jzapchasah.html

We need to delete those:

C:\WINNT\System32\Lavan\lock.bat
C:\ \Lavan\iL.dbx
C:\ \Lavan\KAHOL.exe\devcheck.exe
C:\ \Lavan\KAHOL.exe\lock.bat
C:\ \Lavan\KAHOL.exe
C:\ \Lavan\lock.bat

Just delete the folders altogether:
C:\ \Lavan
C:\WINNT\System32\Lavan

After the above.
Run another Virus scan.



#68 devotion (Authentic Member, 43 posts)
Posted 12 March 2006 - 10:03 AM

Good Morning,
Virus Scan: Nothing found. Nothing to delete so I Did Not reboot...
Logs follow.



* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,039 items found: 1,039 files, 0 directories.
Total of file sizes: 189,219,986 bytes 180.45 M

Administrator Account = True

--------------------End log---------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:50:49 AM, on 3/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#69 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 12 March 2006 - 12:46 PM

We only have one bad guy left :thumbup:

Boot into Safe Mode.
Windows 2000, XP:
1. Restart the computer
2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.
3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.

I am going to have you remove this bogus service RpcSssvc by doing the following:
Click Start-> Run and type cmd in the Open: line. Click OK.
* Type or paste in the following: sc delete RpcSssvc
* Hit Enter
* Type: Exit
* Hit Enter

Run hijackthis and click the scan button, when it has finished scanning then put a tick against the following, close all other browsers and windows and click 'fix checked'

O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe (file missing)

Reboot normally and post a new HJT log.



#70 devotion (Authentic Member, 43 posts)
Posted 12 March 2006 - 02:10 PM

Hi,

Followed instructions fine; however, it produced: "Sc" is not recognized as an internal or external command.
I tried: delete RpcSssvc - responded: delete is not recognized.....
I tried: del RpcSssvc - responded: can not find.

I opened Explorer, C:\WINNT\System32
do not see it. 2 files named rpcss.dll

New HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:43 PM, on 3/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


#71 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 12 March 2006 - 02:18 PM

Click Start > Run > and type in:

services.msc

Does that show RpcSssvc



#72 devotion (Authentic Member, 43 posts)
Posted 12 March 2006 - 02:41 PM

No.
1. Remote Access Auto Connection Manager
2. Remote Access Connection Manager
3. Remote Procedure Call (RPC)
4. Remote Procedure Call (RPC) Locator
5. Remote Procedure Call (RPC) Service
6. Remote Registry Service

Highlight and view Properties of each: the only thing I see close is under the Remote Procedure Call (RPC) Service. Currently it is STOPPED with Auto Startup. The Path to Executable is C:\WINNT\System32\RpcSs.exe. All others have nothing related to the file name we are looking for. Please advise.
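Editor's added example (not part of this thread, and not HijackThis or forum tooling): the O23 section of the logs above lists every installed service, and the bogus RpcSssvc entry that LDTate singles out in #69 can be picked out automatically from two properties HijackThis already records. Its image path is marked "(file missing)", and its display name "Remote Procedure Call (RPC) Service" is a near-copy of the genuine "Remote Procedure Call (RPC)" that the poster reads out of services.msc in #72. The Python below parses O23 lines in that format and flags any entry with either property; the six O23 lines from the posted log are embedded as the sample input. The allowlist of genuine Windows 2000 display names is an assumed short subset built from the names in this thread, not the full list for the OS.

```python
"""Flag suspicious service (O23) entries in a HijackThis log.

Added example for this thread; it is not part of HijackThis or of the
forum's own tooling.
"""
import re
from difflib import SequenceMatcher

# The six O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_O23 = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Assumption: a small allowlist of genuine Windows 2000 service display
# names (the ones the poster read out of services.msc, plus the two
# Logical Disk Manager services). A real check would load the full list
# for the exact OS build being examined.
KNOWN_DISPLAY_NAMES = {
    "Remote Procedure Call (RPC)",
    "Remote Procedure Call (RPC) Locator",
    "Remote Registry Service",
    "Remote Access Connection Manager",
    "Remote Access Auto Connection Manager",
    "Logical Disk Manager Administrative Service",
    "Logical Disk Manager",
}

# HijackThis O23 format:
#   O23 - Service: <display name> (<short name>) - <owner> - <image path> [(file missing)]
# The display name may itself contain parentheses, so the short name is
# anchored on the " (name) - " that precedes the owner field.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(log_text):
    """Return one dict per O23 line; lines of any other type are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["missing"] = entry["missing"] is not None
            entries.append(entry)
    return entries


def closest_known(display, threshold=0.8):
    """Best-matching built-in display name, or None if nothing is close.

    A name that is NOT in the allowlist but scores above the threshold
    against one that is, is a look-alike: "Remote Procedure Call (RPC)
    Service" scores about 0.87 against "Remote Procedure Call (RPC)".
    """
    best, best_ratio = None, 0.0
    for known in KNOWN_DISPLAY_NAMES:
        ratio = SequenceMatcher(None, display, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def analyze(log_text):
    """Map short service name -> list of reasons, for every suspicious O23 entry."""
    findings = {}
    for e in parse_o23(log_text):
        reasons = []
        if e["missing"]:
            reasons.append("image path does not exist on disk")
        if e["display"] not in KNOWN_DISPLAY_NAMES:
            near = closest_known(e["display"])
            if near:
                reasons.append(f"display name mimics built-in service '{near}'")
        if reasons and e["owner"] == "Unknown owner":
            # Only worth mentioning alongside a stronger indicator: plenty of
            # legitimate services also carry no company information.
            reasons.append("no publisher information in the binary")
        if reasons:
            findings[e["short"]] = reasons
    return findings


if __name__ == "__main__":
    for short, reasons in analyze(SAMPLE_O23).items():
        print(f"{short}: " + "; ".join(reasons))
```

Run against the sample, only RpcSssvc is reported, with all three reasons. Two practitioner caveats that follow from the thread: the genuine RPC service's short name is RpcSs, and on Windows 2000 it runs inside svchost.exe from rpcss.dll, so finding rpcss.dll but no RpcSs.exe in System32 (as the poster does in #70) is the expected state once the dropped binary is gone; what remains is the orphaned service registration under HKLM\SYSTEM\CurrentControlSet\Services\RpcSssvc, which is exactly what `sc delete` removes. And sc.exe was not part of a stock Windows 2000 installation (it shipped in the Resource Kit and became built-in with Windows XP), which is why the command was "not recognized" in #70; on a Windows 2000 box the same key can be deleted with regedit instead.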

#73 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 12 March 2006 - 02:45 PM

All those are OK. I think we'll just leave everything like it is. How's everything running?



#74 devotion (Authentic Member, 43 posts)
Posted 12 March 2006 - 02:55 PM

Seems to be fine. Start up is faster and no problems with internet so far. Have some error messages when running programs we have been using; have to close and start over or Ignore.

#75 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 12 March 2006 - 03:07 PM

Have some error messages if run programs we have been using, have to close and start over or Ignore

I don't know what would be causing that. Do the programs work?
