HiJack This Logfile [CLOSED]

Sorry about the delay, we have been very busy.

If you still require help, please post a fresh HJT log.

Let me know if your problems have been resolved

Hi usetobe,

Here is the latest HiJack This logfile. It shouldn't be much different from the last one as the affected PC has only been used once since.

Sorry for the delay in replying to you, hopefully, i shouldn't take up too much of your time.

Thanks in advance





Logfile of HijackThis v1.99.1
Scan saved at 12:01:30, on 04/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O15 - Trusted Zone: http://www.toucansurf.com
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116680577325
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Hi thedarkprince,

Lets earn you those brownie-points!

Please print out these instructions to make it easy to follow and to have access to them when you have to reboot your pc. Please read through them prior to commencing to do anything and if there is anything that you are unsure of, or do not understand, please contact me first for assistance.

I would like you to carry out the following free on-line virus scan and follow their instructions on removal of anything that it may find.

Panda Active Scan

Next please download the following two programs. Install them and update them both. Then run each one and have them fix anything that they may find.

Spybot Search and Destroy 1.4

Ad-aware S E 1.5

Download the following program.

Cleanup. Do NOT run it yet.

Set PC to show hidden files (Click link below if you do not know how

Show hidden files

Reboot into SAFE MODE by tapping the F8 key whilst PC starts up. Select SAFE MODE option

Open up HJT and rescan and Place a check against each of the following, making sure you get them all and not any others by mistake. Some of them might not be there as they will have been removed in previous stages of the sequence. This is normal so do not be alarmed

O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O16 - DPF: Win32 Classes -

FOR EXTRA BROWNIE POINTS YOU HAVE 2 OPTIONAL FIXES

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Office Startup Assistant is an optional item that if checked, will eliminate a known resource hog. You will still be able to start Office components from the Start menu.

Once you have decided on the optionals, Ensure no windows are open apart from HJT and click FIX CHECKED.

Now use the Cleanup program to clear out temp files, junk etc.

Reboot normally and rescan with HJT and post the log in this thread

Thanks for this, all looks quite straight forward.

Just thought i'd better mention that i won't be able to get access to the PC until later in the week so this may be a long drawn-out process.

I'll post back as soon as i can.

Thanks

No problems there is no time limit.

Hi usetobe,

Sorry for the delay.

I ran through everything you said, except for the Panda scan as i have the pc at my house now and have not configured the broadband yet. Also, Ad-aware and Spybot are not using the most current definition files for the same reason. The last update of them was last week.

Not sure if this is related at all but i have attached a screen shot of the task manager's performance tab. Its pretty much running at 100% all the time, do you happen to know if this is to do with the spyware or do you think it is most likely another problem?

Once again, thanks for all your help




Anyway, here is the new HiJack This logfile:

Logfile of HijackThis v1.99.1
Scan saved at 17:41:25, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O15 - Trusted Zone: http://www.toucansurf.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116680577325
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Edited by thedarkprince, 14 June 2005 - 11:04 AM.

Hi Again,

Download the following free 14 day trial of Ewido. install it, update it and then close it down.

Ewido

Reboot pc into safe mode,

Now run ewido, this may take some time, once it finds first problem tick the box for all. Save the log it produces to post back.

rescan with HJT and check the following entry:

O1 - Hosts: 66.40.16.234 auto.search.msn.com

Reboot normally, rescan with HJT and post the log back, together with the ewido log

Hi,

Its been awhile but i now have the pc so we should be able to move this along a little quicker now.

Okay, first of all, i have run the ewido program and fixed all the problems it found and have run HJT again.

I will have to find the ewido logfile, but for now here is the HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:27, on 28/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O15 - Trusted Zone: http://www.toucansurf.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116680577325
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Am i right in thinking this is the Sasser worm?

Cheers for your help the ewido log will follow shortly.

Please uninstall microsoft antispyware as it may interfere with what we need to do. You can reinstall it after we have finished.

Reboot into SAFE mode by tapping the F8 KEY.

Rescan with HJT and check the following:

O1 - Hosts: 66.40.16.234 auto.search.msn.com
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

Ensure no windows open except HJT and click fix checked

Reboot pc normally, rescan with HJT and post the log back. The logs for ewido and panda would be most useful

Hi,

Here's the ewido logfile:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:40:35, 29/06/2005
+ Report-Checksum: E4C5E548

+ Date of database: 27/06/2005
+ Version of scan engine: v3.0

+ Duration: 57 min
+ Scanned Files: 50923
+ Speed: 14.88 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117185.exe -> Backdoor.PoeBot.b -> Cleaned with backup
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117186.exe -> Backdoor.PoeBot.b -> Cleaned with backup
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117187.exe -> Backdoor.Rbot -> Cleaned with backup
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117188.sys -> Trojan.Rootkit.h -> Cleaned with backup
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117189.dll -> Spyware.TimeSink.c -> Cleaned with backup
C:\System Volume Information\_restore{61FFF707-BF19-4826-9EB6-892980DFCF55}\RP91\A0117190.sys -> Trojan.Rootkit.h -> Cleaned with backup


::Report End


I can only get on the internet for about 5 mins with the infected pc before it kicks me off with an error message saying LSASS.exe closed unexpectedly and the pc needs to reboot. It gives me about 60 seconds before shutting down.

Do you think the ewido log will be enough?

I will follow your previous post this evening as work calls i'm afraid.

Cheers

When you get the LSASS error is there any code and do you also get a svchost error?

Hi,

I would have to check if there is a code when i get that error. Will try when i get home. As for the svchost error, no i do not get that.

Would this worm be the reason why the CPU runs at near 100% all of the time?

Cheers

You should be able to abort the shutdown within those first 60 seconds by doing the following:

Press the Start button, and then the Run menu item.

Type shutdown -a . That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".

Press OK.

Keep it handy it might popup a few times.

That will give us the opportunity to sort this out.

It might be something similar to sasser, but i would have thought that Panda would have picked it up.

Here are 2 other online scans to carry out.

Kaspersky

Trend

Allow them to run and repair anything they find and post the logs back

Hi usetobe,

This thread can be closed now as the gf's parents have decided that the pc can be reformatted. All the important stuff has been saved so its just a case of reformatting and then re-installing Windows.

Cheers for all your help though you're a top bloke.