Worm/VB.HC or Lop.DN or both



#1
jeffree

How this came in is relevant, LimeWire or just clicking on a harmless looking download link. This computer is at a church and not many have access to it. Symptoms are popups on the internet of various sites. AVG is my free antivirus and it went crazy detecting Worm/VB.HC; a few days later it found Lop.DN. Oddly enough, it didn't prevent this. Also, Ad-Aware Pro finds it, reboots and tries to remove it but doesn't; Spybot doesn't do much, or RegistryFix. Could you please assist me? VundoFix has been run several times and nothing found. Thanks. Jeff

hijack log


Logfile of HijackThis v1.99.1
Scan saved at 5:46:50 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Jeff\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147790052587
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85...sCamControl.ocx
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

dss scan

Deckard's System Scanner v20070905.67
Run by Jeff on 2007-09-20 17:12:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2007-09-20 21:12:24 UTC - RP6 - Deckard's System Scanner Restore Point
4: 2007-09-20 18:39:28 UTC - RP5 - System Checkpoint
3: 2007-09-19 16:58:42 UTC - RP4 - Last known good configuration
2: 2007-09-19 16:58:37 UTC - RP3 - clean1
1: 2007-09-19 16:58:37 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-20 17:13:25
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: (no name) - {010859AE-616F-4B3B-814F-6453A20A603F} - C:\WINDOWS\system32\ssttu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6AF934DC-7451-4E66-B811-5ACDD0A40E07} - C:\WINDOWS\system32\vtstq.dll (file missing)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\fccddda.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147790052587
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) - http://java.sun.com/...indows-i586.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.255.127.85...sCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} () -
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.micr...04/clearadj.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: fccddda - C:\WINDOWS\system32\fccddda.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys

S3 P2k (Motorola iDEN P2k Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 DomainService -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\A66B3B10DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\A66B3B10DC00
Service: NIC1394


-- Files created between 2007-08-20 and 2007-09-20 -----------------------------

2007-09-20 17:05:55 0 d-------- C:\VundoFix Backups
2007-09-19 12:58:48 1975746 ---hs---- C:\WINDOWS\system32\uttss.bak1
2007-09-19 12:58:20 312416 --a------ C:\WINDOWS\system32\ssttu.dll
2007-09-17 17:35:51 0 d-------- C:\WINDOWS\system32\NtmsData
2007-09-14 15:00:17 0 d-------- C:\Program Files\WM Converter
2007-09-14 14:54:22 0 d-------- C:\videooutput
2007-09-14 14:54:19 383238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-09-13 03:14:22 75328 --a------ C:\WINDOWS\system32\eefwcuhv.exe <Not Verified; ; DDC>
2007-09-13 03:13:29 2009073 --ahs---- C:\WINDOWS\system32\qtstv.bak2
2007-09-12 15:14:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\NCH Swift Sound
2007-09-12 15:14:32 0 d-------- C:\Program Files\NCH Swift Sound
2007-09-12 15:14:32 0 d-------- C:\Documents and Settings\Jeff\Application Data\NCH Swift Sound
2007-09-12 15:14:27 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\NCH Software
2007-09-12 15:13:41 0 d-------- C:\Program Files\NCH Software
2007-09-12 15:13:19 6448 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-09-12 15:13:05 109600 --a------ C:\WINDOWS\system32\sptll.dll
2007-09-12 15:07:55 44054 --a------ C:\WINDOWS\system32\fccddda.dll
2007-09-12 14:05:13 0 d-------- C:\Documents and Settings\Jeff\Application Data\AVS4YOU
2007-09-12 14:05:05 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVS4YOU
2007-09-12 14:03:48 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-09-12 14:03:33 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-12 14:03:33 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-12 14:03:33 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2007-09-12 14:03:33 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2007-09-12 14:03:33 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2007-09-12 14:03:32 0 d-------- C:\Program Files\AVS4YOU


-- Find3M Report ---------------------------------------------------------------

2007-09-20 14:22:36 0 d-------- C:\Program Files\e-Sword
2007-09-20 12:30:32 0 d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2007-09-12 14:03:48 0 d-------- C:\Program Files\Common Files
2007-07-25 14:35:46 0 d-------- C:\Program Files\Common Files\Symantec Shared


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{010859AE-616F-4B3B-814F-6453A20A603F}]
09/19/2007 12:58 PM 312416 --a------ C:\WINDOWS\system32\ssttu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AF934DC-7451-4E66-B811-5ACDD0A40E07}]
C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
09/12/2007 03:07 PM 44054 --a------ C:\WINDOWS\system32\fccddda.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/13/2007 11:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{733E9132-53CA-4C97-9AC9-145C4502FA20}"= C:\WINDOWS\system32\fccddda.dll [09/12/2007 03:07 PM 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccddda]
fccddda.dll 09/12/2007 03:07 PM 44054 C:\WINDOWS\system32\fccddda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstq]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ssttu

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\159H]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\keyboard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Luho]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
C:\\mousepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys0305157347-16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdS7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Usqxxorc]
C:\Documents and Settings\Jeff\Application Data\?dobe\d?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wahm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTask driver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{33-3E-E1-1D-ZN}]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 itxt.vibrantmedia.com


-- End of Deckard's System Scanner: finished at 2007-09-20 17:14:56 ------------