Request help w/Aurora- Nail virus (resolved)


  • This topic is locked

#16 Guest_usetobe_* (Guest)
Hi ANDY,

I think that mydoom virus or W32Bot has attached itself to this particular file.

To be sure, carry out online checks from at least 2 of the following (do them all if you want).

Panda

F-secure

Bitdefender

Housecall

If they don't identify it as malicious then cancel the instructions to delete.

Let me know the results

#17 andy1210 (Topic Starter, Member, 14 posts)
Hi,

When in SafeMode, I didn't see the process you listed as running. I attached a screenshot of what processes showed as running in SafeMode.
Attached File: processes_running_screenshot.doc (36.5KB, 24 downloads)

I did delete the file you listed from the C drive in explorer.

I logged back into Normal Mode and Spybot finds a single entry called 'Avenue A'. Just thought I'd let you know that.

Here's the latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:51:28 AM, on 05/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\userinit.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\amartino\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mww.metlife.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ForbesInvesting] C:\Program Files\ForbesInvesting\ForbesInvestingAlerts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures02.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101168491347
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35316F07-35A7-4982-8389-9ADA16B9D4CB}: NameServer = 10.9.167.76,10.10.61.91
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A2CEC9-3209-46A5-8EAF-725563326B62}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: Domain = metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = metlife.com,metlife.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Castanet Tuner 4.6 (Marimba) - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Remote User Service (RemoteUser) - Unknown owner - C:\PROGRA~1\Marimba\CASTAN~1\RemoteUser.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
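Reading a HijackThis log by eye, as the helper does in this thread, means scanning the O23 service owners and the O17 DNS entries line by line. As an added example (not from the thread, and not part of HijackThis itself), here is a small Python parser for the log format posted above: it splits the log into running processes and keyed entries, then pulls out the O23 services with no identified owner and any O17 name servers outside the private (RFC 1918) ranges, two of the items a reviewer checks first. The sample log is constructed from lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, built from lines of the HijackThis v1.99.1 log quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\DWRCS.EXE

O17 - HKLM\System\CCS\Services\Tcpip\..\{E9FBD308-DBF1-4226-B0A0-A4B5EF9BF7CE}: NameServer = 10.5.20.166,10.1.56.63,209.154.36.74,209.154.35.37
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")  # each finding is "<section> - <body>"

def parse_hjt(text):
    """Return (running_processes, [(section, body), ...]) from an HJT log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(text):
    """O23 services with no identified owner, and O17 DNS servers that are
    not on a private range; both are worth a second look in an HJT log."""
    _, entries = parse_hjt(text)
    unsigned, public_dns = [], []
    for section, body in entries:
        if section == "O23" and " - Unknown owner - " in body:
            unsigned.append(body.split(" - ")[0][len("Service: "):])
        elif section == "O17" and "NameServer = " in body:
            for ip in body.split("NameServer = ", 1)[1].split(","):
                if not ipaddress.ip_address(ip.strip()).is_private:
                    public_dns.append(ip.strip())
    return {"unsigned_services": unsigned, "public_dns": public_dns}
```

On the sample above this reports "Ati HotKey Poller" (a known ATI driver helper, so an unknown owner is not itself proof of anything) and the two public resolvers, which on a corporate laptop is normal but is exactly what a reviewer would confirm with the owner.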

#18 Guest_usetobe_* (Guest)
Hi Andy,

Set the PC to show hidden files. Carry out a search for avenue.exe. If found, run a virus scan of that file only, using your installed AV. If it comes back as infected, delete it. If it comes back clean, leave it. More than likely it will come back not found.

Boot into SAFE Mode and give ewido another scan and post the log back in this thread.

#19 andy1210 (Topic Starter, Member, 14 posts)
Hi,

The search for avenue.exe came back file not found. It's hiding in there somewhere.

I ran Ewido in SafeMode. Here's the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:40:38 PM, 05/10/2005
+ Report-Checksum: F72F9D99

+ Date of database: 05/10/2005
+ Version of scan engine: v3.0

+ Duration: 17 min
+ Scanned Files: 93572
+ Speed: 87.52 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
No infected files found!


::Report End

#20 Guest_usetobe_* (Guest)
Hi Andy,

Your Ewido scan comes back clean, your HJT comes back clean.

How many accounts do you have on the machine? It may be that one of your other accounts could still have malware on it that is getting picked up.

#21 andy1210 (Topic Starter, Member, 14 posts)
Hi,

It looks like there are 5 users set up. When I thought I needed a User ID set up to enter SafeMode, I had temporarily set it up then and have since deleted it (I now enter 'SafeMode w/Networking', which accepts my regular ID / Psswd).

I'm not sure what the other IDs are for.

I attached a screenshot showing the description of each User ID.

Attached File: Users_screenshot.doc (70.5KB, 16 downloads)

#22 Guest_usetobe_* (Guest)
The aspnet_wp or ASP.NET Machine Account is created when the Microsoft .NET Framework 1.1 is installed onto a Windows XP computer. The user is created to run the ASP.NET worker process used in Microsoft's Internet Information Services, which allows ASP.NET to run on your local web server (this is pretty much its only use; it is not used to run normal .NET managed executables). There is no need to worry about this user's presence; it was not created in a malicious way.

Support_388945a0 CN=MICROSOFT CORPORATION account is also legitimate. You can disable it if you don't use the Online Help and Support.

The Guest account is legitimate; if you don't expect it to be used by guests, disable that one.

Metuser is obviously your company one, so that's ok as well.

HelpAssistant is also a legitimate account, used if Remote Desktop Assistance is activated on your machine to get remote help.

None of the above lead me to think that there would be anything malicious on any of them.

Your ewido scan shows clean, your HJT log shows clean. Avenue cannot be located on your PC; this may be a false positive by Spybot.

To satisfy yourself, here are the links to several online virus scans. Carry out a few to see if any of them can detect Avenue.

Kaspersky

Trend

Panda Activescan

Bitdefender

F-secure

From your log, I see nothing in the way of trojans, nor any evil entities attempting to possess your computer, except for Windows, but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

#23 andy1210 (Topic Starter, Member, 14 posts)
Well, I'm not sure if there's any significant following of the Grateful Dead in the UK, but in the immortal words of Jerry Garcia, "What a long, strange trip it's been!" :tazz:

For a while there, I wasn't so sure we were going to be able to get my PC back in a more healthy state, but based on what you're saying it looks like you did it. Thanks so much for your help and patience throughout the ordeal. It is MUCH appreciated.

Andy

#24 Guest_usetobe_* (Guest)
Hi Andy,

Glad to be of assistance. Now I'm going for a :tazz:


Problem resolved, topic closed.

The original poster can PM a moderator if this topic needs to be reopened.