Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help... Looks clean, but it won't DIE. [RESOLVED]


  • This topic is locked This topic is locked

#1
badaxe

badaxe

    Member

  • Member
  • PipPip
  • 30 posts
Travelling in Hong Kong this one managed to slip through my anti-virus protection (6/3/2005).

This is the most tenacious, vicious [bleep] I have ever seen. I have done my best but I need some help.

Symptoms:

1) Favorites changed to include:
AdultGambling.url
Free Online Dating.url
F--- Real Girls.url
Kill Annoying Popups.url
Online Sex Poker
Play Adult-Poker.url
Remove Toolbars.url
Spyware Uninstall.url
XXX personal photos.url

2) Unexpectedly redirected to poker/[bleep] sites when browsing

3) [bleep]/Gambling Pop-ups

Here are the steps I have taken so far:

aa) Windows Update for all Critical Security patches

a) Run McAfee Anti-Spyware (caught a few)
b) Run Microsoft Anti Spyware (shows clean)
c) Run Ad-Aware SE (shows clean)
d) Run Spybot S&D (shows clean)

e) Run OfficeScan Anti-Virus (shows clean)
f) Run Ewido (shows clean)

g) Run HijackThis (following advice here to fix every questionable entry)

h) Run Nail Fix
i) Run CWShredder (shows clean)

j) Run CleanUp to delete all TEMP files, all cookies, all offline content

At this point I was really hoping I was clean. I restart, fire up IE, and cruise around a bit. It usually takes 5 or 6 visits for anything to happen.

Sigh. Still getting redirected. I haven't seen any popups yet. So I took this step:

k) Run PANDA Active Scan. Panda finds 9 'infected' files-- the Favorites mentioned above.

I'm including my Panda log, my Ewido log, and my current HJT log.

Note: I have masked (#) the corporate domain servers; they look fine to me.
The WinVNC entries were installed by corporate IT. They may be compromised now, somehow, for all I know. I am worried about the last O23 entry for WinVNC marked [file missing].


PANDA

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url

EWIDO
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:54:16 AM, 6/8/2005
+ Report-Checksum: B8167123

+ Date of database: 6/8/2005
+ Version of scan engine: v3.0

+ Duration: 31 min
+ Scanned Files: 120829
+ Speed: 63.41 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
No infected files found!


::Report End

HIJACK THIS LOG (perfoming as of this exact moment)
Logfile of HijackThis v1.99.1
Scan saved at 12:04:06 PM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\netOctopus Agent\Nant.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Program Files\netOctopus Agent\nantsecc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\BEN\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = #.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

Advertisements


#2
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
  • 0

#3
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Thank you so much for finally getting to me. I can see you are busy and am very grateful.

Here is my current (normal mode) log. (The two O6 entries are added by Microsoft Anti-Spyware-- I was trying to lock down changes made to IE.)

The problem seems to come ONLY after I have loaded IE a couple of times. I am still getting the same three problems: (a) 'Windows Firewall' bogus pop-up (b) changing my favorties and © redirects.

For other details on what I have tried so far, pls see my first post. I've still been reading here and trying everything. Maybe I have been too smart for my own good, I dunno.

Here's the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:01 AM, on 6/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\netOctopus Agent\Nant.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Program Files\netOctopus Agent\nantsecc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\BEN\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = #.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

#4
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Well your HJT log appears clean.

Regarding the O23...HJT frequently reports files missing when they are not so i wouldn't be too worried about that one..

Do the following to clear out the files that pandascan won't disinfect. You will hve to change the filepath for the entry F---Real girls to the full path as it appears

I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
C:\Documents and Settings\All Users\Favorites\XXX personal photos.url


* Please download the http://www.bleepingc...es/killbox.php]Killbox by Option^Explicit[/url]. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Carry out a free online virus scan from the following link. Type in name, for company type anything you like, add email address in relevant boxes.

Kaspersky

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.
  • 0

#5
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
I'm doing my best to follow your instructions to the letter.

Therefore, I performed my scan in normal mode, and did *not* try to do anything with the files that Kaspersky found. Kaspersky found viruses that everything else missed; on that basis alone I wish it were recommended more prominently on these forums!

Kaspersky did not have any option to fix any of these, just to save a log file, which follows:

KASPERSKY
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 15, 2005 11:06:15
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/06/2005
Kaspersky Anti-Virus database records: 133810
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINNT
C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 17047
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 790 sec

Infected Object Name - Virus Name
C:\WINNT\system32\cisvvc.exe Infected: Trojan-Clicker.Win32.Agent.db
C:\WINNT\system32\drv2cltr.dll Infected: Trojan-PSW.Win32.Agent.am
C:\WINNT\system32\loadctr.exe/data0006 Infected: Trojan-Dropper.Win32.Small.zx
C:\WINNT\system32\loadctr.exe Infected: Trojan-Dropper.Win32.Small.zx
C:\WINNT\system32\loihz.dll Infected: Trojan.Win32.StartPage.xb
C:\WINNT\system32\rdsndin.exe Infected: not-a-virus:AdWare.FindSpy.a

Scan process completed.

Here is the SILENTRUNNERS text file. (Again, I have masked my corporate domain with ###. If this becomes a problem, pls let me know.)

"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"RemoteAgent" = "C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe" ["Trend Micro Inc."]
"NANTSessionAgent" = "C:\Program Files\netOctopus Agent\nantsecc.exe" ["Netopia, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"eabconfg.cpl" = "C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start" ["Compaq"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office 2000\Office\" [file not found]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csexv.exe" [null data]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\
"Logon" -> launches: "\\na.###.com\SysVol\na.###.com\Policies\{33A2FE52-C95F-4D62-B886-8239088889C3}\User\Scripts\Logon\###.cmd" [** WMI GetObject error **]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Disable changing home page settings}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
HIJACK WARNING! "NoBrowserOptions"=dword:00000001
[disables Tools|Internet Options... in Internet Explorer]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Browser Menus|Tools menu: Disable Internet
Options... menu option}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "radbxd0" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe "-run_only_if_connected" "-auto_initiation"" ["Cisco Systems, Inc."]
"TabUserW.exe" -> shortcut to: "C:\WINNT\system32\Wtablet\TabUserW.exe" ["Wacom Technology, Corp."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
netOctopus Agent, netOctopus Agent, "C:\Program Files\netOctopus Agent\Nant.exe" ["Netopia, Inc."]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" [null data]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
TabletService, TabletService, "C:\WINNT\system32\Tablet.exe" ["Wacom Technology, Corp."]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#6
Guest_usetobe_*

Guest_usetobe_*
  • Guest
I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\drv2cltr.dll
C:\WINNT\system32\loadctr.exe/data0006
C:\WINNT\system32\loadctr.exe
C:\WINNT\system32\loihz.dll
C:\WINNT\system32\rdsndin.exe


* Please download the http://www.bleepingc...box.php]Killbox by Option^Explicit[/url]. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Rerun Ewido with PC in normal mode,

Rescan with Kaspersky

Rescan with HJT and post the log back together with the ewiodo report and kaspersky report
  • 0

#7
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
This time, Ewido dug up three of the files that I had just KillBox'ed. But after running Ewido, which found and cleaned 3 of the files, Kaspersky found two more of the previous files (loadctr.exe and its data file 006). But Kaspersky did not find the three files that Ewido found and cleaned, which I *hope* means that they were successfully cleaned by Ewido.

Can't tell you how much I wanted to jump ahead of you here and start KillBox'ing some of these. I am *really* sensitive to the fact that every time I launch IE (to view your reply or run Kaspersky, for example) I am afraid the virus/malware is reloading or moving around...

But I am following directions to the letter.

Here's all three logs, in order:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:56:00 PM, 6/15/2005
+ Report-Checksum: E04709

+ Date of database: 6/15/2005
+ Version of scan engine: v3.0

+ Duration: 33 min
+ Scanned Files: 107191
+ Speed: 52.80 Files/Second
+ Infected files: 4
+ Removed files: 4
+ Files put in quarantine: 4
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\WINNT\system32\loihz.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINNT\system32\rdsndin.exe -> Spyware.FindSpy -> Cleaned with backup


::Report End

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 15, 2005 16:02:42
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/06/2005
Kaspersky Anti-Virus database records: 133885
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 67783
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 3603 sec

Infected Object Name - Virus Name
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\WINNT\system32\loadctr.exe/data0006 Infected: Trojan-Dropper.Win32.Small.zx
C:\WINNT\system32\loadctr.exe Infected: Trojan-Dropper.Win32.Small.zx
D:\BEN\Nailfix\Nailfix\Process.exe Infected: not-a-virus:Tool.Win32.Processor.20
D:\BEN\Nailfix.zip/Nailfix/Process.exe Infected: not-a-virus:Tool.Win32.Processor.20
D:\BEN\Nailfix.zip Infected: not-a-virus:Tool.Win32.Processor.20

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 4:03:20 PM, on 6/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\netOctopus Agent\Nant.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Program Files\netOctopus Agent\nantsecc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
D:\BEN\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ###.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ###.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ###.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
  • 0

#8
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Again,

The only two we need to killbox again are the following.

C:\WINNT\system32\loadctr.exe/data0006
C:\WINNT\system32\loadctr.exe


Carry out the killbox procedure again copying the above two files into notepad.

Then rescan with Kaspersky, this may need a few runs at it
  • 0

#9
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
First, the log-- then a couple of questions at the end.

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 15, 2005 17:09:49
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/06/2005
Kaspersky Anti-Virus database records: 133888
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINNT
C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 17052
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 821 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
-------------------------------------------

It looks clean, but please leave this thread open a bit longer so I can zip around the net for a bit and make sure no popups come back.

I also have a couple of questions:

1) Why would Kaspersky find this thing, but not any other anti-virus or anti-spyware programs? Don't these guys talk to each other and share definition files? :tazz:

2) Why would KillBox need a couple of passes a file to delete it?

2a) I am any more or less likely for KillBox to succeed if I carry out that operation in Safe mode?

Again, it seems to be clean, so THANK YOU! If you would please leave this thread open for 24 hours, I would appreciate it. I want to scale back some of the draconian security settings I put on IE and see if everything is still ok.

I will post back with a final report!
  • 0

#10
Guest_usetobe_*

Guest_usetobe_*
  • Guest
ANSWERS.

1. we frequently find that one antivir program will find something where others don't, hence why i asked you to run an online scan even though you said you had already scanned.

2. Killbox sometimes needs two runs, particulally for trojan droppers as other files may be associated and protecting them, running other programs in conjunction ie ewido can sometimes kill one allowing the other to be got at.

2a. It makes no difference as to whether you are in safe mode or not. The actual killing is carried out on reboot.

Topic will remain open.

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

Advertisements


#11
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
On 1st reboot and connection, Ewido found and cleaned these two:

C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\rdsndin.exe

Google home page also took FOREVER to load up.

I think the jury's still out... but I am seeing the light at the end of the tunnel.
  • 0

#12
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Carry out free online scan from following link

Panda Activescan

Edited by usetobe, 15 June 2005 - 05:06 PM.

  • 0

#13
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
I turned off the Ewido guard before scanning with Panda.

Panda comes up clean.
  • 0

#14
Guest_usetobe_*

Guest_usetobe_*
  • Guest
ok we'll leave topic open for a while
  • 0

#15
badaxe

badaxe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
I'm still getting redirected.

Every time I reboot, I run either Kaspersky (which finds something) or Ewido (which finds something). One of the two will come up clean, and the other program will catch something.

I can't seem to get rid of this same batch of bad actors either through Ewido (clean) or KillBox.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP