Random name generated trojan


#1
Lapthom
New Member, 2 posts
Hello there geeks!
I've followed your guide step by step but there's at least one trojan, which starts up under a random name every time I reboot. Neither Ewido nor TDS-3 can remove it and Norton AntiVirus keeps notifying me about it. It's in my system32 folder and this time it's called sbjekif.exe. Any idea how to get rid of it permanently? Here's my log:


Logfile of HijackThis v1.99.1
Scan saved at 13:01:32, on 22-07-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
c:\windows\system32\sbjekif.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Flles filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Programmer\Flles filer\Symantec Shared\ccApp.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\Flles filer\Real\Update_OB\realsched.exe
C:\Programmer\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmer\SECRETMAKER\secretmaker.exe
C:\Programmer\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\fvmbpvfmky.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-campus.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e-campus.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Flles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmer\Flles filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Flles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fihatmh] C:\WINDOWS\fihatmh.exe
O4 - HKLM\..\Run: [Win32Xp Updater] win32xp.exe
O4 - HKLM\..\Run: [K0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [K0@]"1C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [K0@]"9C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe
O4 - HKLM\..\Run: [# "h'9ӜU3rŲWC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe
O4 - HKLM\..\Run: [dbtxsan] c:\windows\system32\sbjekif.exe r
O4 - HKLM\..\RunServices: [Win32Xp Updater] win32xp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Win32Xp Updater] win32xp.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SECRETMAKER.lnk = C:\Programmer\SECRETMAKER\secretmaker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Programmer\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22....es/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FLLESF~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\Security Center\SymWSC.exe


I thank you in advance

Regards, LapThom

Edited by Lapthom, 22 June 2005 - 06:35 AM.



#2
Wizard
Retired Staff, 5,661 posts
Hi there Lapthom and Welcome!

I need you to do a couple of things first!

Please locate this file win32xp.exe

You may need to have Windows Configured to Show Hidden files to find it, here's a link to help with that!
http://www.bleepingc...torial=62#winxp

Once Located, Right Click and Select "Send To" then Select Compressed (Zipped) Folder

Please email that Zipped Folder here>> filesubmit@charter.net

Now if you Will, Open HijackThis and Click Config>>Misc Tools>>Open Uninstall Manager>>Save list>>Save it to the Desktop!

Place the Results in the Next Post!

Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter win32xp.exe into the Search Box and Save those results

Now Enter win32xp and if the results are different, post them as well!

Post back with those logs and let me know if you were able to locate and Send the file!

Edited by Cretemonster, 22 June 2005 - 06:57 PM.


#3
Lapthom
New Member (Topic Starter), 2 posts
Hi again Cretemonster and thanks for your quick reply!

I configured Windows to show hidden files, but I didn't get any results when I used the Search Assistant to look for win32xp.exe.

But I did the other things instead.
Here's the HijackThis Add/Remove list:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (kun fjernelse)
Baghdad .2 for Desert Combat
Battlefield 1942
CleanUp!
DesertCombat 0.7
DiamondCS TDS-3
Final Fantasy VII
HijackThis 1.99.1
HP Billed-cd
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Invest
K-Lite Codec Pack 2.24 Full
LG PC Sync
LG Phone Manager
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft Age of Empires II
Microsoft Data Access Components KB870669
Microsoft Office 2000 Premium
MSN Messenger 7.0
MSN Toolbar
Music Visualizer Library 1.4.00
Norton AntiVirus 2003
Norton WMI Update
OpenMG Limited Patch 3.1-02-10-22-01
OpenMG Limited Patch 3.1-02-10-22-02
OpenMG Limited Patch 3.1-02-12-04-01
OpenMG Secure Module 3.1
PhotoMix 5.3
PowerDVD
QuickTime
RealPlayer
S3Display
S3Gamma2
S3Info2
Screensavers Installer
SECRETMAKER
Sikkerhedsopdatering til Windows XP (KB883939)
Sikkerhedsopdatering til Windows XP (KB890046)
Sikkerhedsopdatering til Windows XP (KB896358)
Sikkerhedsopdatering til Windows XP (KB896422)
Sikkerhedsopdatering til Windows XP (KB896428)
Skype Beta 0.97
Smart Link 56K Modem
SonicStage 1.5.06
Spybot - Search & Destroy 1.3.1 TX
Starcraft
SuperType
Twister and Utilities
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9-hotfix [Se KB885492 for at f yderligere oplysninger]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
XoftSpy

And here's the register search list:


REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "win32xp.exe" 28-07-2005 18:37:25

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32Xp Updater"="win32xp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32Xp Updater"="win32xp.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32Xp Updater"="win32xp.exe"

[HKEY_USERS\S-1-5-21-126639907-3563514748-4210259494-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="win32xp.exe"

[HKEY_USERS\S-1-5-21-126639907-3563514748-4210259494-1006\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32Xp Updater"="win32xp.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32Xp Updater"="win32xp.exe"


These were the only things I could do. Do I have to be worried for not finding the win32xp.exe?

Thanks again,
LapThom

P.S. I don't think I have a zip program. Do you know a good link for one?

#4
Wizard
Retired Staff, 5,661 posts
I believe that file is the Key Bugger!

You can look through the Logs>>Reports>>History of each of the programs you used like DiamondCS TDS-3 and see if it was IDed and Deleted!

To create a Zipped Folder, you Right Click the Desktop and Select Compressed (Zipped) Folder>> Name it and Hit Enter!

Look in these locations for it

C:\WINDOWS\System32

C:\WINDOWS

Once these folders have been opened, Right Click inside the folder and select "Arrange Icons" then Click "Name", this will Alphabetize them and make it easier to locate them!

While you're searching around there, look for these as well!

win32xp.exe

c:\windows\system32\sbjekif.exe

C:\WINDOWS\fvmbpvfmky.exe

C:\WINDOWS\fihatmh.exe

C:\WINDOWS\jvrycxj.exe

If you locate any of those place a copy into the New Zipped Folder and Email it to me!

You can Delete the originals while in Safe Mode!

OK,on to getting you fixed up!

Copy&Paste these Instructions to Notepad and Save them to your Desktop!

Go to Add\Remove Programs and Remove these

Invest<< Unless you know why it's there!

Screensavers Installer<< Bad Boy!!

XoftSpy<< Less than desirable and you already have better installed!

Download "The Hoster" from here
http://www.funkytoad...load/hoster.zip

Open it and Press "Restore Original Hosts" then press "OK".

Exit Program.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Download Ewido Security Suite, install, then from within the program check for updates BUT don't scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

Solo Antivirus
http://www.srnmicro....ate/TrySolo.exe

Click Update to let Solo check for new updates available, then Click Options, put a check by "Scan Archives" and "Create a Report"

Get Ad Aware Updated!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

From the NailFix Folder, please double-click on Nailfix.cmd.

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Open Ewido and Solo but don't Run or Minimize them!

Right Click the TaskBar and Select Task Manager>> Click Processes>> Look for

fvmbpvfmky.exe<< If found, Click once and Select End Process

Repeat for this one

sbjekif.exe<< If found, Click once and Select End Process

Now when you Kill the next Process, the Desktop and Taskbar will disappear, don't Panic, this is Normal!

Explorer.exe<< Click once and Select End Process

Scan with Solo and Select "Scan&Delete" (The Report will be located in Program Files Folder under SRN Micro)

Scan with Ewido> when prompted> Select to clean and place a check by the box to use this action for all infections!

Once it completes, Click the tab to Save the report and Save it to your Desktop for easy access!

Pay close attention to the logs to see if one of the files mentioned above was Deleted or Renamed!

Once the Scans are Done,in the Task Manager>> Click File>> New Task(Run...)

Type or Copy&Paste C:\WINDOWS\Explorer.EXE into the Open Box and Click OK!

Search for and Delete if found

win32xp.exe

c:\windows\system32\sbjekif.exe

C:\WINDOWS\fvmbpvfmky.exe

C:\WINDOWS\fihatmh.exe

C:\WINDOWS\jvrycxj.exe

C:\Programmer\ISTsvc<< Entire Folder!

C:\Programmer\Ebates_MoeMoneyMaker<< Entire Folder!

Please Let me know if you couldn't Delete any of these files or folders!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [fihatmh] C:\WINDOWS\fihatmh.exe

O4 - HKLM\..\Run: [Win32Xp Updater] win32xp.exe

O4 - HKLM\..\Run: [K0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe

O4 - HKLM\..\Run: [K0@]"1C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe

O4 - HKLM\..\Run: [K0@]"9C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe

O4 - HKLM\..\Run: [# "h'9ӜU3rŲWC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe

O4 - HKLM\..\Run: [dbtxsan] c:\windows\system32\sbjekif.exe r

O4 - HKLM\..\RunServices: [Win32Xp Updater] win32xp.exe

O4 - HKCU\..\Run: [Win32Xp Updater] win32xp.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Programmer\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Scan with Ad Aware>>Remove all it finds and Delete all Quarantine Files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
http://www.kaspersky...oduct=161744315

You will need to be using Internet Explorer for the Scan to work!

Save a Report if Possible!

Post back with a fresh HijackThis log and the reports from Ewido>> Solo and Kaspersky's Online Scan!
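As an added example (not code from the thread, from HijackThis or from the helper), here is a small Python triage script that applies to a constructed HijackThis log excerpt the same kinds of checks the fix list above applies by hand: a system.ini Shell= value that loads a second program, a hosts-file redirect, O4 Run entries that reference a bare file name, drop an executable straight into C:\WINDOWS, carry a corrupt value name, or repeat the same value in several autostart keys, and an O23 service whose file is missing. The heuristics, the regex thresholds and the sample lines are my assumptions; because a random-name trojan cannot be recognised by file name alone, the checks look at where the file lives and how the entry is registered rather than at the name.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format, modelled on the kinds of
# lines shown in the thread's log (a subset, not the whole log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Flles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [fihatmh] C:\WINDOWS\fihatmh.exe
O4 - HKLM\..\Run: [Win32Xp Updater] win32xp.exe
O4 - HKLM\..\Run: [K0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\jvrycxj.exe
O4 - HKLM\..\Run: [dbtxsan] c:\windows\system32\sbjekif.exe r
O4 - HKLM\..\RunServices: [Win32Xp Updater] win32xp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Win32Xp Updater] win32xp.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<rest>.*)$")
WINDIR_RE = re.compile(r"[a-z]:\\windows\\[^\\]+")   # file directly in %WINDIR%, no subfolder
RANDOMISH_RE = re.compile(r"[a-z]{6,}")              # assumed shape of a generated name

def split_target(rest):
    """Return the program path from an O4 value, dropping any arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split()[0] if rest else ""

def analyse(log):
    """Return (section, reason, line) triples for entries worth a second look."""
    findings = []
    labels = defaultdict(list)            # value name -> autostart keys it appears in
    for line in log.strip().splitlines():
        if line.startswith("F2 - REG:system.ini: Shell="):
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("F2", "shell value loads a second program", line))
        elif line.startswith("O1 - Hosts:"):
            findings.append(("O1", "hosts file redirects a host name", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:   # stray quotes or brackets in the value name, as in the thread
                findings.append(("O4", "corrupt or unparseable value name", line))
                continue
            target = split_target(m["rest"])
            stem = target.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            labels[m["label"].lower()].append(m["hive"])
            if "\\" not in target:
                findings.append(("O4", "bare file name, found via the search path", line))
            elif WINDIR_RE.fullmatch(target.lower()):
                findings.append(("O4", "executable placed directly in the Windows directory", line))
            elif RANDOMISH_RE.fullmatch(m["label"]) and RANDOMISH_RE.fullmatch(stem) and m["label"] != stem:
                findings.append(("O4", "random-looking value name differs from file name", line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(("O23", "service points at a missing file", line))
    for label, hives in labels.items():
        if len(hives) > 1:   # one program registered in several autostart keys
            findings.append(("O4", "same value in %d autostart keys" % len(hives), label))
    return findings

if __name__ == "__main__":
    for section, reason, line in analyse(SAMPLE_LOG):
        print(f"{section:4} {reason}: {line}")
```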