[killjuliet]

I think I may have a new W32.Toxbot variant on my system. Below I have listed (1) what I have already done, (2) why I think it is Toxbot, (3) HijackThis log.

(1). I have already taken these measures:

+Adaware SE
+Spybot S&D
+Spywareblaster
+HijackThis (eliminated hosts file)
+Trojan Hunter

+Microsoft's Malware Remover 1.6
+TrendMicro Housecall
+ca Virus Scan
+Symantec W32.Toxbot removal tool

(2). Why I think it is a W32.Toxbot variant:

When not connected to the internet, the dialer informs that the following are requesting connection:

0x80.goingformars.com
0x80.my1x1.com
0x80.my-secure.name.com
0x80.martiansong.com
0xff.memzero.info
0x80.online-software.org

Compare to TOXBOT.C variant:

0xff.devtech.us
0xff.memzero.info
0xDEADBEEF.goingformars.com
0xDEADBEEF.martiansong.com
0xDEADBEEF.my1x1.com
0xDEADBEEF.my-secure.name
mindleak.com

(3). Logfile of HijackThis v1.99.1

Scan saved at 12:36:14 PM, on 7/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dxdmain.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\KatyBeth\Desktop\Maintenance- once a week\HijackThis.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B8239D3-E5C9-44D2-9C16-21E51E9EF5AC}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe



Please help!

Terry

Edited by killjuliet, 26 July 2005 - 02:15 PM.

[Advertisements]

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

[Buckeye_Sam]

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

[Buckeye_Sam]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.