Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

it began w/nav bloodhound.w32.ep detect

Started by dieselten , Nov 25 2004 09:22 PM

  • This topic is locked This topic is locked

#1
dieselten
Posted 25 November 2004 - 09:22 PM

dieselten

    New Member

  • Member
  • Pip
  • 2 posts
An out-of-date nav detected a bloodhound.wp32.ep virus last night. At the same time, browser was hijacked. Screen background replaced with message "WARNING! YOU'RE IN DANGER" followed by some poor grammar.

Read a few of the related posts and replies. The progams to be deleted or fixed in hijackthis are not the same, so I'm being cautious. Have downloaded and run Ad-Aware, Spybot, AVG. AVG Resident shield could delete only three of the nine or so viruses it detected. (Neither could it heal or vault them.) One such virus it dubs Java/ByteVerify. Others were trojan horses. It redirects me to Microsoft Update page for suggestions on removal, but I don't find specific information there. Have updated with microsoft sp1a but not 2 yet.

Here is hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:09:00 PM, on 11/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Software\software.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\WINDOWS\System32\eeexe.exe
C:\WINDOWS\System32\efvee.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Software] C:\WINDOWS\System32\Software\software.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRA~1\PESTPA~1\ppclean.exe" "clean" "ts:20041125030553732" "euniverse" "2"
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.finefind.net
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Apologies for the hijacker's rough language.

FYI, AVG identified another virus with the tag: GetAccess.class, living in my local user's temp files.

Any help would be appreciated. Hard to fight off hijackers and roast a turkey at the same time. --dieselten
  • 0

Advertisements

#2
dieselten
Posted 25 November 2004 - 09:35 PM

dieselten

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
To go with with posted hijackthis log, here is AVG log for detected viruses, along action that AVG took:

"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2d874979-39d4c503.zip:\GetAccess.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2d874979-39d4c503.zip:\InsecureClassLoader.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2d874979-39d4c503.zip:\Installer.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-5c1a03da.zip:\GetAccess.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-5c1a03da.zip:\InsecureClassLoader.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Documents and Settings\Ben\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-5c1a03da.zip:\Installer.class","Virus identified Java/ByteVerify","Infected, Embedded object"
"C:\Program Files\PestPatrol\Quarantine\20040829120942740.zip:\WINDOWS\downloaded program files\istactivex.dll","Trojan horse Downloader.Istbar.4.G","Infected, Embedded object"
"C:\Program Files\PestPatrol\Quarantine\20040829120942740.zip:\WINDOWS\syssfitb.exe","Trojan horse Downloader.Agent.4.BJ","Infected, Embedded object"
"C:\Program Files\PestPatrol\Quarantine\20041125030553732.zip:\Program Files\internet optimizer\update\actalert.exe","Trojan horse Downloader.Dyfica.2.AN","Infected, Embedded object"
"C:\Program Files\PestPatrol\Quarantine\20041125030553732.zip:\Program Files\internet optimizer\actalert.exe","Trojan horse Downloader.Dyfica.2.AN","Infected, Embedded object"
"C:\Documents and Settings\Ben\Local Settings\Temp\temp.fr7C31","","Deleted"
"C:\Documents and Settings\Ben\Local Settings\Temp\Temporary Internet Files\Content.IE5\EF4BELAX\gdnUS208[1].exe","","Deleted"
"C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\AL4VGN01\gdnUS208[1].exe","","Deleted"
"C:\Program Files\Internet Optimizer\actalert.exe","","Deleted"
"C:\Program Files\Internet Optimizer\update\actalert.exe","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP288\A0062545.exe","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0064872.dll","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0064911.dll","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0065361.dll","","Deleted"
"C:\WINDOWS\imqbal.dat","","Deleted"
"C:\WINDOWS\iplu32.dll","","Deleted"
"C:\WINDOWS\nem220.dll","","Deleted"
"C:\WINDOWS\wsem302.dll","","Deleted"
"C:\WINDOWS\Downloaded Program Files\111774.exe","","Deleted"
"C:\WINDOWS\SYSTEM32\appsi32.dll","","Deleted"
"C:\WINDOWS\SYSTEM32\ipfe32.dll","","Deleted"

--dieselten
  • 0

#3
MFDnSC
Posted 26 October 2006 - 05:52 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP