Infected by ( i think) Blackmal worm/virus

#1 Rouilla (New Member, 2 posts)

Hi guys, this morning when I woke up I had an alert from my AV, F-Secure, saying it had stopped an intrusion attempt. I didn't think much about it since it happens from time to time. Call me paranoid or just safety aware, but I keep my system very clean, running my AV often, and also the free online scans from Trend Micro, BitDefender etc. I also have Ad-Aware, Spy Sweeper, Spybot, Pest Patrol and BulletProof Spyware/Adware Remover, which I run at least twice a week. I also use HijackThis from time to time and do the online analysis at http://hijackthis.de to check that all is as it should be.

So, now to my problem: I rebooted my computer an hour or so after I woke up because I installed a new RAM memory stick. I then went to http://hijackthis.de and pasted my HijackThis log file and got this alert:

running process. (.EXE)
Added as a result of the BLACKMAL VIRUS!

I have run all of my anti-spyware programs as well as my F-Secure AV but find nothing.

So, what do I do about this? All tips and hints are very appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 15:47:53, on 2005-08-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\Program\Mouse Driver\mouse_2k.exe
C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\NovaStor\NovaBACKUP\NSENGINE.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
D:\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\FWES\Program\fsdfwd.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\F-Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
D:\Div. Program\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program\Mouse Driver\mouse_2k.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [FreeRAM XP] "D:\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...agingUI.cab34120.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...essengerStatsPAClient.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....ources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...PAChat.cab32846.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...v6/V5Controls/en/x86/client/wuweb_site.cab?1119979520562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefend...bitdefender.cab
O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory....pDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...s5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...nmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...tro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...nkshot.cab31267.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...zpa_pool.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...roxy.cab35645.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/...s/ZPA_Backgammon.cab36385.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc. - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NsEngine - Unknown owner - C:\Program\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
#2 Rouilla (Topic Starter, New Member, 2 posts)

You can mark this one as resolved, it was just a stupid error in Notepad.
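The follow-up says the alert came down to an error in Notepad. A common way a HijackThis log gets mangled is being saved or pasted with Word Wrap on: a long path is broken across two lines, and its tail (for example ".EXE") becomes a line of its own, which any tool that reads the log one physical line at a time then treats as a running process named ".EXE". The following is an added example, not code from the original thread or from HijackThis, run on a constructed log fragment modelled on the shape of the one above. It shows the spurious entries such a line-oriented read produces, a rejoin pass that folds wrapped fragments back into their entry, and a sanity check on the running-process list. The entry-start patterns (HEADER, ITEM, DRIVE_PATH) and the glue heuristic are assumptions about the log format, not something the thread states.

```python
import re

# Constructed sample shaped like a HijackThis v1.99 log (not the poster's real
# log). Three entries are word-wrapped the way an editor with Word Wrap on
# breaks long lines: a process path whose ".EXE" tail is on its own line, a
# path broken inside "ATI Control Panel", and an O23 entry spread over 3 lines.
WRAPPED_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:47:53, on 2005-08-16
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1
.EXE
C:\Program\ATI Technologies\ATI Control
Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.google.se/
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure\TNB\TNBUtil.exe" /CHECKALL
/WAITFORSW
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - BackWeb Technologies Inc.
-
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
"""

# What a genuine entry looks like at the start of a physical line. These are
# assumptions about the HijackThis 1.99 text format.
HEADER = re.compile(r"^(?:Logfile of|Scan saved|Platform:|MSIE:)")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")      # an entry only under "Running processes:"
ITEM = re.compile(r"^[RFNO]\d{1,2} - ")        # R0, F2, N1, O4, O16, O23 ...
PROCESS_PATH = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|com|scr|pif)$", re.IGNORECASE)


def _glue(prev: str, frag: str) -> str:
    """Separator between an entry and a wrapped fragment of it.

    No space when the break clearly fell inside one token (".EXE" after
    "SERVIC~1", "exe" after "fsbwsys."). A break inside a bare token with no
    delimiter at all ("cab3412" / "0.cab") cannot be told apart from a lost
    space, so that case is left to a human, or to regenerating the log.
    """
    if frag.startswith(".") or (prev.endswith((".", "\\", "/")) and frag[0].isalnum()):
        return ""
    return " "


def split_entries(text: str, rejoin: bool = True) -> list:
    """Split a log into logical entries; "" marks a blank separator line.

    rejoin=False is the view of a tool that treats every physical line as an
    entry. rejoin=True folds a line that cannot start an entry into the
    previous one.
    """
    entries, in_processes = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False
            entries.append("")
            continue
        if line == "Running processes:":
            in_processes = True
            entries.append(line)
            continue
        starts_entry = bool(
            HEADER.match(line)
            or (in_processes and DRIVE_PATH.match(line))
            or (not in_processes and ITEM.match(line))
        )
        if rejoin and entries and entries[-1] and not starts_entry:
            entries[-1] += _glue(entries[-1], line) + line
        else:
            entries.append(line)
    return entries


def running_processes(entries: list) -> list:
    """Entries under "Running processes:" up to the next blank line."""
    procs, collecting = [], False
    for entry in entries:
        if entry == "Running processes:":
            collecting = True
        elif collecting and entry == "":
            break
        elif collecting:
            procs.append(entry)
    return procs


def malformed_processes(paths: list) -> list:
    """Running-process entries that are not a full path to an executable.

    Windows did not run something called ".EXE", nor a path with no extension;
    such entries are almost always wrapped lines, and handing them to a
    signature lookup is one way a clean machine gets flagged for a worm.
    """
    return [p for p in paths if not PROCESS_PATH.match(p)]


if __name__ == "__main__":
    naive = running_processes(split_entries(WRAPPED_LOG, rejoin=False))
    fixed = running_processes(split_entries(WRAPPED_LOG, rejoin=True))
    print("line-oriented view flags:", malformed_processes(naive))
    print("after rejoining wrapped lines:", malformed_processes(fixed))
```

On the constructed fragment the line-oriented view reports four bogus process entries, ".EXE" among them, while the rejoined view reports none. The rejoin is a repair for a log you already have; the reliable fix is to turn Word Wrap off before saving or copying the log so the analyser never sees a split line.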