Command center / Outer Info / Viruses

cartoonistaaron
2007-08-05, 03:22
I came to visit my Dad and found his computer absolutely soaked with malware. Can it be fixed or should I format the hard drive? Following is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:20:28 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1170376783\ee\AOLSoftware.exe
C:\WINDOWS\zrilyjbA.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\YMBOLS~1\msdtc.exe
C:\Program Files\?icrosoft.NET\n?lookup.exe
C:\WINDOWS\system32\regscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170376783\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [zrilyjbA] C:\WINDOWS\zrilyjbA.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qeekjtfg.dll",forkonce
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [rwqf] C:\Program Files\Common Files\rwqf\rwqfm.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\YMBOLS~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Hcxsc] "C:\Program Files\?icrosoft.NET\n?lookup.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

cartoonistaaron
2007-08-05, 03:24
Here is the online scan log (hopefully I've formatted it correctly):

checkin[1].htm VBS/MS06-014!exploit infected C:\Documents and Settings\Cathy\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\
Anima.class-6b4b0ba7-7ada0c4f.class Java/ByteVerify!exploit infected C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
omfg.class-5a8a5bd2-26142ca4.class Java/Shinwow.BD infected C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
abc123HJpDa.exe Win32/Oneraw!generic infected C:\Documents and Settings\Michael\Local Settings\Temp\
b116.exe Win32/Clspring.GA infected C:\Documents and Settings\Michael\Local Settings\Temp\
snapsnet.exe Win32/SillyDl.DBH infected C:\Documents and Settings\Michael\Local Settings\Temp\
_affvm[1] Win32/Vundo!generic infected C:\Documents and Settings\Michael\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LUBCXER\
smax4pnp.exe Win32/Secdrop.MT infected C:\Program Files\Analog Devices\Core\
issch.exe Win32/Secdrop.MT infected C:\Program Files\Common Files\InstallShield\UpdateService\
isuspm.exe Win32/Secdrop.MT infected C:\Program Files\Common Files\InstallShield\UpdateService\
MediaDetect.exe Win32/Secdrop.MT infected C:\Program Files\Corel\Corel Photo Album 6\
DMXLauncher.exe Win32/Secdrop.MT infected C:\Program Files\Dell\Media Experience\
DSAgnt.exe Win32/Secdrop.MT infected C:\Program Files\Dell Support\
IntelMEM.exe Win32/Secdrop.MT infected C:\Program Files\Intel\Modem Event Monitor\
iTunesHelper.exe Win32/Secdrop.MT infected C:\Program Files\iTunes\
jusched.exe Win32/Secdrop.MT infected C:\Program Files\Java\j2re1.4.2_03\bin\
hoqexi83122.dll Win32/Zquest.F infected C:\Program Files\Messenger\
msmsgs.exe Win32/Secdrop.MT infected C:\Program Files\Messenger\
mimboot.exe Win32/Secdrop.MT infected C:\Program Files\MUSICMATCH\Musicmatch Jukebox\
mm_tray.exe Win32/Secdrop.MT infected C:\Program Files\MUSICMATCH\Musicmatch Jukebox\
qttask.exe Win32/Secdrop.MT infected C:\Program Files\QuickTime\
RealPlay.exe Win32/Secdrop.MT infected C:\Program Files\Real\RealPlayer\
tgcmd.exe Win32/Secdrop.MT infected C:\Program Files\support.com\bin\
pccguide.exe Win32/Secdrop.MT infected C:\Program Files\Trend Micro\Internet Security 12\
TMAS_OEMon.exe Win32/Secdrop.MT infected C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\
sysdirl.exe Win32/Ilomo.I infected C:\
sysomwp.exe Win32/Ilomo.I infected C:\
sysxbyk.exe Win32/Ilomo.I infected C:\
U.exe Win32/Ilomo.I infected C:\
dls0523pmw.exe Win32/SillyDl.DBK infected C:\WINDOWS\
ancmurfm.exe Win32/Abetear.B infected C:\WINDOWS\system32\
b02FdUe1065.exe Win32/SillyDl.DBH infected C:\WINDOWS\system32\b02FdUe\
ddcca.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
tfswctrl.exe Win32/Secdrop.MT infected C:\WINDOWS\system32\dla\
edsmrhgu.exe Win32/Abetear.B infected C:\WINDOWS\system32\
etdalnpt.exe Win32/Abetear.B infected C:\WINDOWS\system32\
fxxiiced.dll Win32/Darksma!generic infected C:\WINDOWS\system32\
hkcmd.exe Win32/Secdrop.MT infected C:\WINDOWS\system32\
igfxpers.exe Win32/Secdrop.MT infected C:\WINDOWS\system32\
igfxtray.exe Win32/Secdrop.MT infected C:\WINDOWS\system32\
jedjuliw.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
jkkkjjh.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
misbcbhw.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
oiqkbtbr.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
oklagllu.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
qeekjtfg.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
ssqonlk.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
tsilbwbf.exe Win32/Secdrop.OC infected C:\WINDOWS\system32\
wkqtpvnf.exe Win32/Abetear.B infected C:\WINDOWS\system32\
kmhp83122.exe Win32/Zquest.F infected C:\WINDOWS\system32\X1\
z553.exe Win32/Multidropper.CN infected C:\WINDOWS\system32\X11\
xxyywur.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
yfdofbva.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
svcipa.exe Win32/Athsap.C infected C:\WINDOWS\Temp\
zrilyjb.exe Win32/SillyDl.DBJ infected C:\WINDOWS

I appreciate the help, this forum helped me with my girlfriend's computer not too long ago and it has run like clockwork ever since. Thanks!!

-Aaron

pskelley
2007-08-05, 15:13
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Aaron, I'll be candid, you have a very infected computer. I see PurityScan/OIN and Vundo of course, the Zeno_Think-Adz ADWARE! and this pest:
http://www.ca.com/securityadvisor/pest/pest.aspx?id=453113195
You also have: http://www.fileresearchcenter.com/D/DLS0523PMW.EXE-10734.html
and Command Service (cmdService) Command command.exe Status X Description Adware
There are other trojans also that I can't identify.

The real issue is with this one:
C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
http://www.google.com/search?hl=en&q=regscan.exe&btnG=Search
Now that is a backdoor trojan no doubt, I would say probably this one:
http://www.sophos.com/virusinfo/analyses/w32rbotha.html
Allows others to access the computer
Steals information
Records keystrokes
Installs itself in the Registry
Exploits system or software vulnerabilities
Used in DOS attacks
If you want to scan to see which one it is, use this free tool: http://www.virustotal.com/

Out of concern for your security, I believe you should have this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks...Phil
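As an added example (not the thread's own tool, and not HijackThis itself), here is a Python triage script that joins the O4 Run entries from the HijackThis log with the online scanner's detections and applies the kinds of checks Phil's reply relies on: the target file appears in the scanner hits, "?" characters standing in for unprintable bytes in a path, an executable sitting directly in C:\WINDOWS, and rundll32 loading a DLL at logon. The log excerpts are constructed from lines quoted in the thread; the rule names and the choice of rules are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the O4 (Run key) lines from the HijackThis log in the thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [zrilyjbA] C:\WINDOWS\zrilyjbA.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qeekjtfg.dll",forkonce
O4 - HKCU\..\Run: [Hcxsc] "C:\Program Files\?icrosoft.NET\n?lookup.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
"""
# Constructed excerpt of the online scan log: "<file> <detection> <status> <directory>".
SCAN_LOG = r"""
igfxtray.exe Win32/Secdrop.MT infected C:\WINDOWS\system32\
qeekjtfg.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
zrilyjb.exe Win32/SillyDl.DBJ infected C:\WINDOWS
"""
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll; non-greedy, so "?icrosoft.NET\n?lookup.exe" stays whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)

def key(path) -> str:
    """Lowercase canonical string so HijackThis and scanner paths compare equal."""
    return str(PureWindowsPath(path)).lower()

def parse_scan_log(text: str) -> dict:
    """Map canonical full path -> detection name for each line marked 'infected'."""
    hits = {}
    for line in text.strip().splitlines():
        name, detection, status, directory = line.split(" ", 3)
        if status == "infected":
            hits[key(PureWindowsPath(directory) / name)] = detection
    return hits

def triage(hjt_text: str, scan_text: str) -> dict:
    """Flag O4 Run entries (keyed by entry name) with the reasons a reviewer should see."""
    hits, flagged = parse_scan_log(scan_text), {}
    for line in hjt_text.strip().splitlines():
        m = O4_RE.match(line)
        p = PATH_RE.search(m["cmd"]) if m else None
        if not p:
            continue
        name, cmd, path = m["name"], m["cmd"], p.group(0)
        reasons = []
        if key(path) in hits:
            reasons.append("scanner: " + hits[key(path)])
        if "?" in path:  # unprintable characters substituted in a folder or file name
            reasons.append("non-printable chars in path")
        if PureWindowsPath(path).parent == PureWindowsPath(r"C:\WINDOWS"):
            reasons.append("executable directly in C:\\WINDOWS")
        if cmd.lower().startswith("rundll32"):
            reasons.append("rundll32 loading a DLL at logon")
        if reasons:
            flagged[name] = (path, reasons)
    return flagged
```

Note that regscan.exe, the entry Phil singles out as the real backdoor, trips none of these rules and was not in the scanner's list either; that is exactly the case where looking the file name up by hand, as his reply does, is still needed.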

cartoonistaaron
2007-08-05, 17:52
Phil, I appreciate your words of advice. My Dad is not very computer-literate and so I'll be doing the backing up, reformatting and reinstalling myself, something I was loath to do if it was avoidable -- but it sounds like that's the best course of action. My Dad is a self-employed artist and keeps client information on the computer, and, of course, does all of his banking there. The computer has been disconnected since he told me what was going on. I will have him use my computer later to get his passwords changed.

My next question is, before reformatting, is it safe to save anything from this machine (old emails, QuickBooks files, etc) or is there a possibility then of just transferring infected files back to the computer after it's been reformatted?

pskelley
2007-08-05, 18:54
The hackers usually infect .exe and .dll files, but that is not all. I would keep only what you must and take the time to scan anything you are unsure of; Trend should have a feature to scan specific areas. The stuff you are getting from the CDs is of course going to be safe. Here is some good information:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
Thanks

tashi
2007-08-13, 22:02
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.