PDA

View Full Version : Virus detected whilst using ie



hot_b
2006-07-28, 12:12
Hi,

I have a problem wherby my AV software (nod32) detects a new threat regularly whilst Internet Explorer is being used.

I have run Spyboot & found nothing.

Here is the threat log from nod32 (apologies for formatting..):

Time,Module,Object,Name,Threat,Action,User,Information
28/07/2006 09:47,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=5,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 09:09,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=4,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 09:07,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 09:04,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 09:02,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\32G3JP4L\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 09:02,AMON,file,C:\WINDOWS\TEMP\winD3.tmp,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 09:02,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 09:00,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=5,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 08:40,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=4,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 08:38,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\Q5U9G36B\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 08:38,AMON,file,C:\WINDOWS\TEMP\win362.tmp,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 08:38,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 08:36,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
28/07/2006 08:34,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ZGCSXT3E\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 08:34,AMON,file,C:\WINDOWS\TEMP\win1D0.tmp,Win32/Dialer.PZ trojan,quarantined - deleted - error while cleaning - operation unavailable for this type of object,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
28/07/2006 08:34,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 21:50,IMON,self-extracting archive,http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe,Win32/PrcView application,Connection terminated,STUDY_PC\Matt,
27/07/2006 21:50,IMON,self-extracting archive,http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe,Win32/PrcView application,Connection terminated,STUDY_PC\Matt,
27/07/2006 21:40,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=4,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 20:56,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 19:30,AMON,file,C:\WINDOWS\TEMP\win154.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
27/07/2006 19:30,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 19:30,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\32G3JP4L\bgates[1].exe,Win32/Dialer.PZ trojan,deleted,NT AUTHORITY\SYSTEM,Event occurred at an attempt to access the file by the application: C:\Program Files\Prevx1\PXAgent.exe.
27/07/2006 19:30,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\32G3JP4L\bgates[1].exe,Win32/Dialer.PZ trojan,deleted,NT AUTHORITY\SYSTEM,Event occurred at an attempt to access the file by the application: C:\Program Files\Prevx1\PXAgent.exe.
27/07/2006 19:28,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 18:58,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 18:56,AMON,file,D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\MJCVSTUN\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
27/07/2006 18:56,AMON,file,C:\WINDOWS\TEMP\winCB.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
27/07/2006 18:56,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Matt,
27/07/2006 18:53,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=5,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
25/07/2006 23:23,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
25/07/2006 22:43,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=5,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Matt,
25/07/2006 20:55,AMON,file,D:\DOCUME~1\Matt\LOCALS~1\Temp\AAWTMP\C47309859\ADE1\Setup.exe,Win32/TrojanDropper.VB.NAI trojan,quarantined - deleted,STUDY_PC\Matt,Event occurred on a new file created by the application: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe. The file was moved to quarantine. You may close this window.
25/07/2006 11:32,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=4,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 11:13,AMON,file,D:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\NQ9GL3JN\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 11:12,AMON,file,C:\WINDOWS\TEMP\win2F3.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 11:12,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 10:52,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 10:32,AMON,file,D:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\TXG283HF\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 10:32,AMON,file,C:\WINDOWS\TEMP\win1D9.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 10:32,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 10:10,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=5,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 08:20,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=4,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 08:18,AMON,file,D:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\GHO127KD\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 08:18,AMON,file,C:\WINDOWS\TEMP\win158.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 08:17,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 08:15,IMON,file,http://d.mettere.net/a412/a571.php?m=1&b=1785&c=2,Win32/Dialer.U trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 08:13,AMON,file,D:\Documents and Settings\Jane\Local Settings\Temporary Internet Files\Content.IE5\NQ9GL3JN\bgates[1].exe,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 08:13,AMON,file,C:\WINDOWS\TEMP\win149.tmp,Win32/Dialer.PZ trojan,quarantined - deleted,STUDY_PC\Jane,Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
25/07/2006 08:13,IMON,file,http://www.content-loader.com/getexe/?wmid=bgates,Win32/Dialer.PZ trojan,Connection terminated,STUDY_PC\Jane,
25/07/2006 07:45,AMON,file,C:\WINDOWS\system32\hgggdef.dll,Win32/Adware.Virtumonde application,quarantined - deleted,STUDY_PC\Jane,Event occurred on a newly created file. The file was moved to quarantine. You may close this window.
25/07/2006 07:44,IMON,self-extracting archive,http://d.mettere.net/a412/ac_yb.php?m=1&b=1785,a variant of Win32/TrojanDownloader.PurityScan.BV trojan,,STUDY_PC\Jane,

A manual scan also found:
D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP162\A0019729.exe »NSIS »aaa - Win32/PrcView application - was a part of the deleted object

Panda online scan report to follow

hot_b
2006-07-28, 12:25
A panda AV on line scan reported nothing in any category.

Here's the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 09:51:25, on 28/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\apps\skype\phone\Skype.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Skype] "c:\apps\skype\phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MagicTune3.5.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51BCDE08-3AA9-40A4-939E-BD215272B799}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

NB. from the reference to Virtumode in the nod32 threat log I thought I should use the Vundofix.exe tool. However this reported no infected files.

Running both nod32 manual scans and Spybot from safe mode reported nothing new.

I run nod32, Zone alarm, Spybot and Ad-aware.
Can anyone advise me where to look next? Thanks in advance for any advice.

Cheers,

Matt

pskelley
2006-08-01, 02:57
Welcome to the forum, sorry about the wait, logs are many and volunteers are few. I don't see a lot in the log so we will try to remove the trojan I do see, clean some and look a little, if you still need help, please do this in the posted order.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\winjgf32.dll
and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

3) Download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan and a new HJT log, along with any comments you think will help.



Thanks...pskelley
Safer Networking Forums

hot_b
2006-08-02, 00:55
Hi,

Thanks for your advice. I've followed the instructions and removed the offending dll. In the mean time I also bought Webroot Spysweeper which found & removed the winLogonHook trojan.

The ewido scan is clear:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:48:26 01/08/2006

+ Scan result:


Nothing found.


::Report end

And here is the new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 22:46:48, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\apps\skype\phone\Skype.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [Skype] "c:\apps\skype\phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{51BCDE08-3AA9-40A4-939E-BD215272B799}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

No more symptoms are present, so I'm hoping I'm all clear now?
Thanks again for your help!:bigthumb:

pskelley
2006-08-02, 01:05
Thanks for returning the information. SpySweeper is also a fine program, I try to stay with freeware, but it does offer a nice trial and I use it a lot. Your HJT log appears clean of malware, I would appreciate a look at the SpySweeper "sweep" if you still have. it.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...tashi :) will close your topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-08-06, 20:45
This topic has been archived.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.