PDA

View Full Version : Trojan trouble



DarkStar
2006-08-28, 02:52
I have been clean of malware and viruses for a couple years now, so this is rather unusual for me

Some symptoms (example file names are in bold):

1. iexplore.exe tries to connect to the internet on startup.

2. A program called (I think) "Monaco Gold Casino" tried to download/install itself at one time, which I promply killed.

3. At random times, AVG gives around 9 warnings in a row about Trojan files in C:\WINDOWS\system32\ and the name in the format: {C3136BED-7241-4140-BBA1-730C73F7EA05}.exe The name of the trojan that AVG reports and the string of numbers vary. An example of a name that AVG reports is Generic.XVF. When I tell AVG to do somthing with the files, I says (and I am paraphrasing) that it is unable to access them. Most of the time when I try to look for the files by hand, they do not show up in the system32 foulder. The one time I did find one, it had a simmalar icon to the "Monaco Gold Casino" task bar icon.

4. Several trojans were detected in system restore backups with name format A0036661.exe AVG said that it "healed" them, but they kept showing up in scans untill I deleted all system restore points.

5. Firefox and various other programs stoped working. When I try to open one, it will use up 95-100% of CPU time and do nothing. I had to install Opera to write this.

Things I have tried:

A. Ran Ad-aware. It fould mulitaple trojans in the JRE cache, a copy of CWS, and a couple others.

B. Ran Cwshredder. Found nothing.

C. Ran Spybot S&D. Runs extreamly slowly, then after 20 minutes locks up at around item 5000. Never managed to finish a scan. Reinstalling did not help. I checked, and it is not a heat issue.

D. Ran Windows Update (about a month out of date), and downloaded 29 patches (25 security related, one critical)

E. Ran HJT. Log included. I assume that the IP address from the Ukraine are not a good thing.


I am normaly fairly good with computers (I help clean up other peoples computers for them), but this one has me stumped. I hope one of you has some insight on what is causing this.

Some computer info not in the HJT log:
Athlon 64 3000+ (Venice core)
MSI Neo4 Platinum motherboard
2GB ram
C: OS drive
D: Programs drive and 20GB for Mandrive Linux
E: Photo database
J: Bulk data storage


Logfile of HijackThis v1.99.1
Scan saved at 7:34:09 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Programs\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
D:\Programs\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\msdtc.exe
D:\Programs\D4\D4.exe
D:\Programs\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Programs\Internet Explorer\iexplore.exe
D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
D:\Programs\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\alg.exe
D:\Programs\Opera\Opera.exe
C:\WINDOWS\Explorer.EXE
D:\downloads\Utiletys\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programs\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [InCD] D:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] D:\Programs\D4\D4.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wlzvc.exe] C:\WINDOWS\system32\wlzvc.exe
O4 - HKCU\..\Run: [WinColorReminder] D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
O4 - HKCU\..\Run: [TClockEx] D:\Programs\TClockEx\TCLOCKEX.EXE
O4 - Startup: HotSync Manager.lnk = D:\Programs\palmOne\HOTSYNC.EXE
O4 - Global Startup: MonacoGamma.lnk = D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.phaseone.com
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE6B4F-2823-460C-B123-72B5559F697E}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{776DC5EE-336E-47E8-B185-6D8F6ED99245}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF77C9D3-405F-4765-998A-4A0E278445F4}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0082535-5F8D-4ED8-A47D-DF57F9533F59}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - D:\Programs\DirMS\DirmsService.exe
O23 - Service: DM1Service - Unknown owner - D:\Programs\Olympus\DeviceDetector\DM1Service.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - D:\Programs\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

illukka
2006-08-28, 13:18
hi

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

DarkStar
2006-08-28, 20:06
FixWareOut Report:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A55E1DAB57D-CC9B-1D84-0BC7-621CAB43{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F8EE9C937AD6-4679-B6B4-73A3-DC5B4E65{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E3F3E2C374EC-7D29-5134-2F6F-AE54C61A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B1F636A90376-34FB-4124-EEBF-E4C1E14A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ED751B495F91-E74B-59F4-110B-41F76353{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}185C012F2066-331A-F3A4-2142-A008D845{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CEA2C6AFCEEE-3E3A-FEE4-F600-1EAB8C01{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F10A72512A94-B80B-D204-9C5B-F4506916{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4A7CB080F960-BEBB-92E4-EE26-ECD21454{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0942B71A3C99-B6D9-8DB4-FE21-93BD37D8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CA018697F50F-F17A-FA84-B160-E32EBD69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E8E5B640C852-0348-90E4-C4A1-ABB85B64{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2CA2A9D20429-A009-3D64-1279-24034508{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}97183C62AE85-F708-F694-6836-5FF162D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C9A9815AA1FA-012B-AC34-9F70-54BBEEC7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CB804FBE72-0198-5C44-95B5-9D6033F0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D81BB6EEE25B-518A-6234-8259-FC63C082{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E8694F253EA-CF29-6234-7F36-01CF7571{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93A6B9DF8665-1B09-4EB4-52F9-915173F0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFC641F8BAF0-659A-78B4-63EF-4AADAD3E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}749184B97739-3458-6E84-E206-95FC7F07{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3E0D62074C07-7798-3F74-C69B-97115637{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB10A2A9D82F-862A-58F4-B750-38615D86{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E494B047D7A4-4CFB-9E44-C3D6-9DD16287{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9B5840837920-48B8-2554-CC19-DD5F08D0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8695E12105ED-A8B8-EEF4-C15B-D346E3DF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}210FD56A3527-1EC8-0BB4-8146-F070F107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A3EEED86ACE6-255B-1134-02CB-BF71A74F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSJIF.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSJIF.EXE 51,219 2006-08-24

Other suspects.
Directory of C:\WINDOWS\system32
{F47A17FB-BC20-4311-B552-6ECA68DEEE3A}.exe
{701F070F-6418-4BB0-8CE1-7253A65DF012}.exe
{FD3E643D-B51C-4FEE-8B8A-DE50121E5968}.exe
{0D80F5DD-91CC-4552-8B84-0297380485B9}.exe
{78261DD9-6D3C-44E9-BFC4-4A7D740B494E}.exe
{68D51683-057B-4F85-A268-F28D9A2A01BA}.exe
{73651179-B96C-47F3-8977-70C47026D0E3}.exe
{70F7CF59-602E-48E6-8543-93779B481947}.exe
{E3DADAA4-FE36-4B87-A956-0FAB8F146CFC}.exe
{0F371519-9F25-4BE4-90B1-5668FD9B6A39}.exe
{1757FC10-63F7-4326-92FC-AE352F4968E0}.exe
{280C36CF-9528-4326-A815-B52EEE6BB18D}.exe
{0F3306D9-5B59-44C5-8910-27EBF408BC70}.exe
{7CEEBB45-07F9-43CA-B210-AF1AA5189A9C}.exe
{5D261FF5-6386-496F-807F-58EA26C38179}.exe
{80543042-9721-46D3-900A-92402D9A2AC2}.exe
{46B58BBA-1A4C-4E09-8430-258C046B5E8E}.exe
{96DBE23E-061B-48AF-A71F-F05F796810AC}.exe
{8D73DB39-12EF-4BD8-9D6B-99C3A17B2490}.exe
{45412DCE-62EE-4E29-BBEB-069F080BC7A4}.exe
{6196054F-B5C9-402D-B08B-49A21527A01F}.exe
{10C8BAE1-006F-4EEF-A3E3-EEECFA6C2AEC}.exe
{548D800A-2412-4A3F-A133-6602F210C581}.exe
{35367F14-B011-4F95-B47E-19F594B157DE}.exe
{A41E1C4E-FBEE-4214-BF43-67309A636F1B}.exe
{A16C45EA-F6F2-4315-92D7-CE473C2E3F3E}.exe
{34BAC126-7CB0-48D1-B9CC-D75BAD1E55A1}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



New HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 1:00:03 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Programs\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
D:\Programs\Ahead\InCD\InCD.exe
D:\Programs\D4\D4.exe
D:\Programs\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
D:\Programs\palmOne\HOTSYNC.EXE
C:\WINDOWS\Explorer.EXE
D:\downloads\Utiletys\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programs\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [InCD] D:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] D:\Programs\D4\D4.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ufvvl.exe] C:\WINDOWS\system32\ufvvl.exe
O4 - HKCU\..\Run: [WinColorReminder] D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
O4 - HKCU\..\Run: [TClockEx] D:\Programs\TClockEx\TCLOCKEX.EXE
O4 - Startup: HotSync Manager.lnk = D:\Programs\palmOne\HOTSYNC.EXE
O4 - Global Startup: MonacoGamma.lnk = D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.phaseone.com
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE6B4F-2823-460C-B123-72B5559F697E}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{776DC5EE-336E-47E8-B185-6D8F6ED99245}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF77C9D3-405F-4765-998A-4A0E278445F4}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0082535-5F8D-4ED8-A47D-DF57F9533F59}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - D:\Programs\DirMS\DirmsService.exe
O23 - Service: DM1Service - Unknown owner - D:\Programs\Olympus\DeviceDetector\DM1Service.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - D:\Programs\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

illukka
2006-08-28, 22:09
hi

ok now lets do the following:

First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware

next:
open hijackthis, click do a system scan only

checkmark these lines:

O4 - HKLM\..\Run: [ufvvl.exe] C:\WINDOWS\system32\ufvvl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE6B4F-2823-460C-B123-72B5559F697E}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{776DC5EE-336E-47E8-B185-6D8F6ED99245}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF77C9D3-405F-4765-998A-4A0E278445F4}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0082535-5F8D-4ED8-A47D-DF57F9533F59}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS4\Services\Tcpip\..\{1E6883D9-EB1E-4D48-85D0-421B74296264}: NameServer = 85.255.114.55,85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21

then close all other windows, except for hijackthis, and click fix checked
close hijackthis



Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
Ewido will now begin the scanning process, be patient this may take a little time.
Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close ewido.


reboot into normal mode
rescan with hijackthis, and post its report and the ewido report here

the ewido report may be large, so use several posts if necessary to include everything in it

good luck

DarkStar
2006-08-28, 23:46
Here are the logs.

Also, this may throw off the reports but, when I was installing ewido, AVG brought up several warnings and quartined five or six of the files that were in C:\windows\system32 (the ones with names that look like file hashes)

Thanks.

HijackThis! report 3:

Logfile of HijackThis v1.99.1
Scan saved at 4:39:57 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Programs\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Programs\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Programs\Ahead\InCD\InCD.exe
D:\Programs\D4\D4.exe
D:\Programs\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Programs\ewido anti-spyware 4.0\ewido.exe
D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
D:\Programs\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\downloads\Utiletys\Security\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programs\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [InCD] D:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] D:\Programs\D4\D4.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "D:\Programs\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [WinColorReminder] D:\Programs\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
O4 - HKCU\..\Run: [TClockEx] D:\Programs\TClockEx\TCLOCKEX.EXE
O4 - Startup: HotSync Manager.lnk = D:\Programs\palmOne\HOTSYNC.EXE
O4 - Global Startup: MonacoGamma.lnk = D:\Programs\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.phaseone.com
O15 - Trusted Zone: http://download.windowsupdate.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - D:\Programs\DirMS\DirmsService.exe
O23 - Service: DM1Service - Unknown owner - D:\Programs\Olympus\DeviceDetector\DM1Service.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Programs\ewido anti-spyware 4.0\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - D:\Programs\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Programs\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


ewido report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:35:49 PM 8/28/2006

+ Scan result:



HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{548D800A-2412-4A3F-A133-6602F210C581}.exe -> Adware.Msnagent : Cleaned with backup (quarantined).
D:\downloads\Network\Gaim\MessenPass\mspass.exe -> Not-A-Virus.PSWTool.Win32.Messen.106 : Cleaned with backup (quarantined).
D:\downloads\Network\Gaim\MessenPass\mspass.zip/mspass.exe -> Not-A-Virus.PSWTool.Win32.Messen.106 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0D80F5DD-91CC-4552-8B84-0297380485B9}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end

illukka
2006-08-29, 07:45
hi


show system and hidden files by doing the following:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

rehide them once we're finished, just reverse the instructions above

reboot into safe mode:

locate and delete the following files if still there:
C:\WINDOWS\System32\CSJIF.EXE
C:\WINDOWS\System32\{F47A17FB-BC20-4311-B552-6ECA68DEEE3A}.exe
C:\WINDOWS\System32\{701F070F-6418-4BB0-8CE1-7253A65DF012}.exe
C:\WINDOWS\System32\{FD3E643D-B51C-4FEE-8B8A-DE50121E5968}.exe
C:\WINDOWS\System32\{0D80F5DD-91CC-4552-8B84-0297380485B9}.exe
C:\WINDOWS\System32\{78261DD9-6D3C-44E9-BFC4-4A7D740B494E}.exe
C:\WINDOWS\System32\{68D51683-057B-4F85-A268-F28D9A2A01BA}.exe
C:\WINDOWS\System32\{73651179-B96C-47F3-8977-70C47026D0E3}.exe
C:\WINDOWS\System32\{70F7CF59-602E-48E6-8543-93779B481947}.exe
C:\WINDOWS\System32\{E3DADAA4-FE36-4B87-A956-0FAB8F146CFC}.exe
C:\WINDOWS\System32\{0F371519-9F25-4BE4-90B1-5668FD9B6A39}.exe
C:\WINDOWS\System32\{1757FC10-63F7-4326-92FC-AE352F4968E0}.exe
C:\WINDOWS\System32\{280C36CF-9528-4326-A815-B52EEE6BB18D}.exe
C:\WINDOWS\System32\{0F3306D9-5B59-44C5-8910-27EBF408BC70}.exe
C:\WINDOWS\System32\{7CEEBB45-07F9-43CA-B210-AF1AA5189A9C}.exe
C:\WINDOWS\System32\{5D261FF5-6386-496F-807F-58EA26C38179}.exe
C:\WINDOWS\System32\{80543042-9721-46D3-900A-92402D9A2AC2}.exe
C:\WINDOWS\System32\{46B58BBA-1A4C-4E09-8430-258C046B5E8E}.exe
C:\WINDOWS\System32\{96DBE23E-061B-48AF-A71F-F05F796810AC}.exe
C:\WINDOWS\System32\{8D73DB39-12EF-4BD8-9D6B-99C3A17B2490}.exe
C:\WINDOWS\System32\{45412DCE-62EE-4E29-BBEB-069F080BC7A4}.exe
C:\WINDOWS\System32\{6196054F-B5C9-402D-B08B-49A21527A01F}.exe
C:\WINDOWS\System32\{10C8BAE1-006F-4EEF-A3E3-EEECFA6C2AEC}.exe
C:\WINDOWS\System32\{548D800A-2412-4A3F-A133-6602F210C581}.exe
C:\WINDOWS\System32\{35367F14-B011-4F95-B47E-19F594B157DE}.exe
C:\WINDOWS\System32\{A41E1C4E-FBEE-4214-BF43-67309A636F1B}.exe
C:\WINDOWS\System32\{A16C45EA-F6F2-4315-92D7-CE473C2E3F3E}.exe
C:\WINDOWS\System32\{34BAC126-7CB0-48D1-B9CC-D75BAD1E55A1}.exe

are there still problems ?

DarkStar
2006-08-29, 21:52
Thank you, it is working fine now.

I tried uploading csjif.exe to www.virustotal.com and having them scan it. 15 of the programs found somthing, 12 did not. That might, however, be due to the fact that it was an adware problem and not a virus.

I will have to put those new scanning programs on my tools CD.

Thanks again.

illukka
2006-08-29, 22:50
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

also remember to keep your java updated, see this topic for instructions
http://forums.spybot.info/showpost.php?p=12880&postcount=2

DarkStar
2006-08-30, 05:40
That was what was so strange about this infection. My guess is that it came through the JVM, as that was the only program I did not update regulary (and I fould mulitaple trojans in the JRE cache when this started).

All the other programs you mentioned I already use (and recomend to others). I haven't used IE since Firefox (then Firebird) was in beta stage (0.8). IE is only used for windows update.

illukka
2006-08-30, 07:45
yep, several viruses utilize the vulnerabilities in outdated sun java versions.

tashi
2006-09-05, 02:41
As the problem appears to be resolved this topic has been archived. :cool:

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.