PDA

View Full Version : Smitfraud.C.Toolbox888 NOT removable by Spybot



schorsch
2006-11-08, 17:33
Hello there,

I just yesterday got some mean trojans on my notebook.
Thanks to Sophos, AVG Anti-Spyware and Spybot I was able to remove most of that crap BUT:

There is a process (vturspp.dll) still running on my notebook that spybot identifies as "Smitfraud.C.Toolbox888" and that seems to try to connect to internet (probably to download new crap ..)

v

schorsch
2006-11-08, 19:11
Sorry, hit ENTER unintentionally at the wrong time in unfamiliar browser (Firefox) and hence the previous post was generated too early ....


Again:

Just to clarify: I will probably give my system a fresh reinstall and I'm NOT posting here because I would desperately need help.
I'm rather posting here because I hope it might be interesting for other users or some of the Spybot developers to track down the problems I'm facing right now.
(And a little bit because that dude just fools my effords to fight it - and hence it's more a question of sportsmanship that I realy would like to solve with elegance more than brute force by smacking that little ........ (by mounting the disk to another PC ...) )

The process (vturspp.dll) that is still running on my notebook and is identified by spybot as part of Smitfraud.C.Toolbox888.
It runs under the winlogon process and resists ANY attempts to delete it.
It seems to PROTECTS ITSELF against any removal by Spybot, HijackThis, Killbox or manuall removal attempts in the registry.

I quarantined the Notebook from the Internet and it seem not to be able to spread further but it constantly tries to open network connections as revealed by the IE "work offline" dialog.
I could just dismantle the harddisk and probably delete that file and hence the problem by attaching the harddisk to a different PC or just by reinstalling a clean system.

What I am concerned about is the powerfull way that this dll resists against multiple removal tools:
(Windows system recovery is DISABLED! It really looks like the dll is constantly monitoring it's registry entries and it's file to protect itself against deletion and even fights against Killbox routines.)

1. The vturspp.dll resides in WINDOWS\system32\ as hidden system file
2. It's referenced at three positions in the registry
a) HKEY_CLASSES_ROOT\CLSID\{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}\InprocServer32 vturspp.dll
b) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}\InprocServer32 vturspp.dll
c) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vturspp vturspp.dll

3. Sysinternals Process Explorer shows that it's loaded by the processes
winlogon.exe (PID 256) as DLL and as File Handle
explorer.exe (PID 1028) as DLL

4. Spybot finds it at c) (it DOESN'T show the other two entries. Intentionally?)
Spybot 1.4 (with latest updates) just claims to "remove" the problem - with absolutely NO effect (!). THAT'S A SET-BACK !!!
Spybot 1.3 (with latest updates) at least identified it but than realised that it CANNOT delete it and AT LEAST TRIED to remove it with the next boot process - to no avail but anyway STILL BETTER than Version 1.4 is doing!!!

5. HijackThis finds
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\vturspp.dll
O20 - Winlogon Notify: vturspp - C:\WINDOWS\SYSTEM32\vturspp.dll
but can' fix it either.

6. I tried to use Killbox to delete the C:\WINDOWS\SYSTEM32\vturspp.dll BUT
just deleting it is not working. AND trying to delete or replace it "on reboot" results in an system warning
"PendingFileRenameOperations Registry Data has been Removed by External Process" :oops:
with subsequent cancelling of reboot.

7. Trying to delete or rename the registry-entries manually results in immediate re-registering of the original entry in the registry.

Using protected mode doesn't make a difference at all (becaus winlogon is running at that time already anyway!)

It looks like vturspp.dll is loaded under the shield of winlogon and monitors any attempts to alter its registry entries or attempts to remove its dll and even actively fights tools like killbox.

Any IDEAS how to track down and get rid of that little b.......?
Or wether that dll might be protected by any other malicious programs?

Running Sophos AV and AVG Anti-Spyware (with latest signature-files) doesn't show any further threads and Spybot ONLY finds that vicious dll identified as (remain) of Smitfraud.C.Toolbox888

Best regards

Uwe


=====================================================

Complete Hijack-Log:


Logfile of HijackThis v1.99.1
Scan saved at 14:57:44, on 08.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Uwe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\vturspp.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.isiknowledge.com
O15 - Trusted Zone: *.ni.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105103357637
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\Software\..\Telephony: DomainName = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFC4EE0-1BF8-43A2-9A66-E0CA9FF80B7D}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: vturspp - C:\WINDOWS\SYSTEM32\vturspp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Programme\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-09, 14:05
Hi schorsch and welcome to Safer Networking Forums :)

You got some infections there...

I read that you have tried to clean it, the infection won't die with traditional methods (as you propably noticed ;) )

Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log. (take the HijackThis log from normal mode, NOT from safe mode)

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

schorsch
2006-11-09, 15:00
Hi JAk3, Thanks for the ride! :red:

Meanwhile due to other postings I alsy tried SmitfraudFix - write about that at the end of the posting ;)

I tried Vundo and it says:

----------------------------------------------

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 13:24:18 09.11.2006

Listing files found while scanning....

C:\WINDOWS\system32\dmxvrgg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dmxvrgg.dll
C:\WINDOWS\system32\dmxvrgg.dll Has been deleted!

Performing Repairs to the registry.
Done!

=======================================


the new HijackThis log for the complete system (after Vundo) is:

---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 13:30:43, on 09.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programme\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\Programme\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\tp4serv.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Sophos\AutoUpdate\ALMon.exe
C:\Programme\IBM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Uwe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\vturspp.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105103357637
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\Software\..\Telephony: DomainName = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFC4EE0-1BF8-43A2-9A66-E0CA9FF80B7D}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: vturspp - C:\WINDOWS\SYSTEM32\vturspp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Programme\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

=========================================


Due to some suggestions in other more recent posted threads I also tried to apply SmitfraudFix and afterwards again Killbox to get rid of the vturspp.dll that Spybot identified - with only minor success:

SmitFraudFix found an infected file and removed it:

search log:------------------------------------------

SmitFraudFix v2.119

Scan done at 10:33:53,83, 09.11.2006
Run from C:\Dokumente und Einstellungen\Uwe\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ismini.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Uwe


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Uwe\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


clear log:------------------------------------------------

SmitFraudFix v2.119

Scan done at 10:41:49,79, 09.11.2006
Run from C:\Dokumente und Einstellungen\Uwe\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ismini.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


=======================================


Unfortunately applying Killbox AFTER SmitfraudFix (as suggested in a different thread for another user) didn't change anything.

Killbox still can't delete WINDOWS\system32\vturspp.dll as described before and its attempts to delet it on reboot are prevented by an "external process" as written in the first time.

THANKS FOR THE HELP! :D:

Mr_JAk3
2006-11-09, 21:01
Hi again :)

I know that you want to get yourself cleaned but please don't do things of your own. That can make things difficult for us :)

Before we'll continue I would like you to do something for me...
I need you too upload few malware files for further inspection.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the 1. field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\vturspp.dll

In the comments, please mention that I asked you to upload this file
Click on Send File
Please let me know when you have done this and then we'll get you cleaned :waytogo:

schorsch
2006-11-10, 13:11
I know that you want to get yourself cleaned but please don't do things of your own.

Hi JAk3,
yip, sorry - I know. But I already did that before you stepped in and I was sure do get help especially for me :wub:
So from now on I will not do anything on my own without prior consultation! Scout's honour!



I need you too upload C:\WINDOWS\system32\vturspp.dll for further inspection.


I just post to let you know that I'm not at the university today :coffee: and don't have access to the infected Notebook right now.

I'll probably get there during the weekend and post (and maybe send PM) as soon as I uploaded that file.
Hope I have some really frightening new stuff there :spider:

Have a nice weekend!

Mr_JAk3
2006-11-10, 21:22
Ok you too have a great weekend :)

I'll give you the following step too but I really hope that you upload the file BEFORE this :bigthumb:

Run VundoFix again:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\vturspp.dll
C:\WINDOWS\system32\ppsrutv.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

schorsch
2006-11-13, 11:09
Hi there!

Sorry I did'nt make it earlier to upload the file - just did it a few minutes ago!
(I still have a copy - just in case :rolleyes: )

removing the file vturspp.dll manually through VundoFix worked fine. :bigthumb:
The only thing that bothers me is that HijackThis now reports other Files missing as well - mainly Sophos AV related ones probably.

Any idea what happened?

btw: Thanks for the fine work! :crowned:



VundoFix-Log:----------------------------------------------------

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 09:26:14 13.11.2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\vturspp.dll
C:\WINDOWS\system32\vturspp.dll Has been deleted!

Performing Repairs to the registry.
Done!

HijackThis-Log-----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:33:20, on 13.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programme\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\Programme\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\tp4serv.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Sophos\AutoUpdate\ALMon.exe
C:\Programme\IBM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Uwe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\vturspp.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105103357637
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\Software\..\Telephony: DomainName = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFC4EE0-1BF8-43A2-9A66-E0CA9FF80B7D}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Programme\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-13, 15:41
Hi again, thanks for the upload :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\vturspp.dll (file missing)


Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log

schorsch
2006-11-13, 19:47
O.k. Used ATF-Cleaner and afterwards latest AVG-Scan.

AVG found some minor "No-Virus.Hoax" stuff ( :scratch: where does that come from now?!?), but apart from that, the system behaves "good":

I've been connected to the Internet first time after infection and I cannot see any sign of further unwanted "activity" on the system .... :wink::

Latest Scan-Logs:


AVG: (german log!)------------------------------------


---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 17:28:12 13.11.2006

+ Scan-Ergebnis: (scan result)



C:\WINDOWS\system32\drvvex.dll -> Not-A-Virus.Hoax.Win32.Renos.ge : Mit Backup gesäubert (unter Quarantäne gestellt).
(something like: "removed with backup (quarantined)")

::Berichtende (end of log)


HijackThis-------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 18:31:00, on 13.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programme\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\Programme\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\tp4serv.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Sophos\AutoUpdate\ALMon.exe
C:\Programme\IBM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Dokumente und Einstellungen\Uwe\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ThinkPad-Software - Aktualisierung - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programme\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105103357637
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://labview.ni.demoservers.com/proxy/srdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\Software\..\Telephony: DomainName = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFC4EE0-1BF8-43A2-9A66-E0CA9FF80B7D}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ACC4C1B-EEA1-4303-B55D-6BB0D5A19771}: NameServer = 134.99.128.2,134.99.128.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fkphy.uni-duesseldorf.de
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Programme\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Programme\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-13, 22:00
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

schorsch
2006-11-15, 11:52
Hail Dear JAk3 ! :bow:

I'll keep an eye close on my system next time :blink: to monitor it's behaviour (I'm still not trusting it completely :fear: ).

It was an very interesting experience to struggle with that nasty piece of program and to learn about how these things drill themselfes into the system. :sick:


Thanks again for the help! :flowers:

Best regards!

Mr_JAk3
2006-11-15, 12:00
You're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: