malware assistance needed



crazyhazey33
2006-12-02, 21:45
Statistics
Time: 00:47:42
Files: 293602
Folders: 5461
Boot Sectors: 2
Archives: 1520
Packed Files: 20413

Results
Identified Viruses: 4
Infected Files: 14
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 9

Engines Info
Virus Definitions: 324025
Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes



Scanned File / Status

C:\Documents and Settings\John\.housecall6.6\Quarantine\xxfgmy.dll.bac_a01536=>(Quarantine-4)
    Infected with: Trojan.Spywarestrike.Dldr.B
    Disinfection failed
    Deleted

C:\Documents and Settings\John\Local Settings\Temp\laf3E.tmp
    Infected with: Trojan.Stration.A
    Disinfection failed
    Deleted

C:\Program Files (x86)\Video ActiveX Object\iesplugin.dll
    Infected with: Trojan.Downloader.Zlob.LG
    Disinfection failed
    Delete failed

C:\Program Files (x86)\Video ActiveX Object\iesuninst.exe
    Infected with: Trojan.Downloader.Zlob.LG
    Disinfection failed
    Deleted

C:\Program Files (x86)\Video ActiveX Object\isaddon.dll
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Delete failed

C:\Program Files (x86)\Video ActiveX Object\isamini.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Delete failed

C:\Program Files (x86)\Video ActiveX Object\isamonitor.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Delete failed

C:\Program Files (x86)\Video ActiveX Object\pmmon.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Delete failed

C:\Program Files (x86)\Video ActiveX Object\pmsngr.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Delete failed

C:\System Volume Information\_restore{7BA87A65-0A76-42B2-8A7F-EE99B5B60468}\RP123\A0025053.dll
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{7BA87A65-0A76-42B2-8A7F-EE99B5B60468}\RP123\A0025054.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{7BA87A65-0A76-42B2-8A7F-EE99B5B60468}\RP123\A0025055.exe
    Infected with: Trojan.Downloader.Zlob.LA
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{7BA87A65-0A76-42B2-8A7F-EE99B5B60468}\RP123\A0025059.dll
    Infected with: Trojan.Spywarestrike.Dldr.B
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{7BA87A65-0A76-42B2-8A7F-EE99B5B60468}\RP123\A0025060.exe
    Infected with: Trojan.Downloader.Zlob.LG
    Disinfection failed
    Deleted

crazyhazey33
2006-12-02, 21:46
Logfile of HijackThis v1.99.1
Scan saved at 2:42:50 PM, on 12/2/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files (x86)\Video ActiveX Object\pmsngr.exe
C:\Program Files (x86)\Video ActiveX Object\isamonitor.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files (x86)\Video ActiveX Object\pmmon.exe
C:\Program Files (x86)\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files (x86)\QuickTime\qttask.exe
C:\Program Files (x86)\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files (x86)\Video ActiveX Object\isamini.exe
C:\Program Files (x86)\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files (x86)\Microsoft Works\WkDStore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by127fd.bay127.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=00000000%2d0000%2d0000%2d0000%2d000000000001&a=937f83c79e8e8fa7f625045bfb8cc6fb44393ae319481334357f5ebb7078a10d&fti=yes
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Program Files (x86)\Video ActiveX Object\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar2.dll
O3 - Toolbar: Protection Bar - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - C:\Program Files (x86)\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files (x86)\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Virus-Bursters] "C:\Program Files (x86)\Virus-Bursters\virus-bursters.exe" /h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - C:\WINDOWS\SysWow64\xxfgmy.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

shelf life
2006-12-02, 23:37
hi crazyhazey33,

Read through this sticky, download what you need (smitfraud and avg). To run the clean option in smitfraud it's best to be in safe mode, so I would copy/paste the part to do in safe mode into notepad and save it somewhere so you can read it in safe mode. The sticky will make all of this clear.
Post back the smitfraud fix logs, a new hjt log, and the saved avg log.

the sticky:
http://forums.spybot.info/showthread.php?t=4015

crazyhazey33
2006-12-03, 18:49
Hi. I can't download the AVG 7.5 software. I've got 64 bit Windows XP and it's only compatible with 32 bit versions. Is there an alternative software I should use, or a different way to do it? Thanks

shelf life
2006-12-04, 03:07
hi crazyhazey33,

try this in place of avg:
http://www.superantispyware.com/

or this:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

What about smitfraud? If it's compatible with X64, go ahead and go through the "fix". Skip the avg part.

shelf life

LonnyRJones
2006-12-11, 11:53
Due to lack of responses this thread is closed.
If you still need assistance a new log will be needed; send me or Tashi a PM (personal message) and we will re-open it.