Help remove spyware

I have been searching for similar problems. It seems everyone who has the same problem has Vundo, and HijackThis picks it up. Maybe I got a special case, or we are overlooking things. I have been doing some research and I have something running on explorer.exe on port 1137. When I get popups, ports in the range of 1890-1950 open up and connect to ad servers on port 80.
 
Thanks for that feedback; we must work together if we want to be successful. I volunteer my time, but I start early in the AM, and after many logs and many hours I am usually worthless in the early afternoon. At issue is the fact that much had been done and many tools run before I ever got a look at a log. These multiple infections need to be removed in a certain order; if not, bits and pieces are left behind by the tools and it can be near to impossible to clean it all. This situation, if I might, is kind of like one mechanic tearing a car all apart and then asking another one to put it back together again and have it working like new. Having looked over the logs at the amount of infection that was on this computer, I would have suggested it be reformatted; unfortunately I did not see the computer before you started running fixes. If you have completed all instructions, look back over them to be sure, then I would like to start like this.

1) Remove any VundoFix you have on the computer and follow these instructions:
Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit
the files to Upload Malware: http://www.uploadmalware.com

Thanks
 
I ran vundofix and I am still coming up with nothing. Do you need me to upload anything?

VundoFix V6.3.18

Checking Java version...

Sun Java not detected
Scan started at 11:35:53 PM 3/31/2007

Listing files found while scanning....

No infected files were found.

Logfile of HijackThis v1.99.1
Scan saved at 11:45:16 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack\blitzo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
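An added example, not code from the thread or from HijackThis: a short Python script that applies to lines in the HijackThis log format above the first-pass checks a helper makes by hand. It flags O23 services whose binary is not on disk or whose owner is unknown (as with rpcapd in the log above), BHOs registered with no name (treating a nameless BHO loaded straight from system32, the Vundo pattern the poster described, as suspect), and O4 autoruns launched from outside the Windows and Program Files trees. The sample log is constructed from entries posted above plus two hypothetical lines to exercise the rules: an O2 entry for the awvts.dll the poster said he removed, with a placeholder CLSID, and an O4 entry named [updater] under the user profile.

```python
"""First-pass triage of a HijackThis 1.99.x log.

Added example, not code from the thread or from HijackThis. SAMPLE_HJT is constructed
from entries posted above plus two hypothetical lines that exercise the rules: an O2
entry for awvts.dll (the Vundo DLL the poster removed; the CLSID is a placeholder) and
an O4 [updater] autorun under the user profile. The rules are the checks a helper
applies by hand, not a malware signature.
"""
import re
from dataclasses import dataclass

SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\awvts.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\jk\Application Data\updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# An absolute path (drive letter or %VAR% root) up to the first executable extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|sys))', re.IGNORECASE)
# Where O4 autoruns normally live; HJT prints 8.3 short names too, so list both forms.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str      # O2, O4, O23 ...
    severity: str     # "review" (look at it) or "suspect" (act on it)
    reasons: list
    path: str
    line: str


def triage(log: str) -> list:
    """Return one Finding per HJT entry that trips at least one rule."""
    findings = []
    for raw in log.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m:
            continue                      # header, "Running processes", blanks
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else ""
        low = path.lower()
        reasons, severity = [], "review"
        if "(file missing)" in body:
            reasons.append("binary not on disk (file missing)")
            severity = "suspect"
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service has no vendor string")
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
            if low.startswith(SYSTEM32):
                reasons.append("nameless BHO loaded straight from system32 (Vundo pattern)")
                severity = "suspect"
        if section == "O4" and path and not low.startswith(TRUSTED_ROOTS):
            reasons.append("autorun outside Windows/Program Files")
            severity = "suspect"
        if reasons:
            findings.append(Finding(section, severity, reasons, path, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.severity:7} {f.section:4} {f.path}\n        {'; '.join(f.reasons)}")
```

Run it against the sample and four of the eight entries come back: the two nameless BHOs (only the system32 one as suspect), the profile-directory autorun, and the rpcapd service with both the missing binary and the unknown owner. The named Adobe BHO, the ATI service and the autoruns under Windows and Program Files are left alone, which is the point: the script narrows the log to what needs a human look, it does not decide what is malware.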
 
Thanks for returning this information. If you would like to be heard about these hackers who have invaded your personal space, you can do that here:
http://www.malwarecomplaints.info/

I note that you do not appear to be running Sun Java, originally you said this:
I had things like schmidt-c and virtumonde
<<< did you have issues removing Vundo at that time without Java?

If this VundoFix report is correct without Sun Java running, and since we checked for Smitfraud (none was present) and also scanned for a possible rootkit with BlackLight, which showed nothing (we may need a deeper scan to be sure), we seem to have ruled out the two items you mentioned to start. Do you remember anything about symptoms from the original infection that might point us in a direction?
C:\WINDOWS\system32\awvts.dll <<< with all files and folders enabled, do a search for that file. I can't see where it was deleted by VundoFix. Let me know about this.
C:\WINDOWS\system32\ddcya.dll <<< I am not sure if SDFix was run after Vundo, but search for that file also. Make sure all files and folders are enabled or you will not find them even if they are there:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Question: Have you run Combofix? If not, do not search for it and run it. We may later, it is a multipurpose tool that may help us.

C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe <<< I am interested in what your firewall is telling you. I use ZoneAlarm Free and no program can access the internet without either approval or prior approval from me. Does your firewall not block internet access from programs you have not allowed access?

What I would appreciate would be if you will do this:

1) Update the program and run AVG Anti-Spyware, delete or quarantine anything it finds and post the scan report.

2) Thanks to miekiemoes for the canned:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found:
    [image: check.gif]
  • If so, click it, then click the icon right below it and select Move incurable, as shown in the next image:
    [image: move.gif]

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Restart, then post those two reports, any information I requested, and any comments you think will help.

Thanks
 
info

To answer some of your questions, I did not really have trouble getting rid of the spyware. I did some research, grabbed some tools and went to work. Those two files you mention (awvts.dll, ddcya.dll) I had to manually remove in the Recovery Console, along with a third file. As for ComboFix, I believe I ran it but it did not come up with anything; I ran this towards the end of my progress.

I installed a firewall after I fixed my machine. It is Outpost; I have everything locked up now. I have logs and I will provide some samples to you.

EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1141
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1140
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1139
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1138
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1137
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1136
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1133
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1132
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1131
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1130
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1129
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1128
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1125
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1124
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1123
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1122
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1121
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1120
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1117
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1116
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1115
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1114
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1113
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1112
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1111
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP KPOP
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1108
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1107
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1106
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1105
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1104
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1103
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1102

When I start my computer, explorer.exe wants to make connections like those to those same addresses. Those ports are local, and it wants to connect on port 80 of the remote addresses. If I let it make the connections, you can see it forwards to some kind of ad server, then I get my popups.

I ran AVG Anti-Spyware and came up clean; Dr.Web CureIt came up with some interesting things.
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:37:10 PM 4/1/2007

+ Scan result:

Nothing found.

::Report end

backup-20070322-115430-895.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
backup-20070322-115501-651.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
backup-20070322-120027-284.dll;C:\hijack\backups;Trojan.Virtumod;Deleted.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;Deleted.;
A0000097.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.Prockill;Deleted.;
A0000117.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.Prockill;Deleted.;
A0000119.exe;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP1;Tool.ShutDown.11;Deleted.;
A0000227.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
A0000228.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
A0000229.dll;C:\System Volume Information\_restore{5BFBE975-3637-447B-A6D2-4F4A79B60E1F}\RP3;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
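An added example, not code from the thread or from Outpost: a Python script that reads lines in the layout of the blocked-connection log above and does by program what the poster did by eye. It groups the blocked connections by process, checks that the local ports fall in Windows XP's client (ephemeral) range of 1025-5000, which is what makes the run of sequential ports outbound connections opened by explorer.exe rather than anything listening, flags the hyphen-stuffed hostnames and the generic reverse-DNS placeholder, and marks a shell process talking out on its own as the place to look for an injected module. The sample lines are constructed from the entries posted; the FIREFOX.EXE line is hypothetical, added as a clean control, and the hostname rules are review heuristics, not a blocklist.

```python
"""Group blocked outbound connections by process and flag what a reviewer would question.

Added example, not code from the thread or from Outpost. SAMPLE_FW_LOG is constructed in
the column layout of the blocked-connection lines posted above: process, remote host, a
column the export left as n/a, rule, protocol, local port (or a service name such as
KPOP). The FIREFOX.EXE line is hypothetical, a clean control. Hostname rules are heuristics.
"""
from collections import defaultdict

SAMPLE_FW_LOG = """\
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP 1141
EXPLORER.EXE unknown.Level3.net n/a Unknown TCP 1139
EXPLORER.EXE www.in-t-e-r-n-e-t.com n/a Unknown TCP 1137
EXPLORER.EXE www.i-n-te-r-n-e-t.com n/a Unknown TCP KPOP
FIREFOX.EXE www.example.com n/a Unknown TCP 1150
"""

# Service names the firewall substitutes for well-known ports; KPOP (Kerberos POP) is 1109.
SERVICE_PORTS = {"KPOP": 1109}
# Windows XP assigns client sockets local ports 1025-5000, so a run of these means the
# process is opening outbound connections, not listening.
XP_EPHEMERAL = range(1025, 5001)
# Processes that have no business fetching ad pages on their own.
SHELL_PROCESSES = {"explorer.exe"}


def parse(log):
    """Return (process, host, proto, local_port) for each well-formed line."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proc, host, _na, _rule, proto, port = parts
        lport = int(port) if port.isdigit() else SERVICE_PORTS.get(port.upper())
        if lport is not None:
            rows.append((proc.lower(), host.lower(), proto, lport))
    return rows


def host_reasons(host):
    """Heuristics applied to a remote name before looking it up."""
    reasons = []
    labels = host.split(".")
    if len(labels) >= 2:
        label = labels[-2]                 # registrable label, e.g. in-t-e-r-n-e-t
        parts = label.split("-")
        # A word chopped into single letters with hyphens: squatting/evasion style.
        if label.count("-") >= 3 and sum(len(p) == 1 for p in parts) >= len(parts) // 2:
            reasons.append("hyphen-obfuscated domain name")
    if labels[0] == "unknown":
        # Generic carrier reverse-DNS; the name identifies the network, not the site.
        reasons.append("generic rDNS placeholder, look up the IP instead")
    return reasons


def triage(log):
    """Per process: count, distinct hosts, flagged hosts, port-range and shell checks."""
    report = defaultdict(lambda: {"connections": 0, "hosts": set(), "flagged": {},
                                  "all_ephemeral": True, "shell_process": False})
    for proc, host, _proto, lport in parse(log):
        e = report[proc]
        e["connections"] += 1
        e["hosts"].add(host)
        e["shell_process"] = proc in SHELL_PROCESSES
        if lport not in XP_EPHEMERAL:
            e["all_ephemeral"] = False
        reasons = host_reasons(host)
        if reasons:
            e["flagged"][host] = reasons
    return dict(report)


if __name__ == "__main__":
    for proc, e in triage(SAMPLE_FW_LOG).items():
        kind = "outbound client connections" if e["all_ephemeral"] else "non-ephemeral port seen"
        tag = " <-- shell process talking out: look for an injected module" if e["shell_process"] else ""
        print(f"{proc}: {e['connections']} blocked, {len(e['hosts'])} hosts, {kind}{tag}")
        for host, why in e["flagged"].items():
            print(f"    {host}: {'; '.join(why)}")
```

On the sample, explorer.exe shows four blocked connections to three hosts, all from ephemeral local ports and all three hosts flagged, while the Firefox control comes back clean. The report tells you where to look (the module loaded into explorer.exe) but not what it is; that still takes a tool that lists loaded DLLs and drivers, which is what eventually turned up the core.sys driver later in this thread.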
 
Thanks for the feedback. Keep in mind that I have no knowledge of the firewall you are running, so the log you provided means nothing to me. Perhaps you should discuss the log with technical support at Outpost?

AVG Anti-Spyware - Scan Report Created at: 1:37:10 PM 4/1/2007

C:\hijack\backups <<< these are probably HJT backups, which cannot get back onto the computer unless you restore them. I would clean the backups after a few days.

C:\System Volume Information\_restore <<< System Restore. If you have not done so already, these instructions will purge those files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Oops sorry, looks like the bottom report was DrWeb, same thing applies.

Thanks
 
I just wanted to share the firewall log with you. I understand the log, so if you need something more specific let me know. What I posted are blocked outgoing connections from explorer.exe; that's where my popups are coming from. Something is opening those local ports and trying to contact those remote addresses.


I reset system restore again. Do you have anything else to try?
 
Is there no way to look at the logs from the firewall to tell what program is originating internet access?

You may be able to locate freeware that will help you track where these are originating on your computer.
http://www.google.com/search?hl=en&q=freeware+to+track+outgoing+internet+activity&btnG=Search

Here is another freeware rootkit tool you can try.
Click here to download AVG Anti Rootkit and save it to your desktop.
http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.


You can also give this tool a try to see if it shows anything:
http://www.emsisoft.com/en/software/free/

Thanks
 
The program originating the internet access is explorer.exe; there is something attached to explorer that is opening the port.

AVG Anti-Rootkit came up with nothing.

a-squared came up with this:


C:\WINDOWS\voiceip.dll detected: Trace.File.2ndThought
C:\Documents and Settings\jk\Cookies\jk@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\jk\Application Data\Mozilla\Firefox\Profiles\3o953v6q.default\cookies.txt:44 detected: Trace.TrackingCookie
C:\spy\SDFix.zip/SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\system32\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
 
I got it

I GOT IT!!!!


I was browsing through my files and doing research and I saw something that didn't look right. I am not sure what it is, but it was causing explorer.exe to open the ports. It was a file named core.sys and a file core.cache.dsk. I removed them and everything is fine now. I did make backup copies of these files before I deleted them. I am sure you can take a copy of them or tell me what to do so we can prevent this happening to other users. Thank you!!
 
In case I did not post them, here are links you can save if you need to scan a file to find out what it is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\voiceip.dll detected: Trace.File.2ndThought <<< I suggest you scan that file and delete it if it is bad.

two cookies: http://www.mvps.org/winhelp2002/cookies.htm

C:\spy\SDFix.zip/SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\WINDOWS\system32\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
Left from SDFix and Smitfraud; delete the highlighted folder.

That's great, we had some really long scans coming up with little hope of finding anything.

core.sys: http://www.google.com/search?hl=en&q=core.sys+&btnG=Search
core.cache.dsk: http://www.google.com/search?hl=en&q=core.cache.dsk+&btnG=Search

Experts would love to get hold of those files to see what they are. Please follow the instructions here:
http://www.bleepingcomputer.com/submit-malware.php (you can mention my name, Phil Skelley,
and link them here: http://forums.spybot.info/member.php?u=233). I would appreciate it, if possible, that you retain those until we hear from BleepingComputer in case Grinler needs them attached or sent elsewhere.

I would remove all the tools we downloaded during the fix. If we did not use ATF-Cleaner, you might like that nice small tool:
http://forums.security-central.us/showthread.php?t=1925

If we recently cleaned the System Restore files, then cleaning them again is optional:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
I finished cleaning up my computer. I also sent those files off to BleepingComputer. I gave them some details and asked to be kept informed.
 
Glad we could help. :) This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
 