Help - Search - Members
Full Version: Infected - Carin
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
LeonB
Jul 2 2006, 10:16 AM
We've got a small network of 7 pc's and I think all of them are infected. Kaspersky showed numerous viruses and infections. I'm goiing to post logs under separate topics. Can someone please help !

Logfile of HijackThis v1.99.1
Scan saved at 12:14:13 PM, on 7/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Liesl.Louw\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{617D9EE1-1EB3-49B8-B8DD-4E8A459E2B13}: NameServer = 192.168.10.200,196.25.1.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
AndyManchesta
Jul 3 2006, 12:54 AM

This machine looks fine, see the comments in the other topics about having two AV's , this machine also has no Service Packs so needs upgrading as soon as possible.

If Kaspersky is detecting infections on this machine please post the report back.

LeonB
Jul 12 2006, 06:56 PM
Hi Andy,

Herwith the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 12, 2006 8:53:44 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/07/2006
Kaspersky Anti-Virus database records: 206920
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 47022
Number of viruses found: 5
Number of infected objects: 30 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:01:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-07-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5D50B6.tmp/transcript.htm .scr Infected: Email-Worm.Win32.Mydoom.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5D50B6.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1F5D50B6.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EB8055A.tmp/message.html .exe Infected: Email-Worm.Win32.Mydoom.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EB8055A.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EB8055A.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EE55127.tmp/message.htm .scr Infected: Email-Worm.Win32.Mydoom.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EE55127.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EE55127.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\Liesl.Louw\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/Deleted Items/15 Jun 2005 06:51 from webmaster@thepromo.co.za:WARNING MESSAGE:/important-details.zip/important-details.doc .pif Infected: Net-Worm.Win32.Mytob.bk skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/Deleted Items/15 Jun 2005 06:51 from webmaster@thepromo.co.za:WARNING MESSAGE:/important-details.zip Infected: Net-Worm.Win32.Mytob.bk skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items1/15 Jun 2005 07:11 to 'Leon Brynard':FW: WARNING MESSAGE: YOUR SE/important-details.zip/important-details.doc .pif Infected: Net-Worm.Win32.Mytob.bk skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items1/15 Jun 2005 07:11 to 'Leon Brynard':FW: WARNING MESSAGE: YOUR SE/important-details.zip Infected: Net-Worm.Win32.Mytob.bk skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 4 skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\History\History.IE5\MSHist012006071220060713\index.dat Object is locked skipped
C:\Documents and Settings\Liesl.Louw\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Liesl.Louw\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Liesl.Louw\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Flashget\fgf160.exe/WISE0017.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Flashget\fgf160.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Flashget\fgf160.exe WiseSFX: infected - 2 skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Remote Administrator 2.1\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Remote Administrator 2.1\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Remote Administrator 2.1\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Remote Administrator 2.1\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Leon_Backup\Write\cds vir oom leon\Leon\software\Remote Administrator 2.1\RADMIN21.EXE Gentee: infected - 4 skipped
C:\Leon_Backup\Write\Software\Nav2004\CRACK_Norton_Antivirus_2004_Activation_istruzioni\KEYGEN\keygen.exe Object is locked skipped
C:\Leon_Backup\Write\Software\Nav2004\Nav2004 Pro\KEYGEN\keygen.exe Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0148NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0719NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002391.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002391.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002391.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002391.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002391.EXE Gentee: infected - 4 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002531.exe/WISE0017.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002531.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP4\A0002531.exe WiseSFX: infected - 2 skipped
C:\System Volume Information\_restore{968E3815-5A74-4A40-BA1C-8774ECD1ED77}\RP76\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
AndyManchesta
Jul 12 2006, 07:55 PM
Hi Leon

No major problems there, its clear the Worm has been on the system as its in your email deleted items, sent items and Nortons Quarantine but there doesnt appear to be any active infection. The free version of Flashget is Ad-Supported which is why its showing a Cydoor infection so you may want to consider removing that from the system

Clear Nortons Quarantine as described Here and clear Outlooks Items especially any with attachments to remove the traces of the Worm
QUOTE
C:\Leon_Backup\Write\Software\Nav2004\CRACK_Norton_Antivirus_2004_Activation_istruzioni\KEYGEN\keygen.exe

Avoid using Cracked software as most malware comes from the sites that supply those files,


Use Ccleaner to remove Temp files from the system and then clear all the System restore points and start a fresh one.

To Reset the Restore Points.

Click Start Menu > All Programs > Accessories > System Tools > SystemRestore

Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'

Next goto Start Menu > Run > type

cleanmgr

click OK, when Disk Cleanup opens goto the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Please let us know if your still having any problems on the PC.

Thanks

Andy
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.