21-Dec-2004, 09:05 PM  #1
Java/ByteVerify virus - please help

I've been attacked recently by a couple of different viruses. I've tried downloading and running hjt 1.99 but it stops running and shuts down each time I try it. Each time I run AVG it shows these three files as infected and doesn't do anything with them:

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CDEN4TUZ\classload[1].jar:\GetAccess.class - Virus identified Java/ByteVerify - Infected, Embedded object
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CDEN4TUZ\classload[1].jar:\InsecureClassLoader.class - Virus identified Java/ByteVerify - Infected, Embedded object
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CDEN4TUZ\classload[1].jar:\Installer.class - Virus identified Java/ByteVerify - Infected, Embedded object

AVG has also moved the following into the virus vault, but could not heal them. What do I do with them? I've listed the virus names first then the paths below. Each time I start the internet, more are added to the vault. AVG's Resident Shield pops up and asks me to heal 3 viruses each time, then I think they are put into the vault.
Thank you for your advice.

21-Dec-2004, 09:21 PM  #2
Do you have Sun's Java, or Microsoft's Java VM? If you have Sun's, go to Control Panel, click on Java, click Cache and Clear. If you have Microsoft's, uninstall it and download Sun's Java.
http://www.helpwithwindows.com/WindowsXP/howto-21.html
http://java.com/en/download/help/cache_virus.jsp
This is the download page for Sun's Java: http://java.com/en/download/manual.jsp
khaz

22-Dec-2004, 02:04 AM  #4
Okay, I removed Microsoft's Java VM and downloaded and installed Sun's Java. I ran AVG and it found no viruses. I reconnected to the Internet and AVG Resident Shield pops up with Trojan Horse Downloader.Agent.5.K or Downloader.Agent.5.L. I click to "heal" and it says that it heals, but then I notice it was added into my virus vault? Is there anything I can do with all the files in my virus vault? Thanks for the help.

22-Dec-2004, 07:03 AM  #6
Hi, it sounds like you have a lot more going on there. If you can't run HijackThis it's indicative of this pest, ms4hd. Try and see if you can get an older version, like 1.98.2, which was the version last week; it's crashing the 1.99 version. {NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it. For such cases, use HijackThis 1.98.2} from the website http://www.merijn.org

Note: Anyone running Windows XP and ME should turn off System Restore to avoid reinfection while deletion of spyware, viruses etc. is being enacted by Spybot Search and Destroy and Ad-Aware etc.!

Go to this site and download these tools, and once you get both Ad-Aware and Spybot, update both of them. Set Ad-Aware to deep scan and delete everything Ad-Aware finds, and delete what Spybot finds marked in red. With CWShredder, close all browsers and programmes and select the fix button. Save HijackThis to its own folder, click scan, then save the log and post it here so we can take a look at it for you.
HijackThis, CWShredder, Spybot Search and Destroy, Ad-Aware: http://www.majorgeeks.com/downloads31.html

Run an online antivirus check from at least one and preferably 2 of the following sites....
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
Make sure autoclean is enabled on the scans.
khaz
Last edited by khazars; 22-Dec-2004 at 07:04 AM.. Reason: more info

23-Dec-2004, 03:41 AM  #7
Okay, I've completed everything listed in your previous posting. Here are the results of the two virus scans I ran. My hjt log is also included below.

Active scan result:
Incident / Status / Location
Virus:W32/Sober.I.worm / No disinfected / C:\WINDOWS\SYSTEM32\clonzips.ssc

RAV scan result:
C:\WINDOWS\twunk_16.exe->ADS:xibui - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\SYSTEM32\ddzwi.dll - TrojanDownloader:Win32/WinShow.AK -> Suspicious
Scanned
============================
Objects: 61143
Directories: 3725
Archives: 11977
Size(Kb): -117894
Infected files: 0
Found
============================
Viruses found: 0
Suspicious files: 2
Disinfected files: 0
Mail files: 224

Logfile of HijackThis v1.98.2
Scan saved at 1:34:13 AM, on 12/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {59411F8E-CF6C-7B7A-F0C0-DB33873458BD} - C:\WINDOWS\winua32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103611633182
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} - http://fdl.msn.com/public/investor/v11/investor.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Thanks.
|
23-Dec-2004, 09:49 AM
#8 |
Hi, download AboutBuster from here, unzip it to the desktop, don't run it just yet, check for updates. http://www.majorgeeks.com/downloads31.html

Have HijackThis fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {59411F8E-CF6C-7B7A-F0C0-DB33873458BD} - C:\WINDOWS\winua32.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Now run CWShredder, close all progs and browsers, click FIX. Now run AboutBuster. Post another log.
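A defender-side triage script for the kind of entries listed in the post above, as an added example that is not part of this thread or of HijackThis: it parses HijackThis-format log lines and flags the res:// search-page hijack, the missing URLSearchHook, the unnamed BHO and the orphaned O9 entries, and treats the about:blank default page as a finding only when res:// entries are also present. The sample log is constructed from lines quoted in the thread; the finding kinds and field names are my own.

```python
"""Triage helper for HijackThis 1.98-style logs.

Added example, not code from the forum post or from HijackThis itself.
It flags the entry patterns the helper asked to have fixed in this thread:
IE start/search pages served from a local DLL via res://, a missing default
URLSearchHook, an unnamed BHO, and O9 entries whose file is gone.
"""
import re
from typing import Dict, List

# Constructed sample in HijackThis log format (a subset of the thread's log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddzwi.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {59411F8E-CF6C-7B7A-F0C0-DB33873458BD} - C:\WINDOWS\winua32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
"""

# Entries look like "R1 - <key> = <value>" or "O2 - BHO: <name> - {CLSID} - <path>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return the section-prefixed entries, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "line": raw.strip()})
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return findings as {"kind", "line", "reason"} dicts, in log order."""
    entries = parse_log(text)
    findings: List[Dict[str, str]] = []
    saw_res_hijack = False
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            # A start/search page loaded out of a DLL resource on the local
            # disk is the signature of the about:blank hijacker in this thread.
            if value.lower().startswith("res://"):
                saw_res_hijack = True
                findings.append({"kind": "res_hijack", "line": e["line"],
                                 "reason": "IE search/start page served from a local DLL resource"})
        elif sec == "R3" and "URLSearchHook is missing" in body:
            findings.append({"kind": "searchhook_missing", "line": e["line"],
                             "reason": "default URLSearchHook removed; the hijacker cleared it"})
        elif sec == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                findings.append({"kind": "bho_unnamed", "line": e["line"],
                                 "reason": "browser helper object with no name: %s" % m.group("path")})
        elif sec == "O9" and body.endswith("(no file)"):
            findings.append({"kind": "orphan_entry", "line": e["line"],
                             "reason": "IE button/menu entry whose file no longer exists"})
    # about:blank as the default page is harmless on its own; it only counts
    # when the same log shows res:// pages, because the hijacker sets both.
    if saw_res_hijack:
        for e in entries:
            if e["section"] in ("R0", "R1") and e["body"].endswith("= about:blank"):
                findings.append({"kind": "blank_default_page", "line": e["line"],
                                 "reason": "about:blank default page alongside res:// hijack"})
    return findings


def lines_to_fix(text: str) -> List[str]:
    """The raw log lines a helper would tell the user to tick in HijackThis."""
    return [f["line"] for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-20s %s\n    %s" % (f["kind"], f["reason"], f["line"]))
```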

23-Dec-2004, 10:21 AM  #9
Hi, do another scan from here. http://support.f-secure.com/enu/home/ols.shtml
Do a search to see if these are still on your system.
C:\WINDOWS\SYSTEM32\clonzips.ssc
C:\WINDOWS\twunk_16.exe->ADS:xibui - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\SYSTEM32\ddzwi.dll
khaz

23-Dec-2004, 10:22 AM  #10
Here is my AboutBuster log and my hjt log. Thanks for the help.

Scanned at: 8:10:51 AM on: 12/23/2004
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 21
Removed Data Streams:
C:\WINDOWS\River Sumida.bmp:jmumv
C:\WINDOWS\setdebug.exe:cnnrp
C:\WINDOWS\twunk_16.exe:xibui
C:\WINDOWS\winhelp.exe:zmvxp
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 21
Removed Data Streams:
C:\WINDOWS\River Sumida.bmp:jmumv
C:\WINDOWS\setdebug.exe:cnnrp
C:\WINDOWS\twunk_16.exe:xibui
C:\WINDOWS\winhelp.exe:zmvxp
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.2
Scan saved at 8:16:21 AM, on 12/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103611633182
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} - http://fdl.msn.com/public/investor/v11/investor.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

23-Dec-2004, 11:01 AM  #12
Thanks for the help so far. I'll be away from my computer for about a week traveling to my in-laws and my parents for the holidays, but I'll do another scan and post another log when I get back. Thanks again for helping me out.

23-Dec-2004, 11:13 AM  #13
OK. To stop reinfection get these two tools, SpywareGuard and SpywareBlaster, from www.javacoolsoftware.com
Get the hosts file from here. Put it into C:\windows\system32\drivers\etc for XP and W2K, or C:\windows\ for 95, 98 and ME. http://www.mvps.org/winhelp2002/hosts.htm
WinPatrol http://www.winpatrol.com/winpatrol.html
If you don't have a firewall, get one of these. Free firewalls:
www.zonelabs.com
www.kerio.com
www.sygate.com
How to set up and configure the Kerio rules-based firewall: http://www.dslextreme.com/users/surferslim/tpf.html
Also, turn on System Restore and make a new restore point if you're clean. Use Spybot's immunize button and use SpywareBlaster's enable protection once you update it. You can put Spybot's hosts file into your own and lock it. Plus you can also turn on Spybot's TeaTimer for added protection against pests.
I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, blocks cookies and ads. http://www.mozilla.org/
khaz

01-Jan-2005, 02:50 PM  #14
Hi. I'm back. I did a scan at F-Secure. It found 0 viruses. I also searched for these files like you suggested a couple posts ago and did not find them.
C:\WINDOWS\SYSTEM32\clonzips.ssc
C:\WINDOWS\twunk_16.exe->ADS:xibui - TrojanDownloader:Win32/WinShow.AK -> Suspicious
C:\WINDOWS\SYSTEM32\ddzwi.dll

WinPatrol and SpywareGuard show in my taskbar that they're running. After enabling SpywareBlaster's protection, will I have to do anything else with it besides updating it? Is it running without me noticing it? I haven't downloaded the hosts file or a firewall yet, but I will.

These files were detected (and healed?) by AVG and are now included in the many files in my virus vault. One mentions HijackThis backups. Can I delete these files and all files in my virus vault? If so, can I always delete files from the virus vault?
Trojan horse Downloader.Winshow.BD - C:\msinfo.exe - 1/1/2005 10:46 - msinfo.exe - 7.5 KB
Trojan horse Downloader.Agent.6.L - C:\Program Files\hijackthis\backups\backup-20041223-080315-413.dll - 1/1/2005 10:54 - backup-20041223-080315-413.dll - 96.5 KB
Trojan horse Downloader.Winshow.BG - C:\WINDOWS\SYSTEM32\ddzwi.dll - 1/1/2005 11:07 - ddzwi.dll - 55 KB
Trojan horse Downloader.Agent.6.L - C:\WINDOWS\winua32.dll - 1/1/2005 11:15 - winua32.dll - 96.5 KB

And finally, here is my latest hjt log. Thank you.

Logfile of HijackThis v1.98.2
Scan saved at 12:30:32 PM, on 1/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jam.canoe.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1103611633182
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} - http://fdl.msn.com/public/investor/v11/investor.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

01-Jan-2005, 03:02 PM  #15
Yes, SpywareBlaster runs in the background; just check for updates on a weekly basis, and when you get an update, click enable all protection. Yes, you can delete them out of your virus vault. The hosts file just blocks ads and nasty sites, but it's a useful tool. You only need to replace it when a new hosts file becomes available, usually 1-2 a year. IE-SPYAD is also a good tool, just unzip and run the DOS prog; you can also lock the hosts file with it, I think, another useful little utility. https://netfiles.uiuc.edu/ehowes/www/main.htm

Make sure to get a firewall, very important; even if the baddies get on one's system, a firewall can stop them from phoning home and installing more crap on to your system. Just check when the firewall asks you do you want such and such to connect to the net: check its name; if you launched a prog, then it's fine; if it pops up with a message and you haven't launched a prog, then become suspicious. You can easily google the name of the file and find out what it is and whether it needs to connect to the net. Progs like Windows Media Player and Winamp like to connect to the net, but if you're only using it to play music etc., then deny it. Lastly, if using XP, svchost.exe will ask to connect to the internet; this is a legit Microsoft programme, you have to allow it, or you won't be able to connect to the net. So, if you ever lose internet connection, just check the firewall you're using and see what progs you have denied; sometimes you might accidentally deny legit programmes like IE, Mozilla or your ISP.

Your log looks clean apart from this entry; have HijackThis fix it.
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
Are all the viruses gone then?
khaz
Last edited by khazars; 01-Jan-2005 at 03:19 PM.. Reason: more info

All times are GMT -4. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.