
HiJack This run - Virus take over?

Discussion in 'Virus & Other Malware Removal' started by amaul, Oct 5, 2006.

  1. amaul

    amaul Thread Starter

    Joined:
    Jun 7, 2000
    Messages:
    217
    Someone at this post
    http://forums.techguy.org/web-email...rts-when-internet-connection.html#post4047980
    suggested that I do a new post with a HiJack This log inserted. I also have Symantec AntiVirus which seems to have detected some bad stuff. First the HiJack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:00:20 AM, on 10/5/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\System32\cpqalert.exe
    C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    c:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\System32\cpqdmi.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\logn.exe
    C:\elk.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system\dllhost.exe
    C:\HiJack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
    O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
    O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
    O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe



    Now when doing a Symantec AntiVirus scan, it found the following, as shown in the attached file AV.xls.
    In "dllhost.exe" it finds "W32.Spybot.Worm". It also finds "Hacktool.Spammer" in other files.

    Please help. You can find more on the history behind this problem at the link at the top of this message.
     

    Attached Files:

    • AV.xls (20.5 KB)
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Go to this web site: http://virusscan.jotti.org/
    In the File to upload & scan box copy and paste each of the following one at a time. Then click the Submit button.

    C:\logn.exe
    C:\elk.exe

    Copy the results and paste them back here in your next reply with a new HJT log.
     
  3. amaul

    amaul Thread Starter

    Joined:
    Jun 7, 2000
    Messages:
    217
    Yes, I was wondering what those two files were. They kept on trying to access the internet as my ZoneAlarm kept on warning. As mentioned in the post above here, I suspected these files in my previous post which may provide more background on the problem, here:
    http://forums.techguy.org/web-email/503904-computer-restarts-when-internet-connection.html

    Also as shown in this previous post is a screen capture from ZoneAlarm, which I'll try to link here:
    [image: ZoneAlarm screen capture]

    Since the problem computer keeps on getting a BSOD stop error each time it connects to the internet, I'll have to load those two files to floppies and upload them to that website from a friend's or library computer. Thus, it may take some time, at least 12-24 hours between posts for me unfortunately because of this.

    By the way, my Symantec AV definitions were updated in late September. Other scans with AV show that the virus is back; it keeps on recreating the infected file, dllhost.exe.
    Also, I did another scan from safe mode. Pretty much followed the instructions found at
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=3
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Let's not wait 12-24 hours... ;)

    Please download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to your desktop. Open it and paste in the list of files below. When it has created the archive on your desktop, please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so they can be examined.

    Just press New Topic, fill in the needed details and post a link to your post here, then press the Browse button and navigate to and select the files on your computer. When the file is listed in the window, press Send to upload the file.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Click Here and download Killbox and save it to your desktop.



    Run HJT again and put a check in the following:

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe

    Close all applications and browser windows before you click "fix checked".

    Close Hijackthis.


    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    In the "Full Path of File to Delete" box, copy and paste the following line.

    C:\WINNT\system\dllhost.exe

    Click on the button that has the red circle with the X in the middle after you enter the file name.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask for confirmation to reboot now.
    Click Yes.

    Note: It is possible that Killbox will tell you that the file does not exist.
    If your computer does not restart automatically then please restart it manually.
    If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

    After reboot please post your hijackthis log. Use Task Manager to kill those two processes after you reboot.
     
  6. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,206
    First Name:
    Frank
    amaul:

    I got your private message. I'm not going to be of any help to you because I've never used Windows 2000. Continue to follow cybertech's instructions.

    -------------------------------------------------------------------------------------

    I wouldn't have Symantec Norton Antivirus nor ZoneLabs ZoneAlarm in my computer, but that's me.

    -------------------------------------------------------------------------------------
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    :confused:

    amaul,

    You PM'd me and asked me to help you. Are you having problems with any thing I have requested you to do?
     
  8. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,206
    First Name:
    Frank
    Cybertech:

    He PM'd me with this message:

    Hi. I was wondering if you could possibly help me out as you did recently for another on a similar problem.

    I've never worked with Windows 2000 anyway, so I'm of no real help to him. I'm staying out of this thread and leaving it to you. I don't know why he hasn't replied back to your previous instructions.

    Frank

    -------------------------------------------------------------------------------------
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Same here flavallee.
     
  10. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
  11. amaul

    amaul Thread Starter

    Joined:
    Jun 7, 2000
    Messages:
    217
    I haven't been back to that computer yet. I'll try it out tomorrow. I sent out the help requests prior to Cybertech's 07-Oct-2006 02:09 PM post, as my previous post really got me nowhere (few responses, nothing solved). I'm happy that there are now many who would like to help.

    Please have patience in my responses, as the computer I have for the internet is geographically in a separate location to the sick computer, which cannot connect to the internet.

    I only wish that I can save the TechGuy page to transfer and to look at on that faulty computer that can't connect to the internet. Every time I do a File / Save As to this web page, it gives the error "The web page cannot be saved" shown as attached.
    [image: "The web page cannot be saved" error dialog]
     

    Attached Files:

    • Save.jpg (8.4 KB)
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Can you make a hard copy? Print it.
     
  13. amaul

    amaul Thread Starter

    Joined:
    Jun 7, 2000
    Messages:
    217
    No printer. I did a "view source" and saved the txt as a html document so that I could look at it on my other computer. Doesn't look as nice as if I could have just saved the web page with a "Save As", but it did the trick. I was able to follow your instructions.

    Well I saved
    C:\logn.exe
    C:\elk.exe
    and dllhost.exe
    to a floppy to check in http://virusscan.jotti.org/ but I think I grabbed the wrong floppy to check using this computer that works. Duh! Do you want me to try again?

    The next step,
    I'm sorry Cybertech, but other than downloading SFP, unzipping it, and running the program, I'm lost here. I don't know what to paste in this SFP window.
    [image: Suspicious File Packer window]

    Next step,
    Ok, I got KILLBOX on the bad PC. I ran HJT again and put a check in those two boxes. Closed all apps and browser windows and chose "fix checked" and closed HJT. Ran Killbox, did everything you mentioned, and chose "yes" to reboot. It couldn't shut down all the way, hanging up somewhere showing just a black screen and a movable mouse pointer, but I manually forced a restart as you mentioned. No error messages. A HJT log follows. I'm not sure what two processes you wanted me to kill using Task Manager, but here is the TM window:
    [image: Task Manager window]

    HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 7:28:43 PM, on 10/9/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\System32\cpqalert.exe
    C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    c:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\System32\cpqdmi.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\logn.exe
    C:\elk.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
    O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
    O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
    O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
     

  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    These are the two processes to kill:
    logn.exe
    elk.exe
    both are visible in the Task Manager list you posted.

    Since you have a copy of each of these files I would suggest deleting them from the infected machine.

    You don't need to submit dllhost.exe, that file is known bad.


    Upgrade IE to v6 when you get this device back on the internet.


    Run HJT again and put a check in the following:

    O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
    O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)

    Close all applications and browser windows before you click "fix checked".

    All you need to do with SFP is copy:
    c:\logn.exe
    c:\elk.exe
    and paste into the box.

    No problem on the time it takes to get this done.
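The lines cybertech singled out across these posts (the two O4 Run entries pointing at executables in the drive root, the DLLHOST service with no publisher, the imgfarm.com ActiveX download) can be picked out of an HJT log mechanically. The script below is an added example for this thread, not HijackThis code and not something any participant posted; it parses the O4, O16 and O23 sections of the first log in the thread and flags those three patterns. The allowlisted download hosts and the set of binary names that belong only in System32 are assumptions of this example, not anything HJT itself knows.

```python
"""Heuristic triage of HijackThis (HJT) log sections O4, O16 and O23.

Added example for this thread; not HijackThis code and not posted by any participant.
The allowlisted hosts and the System32-only name set are assumptions of this example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the first HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winmlp02] C:\logn.exe
O4 - HKLM\..\Run: [winmlp05] C:\elk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<label>[^)]*)\))? - (?P<url>\S+)$")
# The owner may be empty, which HJT prints as "X - - C:\path"; hence the optional space.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\\S.*)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)  # e.g. C:\logn.exe

# Core Windows binaries that legitimately live only in %SystemRoot%\System32 (assumption of
# this example): the same file name anywhere else is borrowing a trusted name.
SYSTEM32_ONLY = {"dllhost.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
# Hosts from which ActiveX downloads are expected on a stock Windows box (assumption).
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


class Finding(NamedTuple):
    section: str   # HJT section code
    item: str      # Run value name, service display name or DPF label
    path: str      # executable path or download URL
    reason: str


def command_target(cmd: str) -> str:
    """Executable portion of a Run value: quotes removed, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_o23(line: str) -> Optional[Tuple[str, str, str]]:
    """(display name, owner, path) for an O23 line, or None if it is not one."""
    m = O23_RE.match(line)
    return (m.group("display"), m.group("owner"), m.group("path")) if m else None


def is_trusted_host(url: str) -> bool:
    """True when the URL's host is, or is a subdomain of, an allowlisted host."""
    m = re.match(r"^[a-z]+://([^/:?]+)", url, re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def analyze(log: str) -> List[Finding]:
    """Walk the log once and collect the entries that deserve a second look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = command_target(m.group("cmd"))
            if ROOT_EXE_RE.match(target):
                findings.append(Finding("O4", m.group("name"), target,
                                        "autorun of an executable sitting in the drive root"))
            continue
        m = O16_RE.match(line)
        if m:
            if not is_trusted_host(m.group("url")):
                findings.append(Finding("O16", m.group("label") or "(no name)", m.group("url"),
                                        "ActiveX download from a non-Microsoft host; verify the publisher"))
            continue
        svc = parse_o23(line)
        if svc:
            display, owner, path = svc
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("service binary carries no publisher information")
            if "(file missing)" in path:
                reasons.append("service registered for a binary that is gone from disk")
            clean = path.replace("(file missing)", "").strip()
            directory, _, basename = clean.rpartition("\\")
            if basename.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
                reasons.append("System32 binary name used outside System32 (masquerade)")
            if reasons:
                findings.append(Finding("O23", display, clean, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.path}\n      {f.reason}")
```

The name check is what makes the DLLHOST line stand out even before Jotti confirms it: the real dllhost.exe lives in %SystemRoot%\System32, while the one in this log sits in C:\WINNT\system\, so the entry fires on both the missing publisher and the out-of-place name. The O16 rule only produces candidates for review; the first log's webshots.com control, for instance, would also be listed and has to be judged by hand.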
     
  15. amaul

    amaul Thread Starter

    Joined:
    Jun 7, 2000
    Messages:
    217
    I couldn’t delete logn.exe & elk.exe until after I ran HJT again and fixed the three checked lines you indicated. Before this, it wouldn’t allow me to delete them. They're now deleted. I didn't upgrade the infected computer's IE to v.6. I'm afraid to connect to the internet while still having a pizza virus eating my computer. I'm afraid that it'll also just crash when the internet connection is made as was happening before. Now on checking all of these files (plus a new one, pizza.exe)…

    At http://virusscan.jotti.org/ I inputted the files LOGN.EXE, ELK.EXE, and DLLHOST.EXE. The results are below. I also noticed this afternoon a weird file in the C:\ root directory, the only application there. PIZZA.EXE. The jotti.org website identified this as an infected file.

    File: LOGN.EXE
    Status: INFECTED/MALWARE
    MD5 d1eeed403db8b752715284f09ed8eca5
    Packers detected: -
    Scanner results
    AntiVir Found Trojan/Proxy.Small.FD
    ArcaVir Found Trojan.Proxy.Small.Fd
    Avast Found nothing
    AVG Antivirus Found Proxy.FUW
    BitDefender Found BehavesLike:Win32.Backdoor (probable variant)
    ClamAV Found nothing
    Dr.Web Found Trojan.Proxy.1088
    F-Prot Antivirus Found Possibly a new variant of W32/Behavior:SelfStarterInternetTrojan!Maximus
    Fortinet Found W32/Small.FD!tr
    Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.fd
    NOD32 Found nothing
    Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
    * File length: 9216 bytes.
    [ Changes to registry ]
    * Creates value "winmlp02"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
    [ Network services ]
    * Opens URL: http://58.20.162.136/ok.php?p=1030.
    [ Security issues ]
    * Possible backdoor functionality [UNKNOWN] port 1030.
    [ Process/window information ]
    * Creates a mutex winmlp02.
    * Will automatically restart after boot (I'll be back...).
    UNA Found nothing
    VirusBuster Found Trojan.PR.Small.EHI
    VBA32 Found Trojan-Proxy.Win32.Small.fd

    File: ELK.EXE
    Status: INFECTED/MALWARE
    MD5 6010af1e95421806de23ddcdf789f693
    Packers detected: -
    Scanner results
    AntiVir Found Trojan/Proxy.Small.FD.1
    ArcaVir Found Trojan.Proxy.Small.Fd
    Avast Found nothing
    AVG Antivirus Found Proxy.GAF
    BitDefender Found BehavesLike:Trojan.FirewallBypass (probable variant)
    ClamAV Found nothing
    Dr.Web Found Trojan.Proxy.1089
    F-Prot Antivirus Found Possibly a new variant of W32/Behavior:SelfStarterInternetTrojan!Maximus
    Fortinet Found W32/Small.FD!tr
    Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.fd
    NOD32 Found nothing
    Norman Virus Control Found W32/Smalltroj.KEI
    UNA Found nothing
    VirusBuster Found Trojan.PR.Mailer.B
    VBA32 Found Trojan-Proxy.Win32.Small.fd

    File: DLLHOST.EXE
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 bfd30ff043a16228e8a950ad1c684618
    Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
    Scanner results
    AntiVir Found Worm/Sdbot.43520.30
    ArcaVir Found Trojan.Sdbot.Xd
    Avast Found nothing
    AVG Antivirus Found IRC/BackDoor.SdBot2.HWV
    BitDefender Found Generic.Sdbot.4A2A001D
    ClamAV Found Trojan.SdBot-2700
    Dr.Web Found BackDoor.IRC.Sdbot
    F-Prot Antivirus Found W32/Sdbot.UNJ
    Fortinet Found W32/SDBot.XD!tr.bdr
    Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.xd
    NOD32 Found a variant of IRC/SdBot
    Norman Virus Control Found W32/SDBot.AJKO
    UNA Found nothing
    VirusBuster Found Worm.SdBot.CRX
    VBA32 Found Backdoor.Win32.SdBot.xd

    Ok, I ran SFP for logn.exe & elk.exe to create one zipped file and for pizza.exe for another zipped file. I uploaded them to that website (I think), linked here –
    http://www.thespykiller.co.uk/forum/index.php?topic=2787.0
    and
    http://www.thespykiller.co.uk/forum/index.php?topic=2786.0
    I also emailed these two zipped files to [email protected] for further analysis.

    I did another AV scan in Safe Mode. Didn’t find anything. See AVscanhist.xls attached.

    My latest Task Manager appears as shown. I don't see Pizza.exe here, but think it's just a matter of time. How do I address pizza.exe and others that might pop up?
    [image: Task Manager window]

    The latest HJT log is as shown:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:20:57 PM, on 10/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\System32\cpqalert.exe
    C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINNT\Explorer.EXE
    c:\dmi\win32\bin\Win32sl.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\System32\cpqdmi.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\HiJack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f344.mail.yahoo.com/ym/ShowFolder?YY=39622&box=Inbox&YN=1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158024677093
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C0345D1D-67F0-4B37-9FFF-F619C050EEF5}: NameServer = 10.10.1.4
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
    O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
    O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
    O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe
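The Jotti output in this post carries two kinds of information: how many engines caught each file, and, from the Norman sandbox notes on LOGN.EXE, what the sample does on a host (a Run value, a mutex, a URL and a port). The script below is an added example, not Jotti's or Norman's code and not part of any post; it parses the LOGN.EXE result reproduced from this post, counts engine coverage, pulls those indicators out of the sandbox lines, and matches the Run value name back to the HJT O4 lines copied from the thread's first log. The match is on the value name because the sandbox ran the file as c:\sample.exe, so its value data differs from the victim's C:\logn.exe while the name winmlp02 is identical.

```python
"""Triage of a Jotti multi-engine result that includes Norman sandbox notes.

Added example for this thread; not Jotti's or Norman's code and not posted by any
participant. It counts engine coverage, extracts host indicators from the sandbox
lines, and ties the Run value name back to HijackThis O4 entries.
"""
import re
from typing import Dict, List

# The LOGN.EXE result from this post, reproduced as sample input.
JOTTI_REPORT = r"""
File: LOGN.EXE
Status: INFECTED/MALWARE
MD5 d1eeed403db8b752715284f09ed8eca5
Packers detected: -
Scanner results
AntiVir Found Trojan/Proxy.Small.FD
ArcaVir Found Trojan.Proxy.Small.Fd
Avast Found nothing
AVG Antivirus Found Proxy.FUW
BitDefender Found BehavesLike:Win32.Backdoor (probable variant)
ClamAV Found nothing
Dr.Web Found Trojan.Proxy.1088
F-Prot Antivirus Found Possibly a new variant of W32/Behavior:SelfStarterInternetTrojan!Maximus
Fortinet Found W32/Small.FD!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.fd
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* File length: 9216 bytes.
[ Changes to registry ]
* Creates value "winmlp02"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Opens URL: http://58.20.162.136/ok.php?p=1030.
[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 1030.
[ Process/window information ]
* Creates a mutex winmlp02.
* Will automatically restart after boot (I'll be back...).
UNA Found nothing
VirusBuster Found Trojan.PR.Small.EHI
VBA32 Found Trojan-Proxy.Win32.Small.fd
"""

# O4 lines copied from the first HJT log in this thread.
HJT_RUN_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [winmlp02] C:\logn.exe",
    r"O4 - HKLM\..\Run: [winmlp05] C:\elk.exe",
]

SCANNER_RE = re.compile(r"^(?P<engine>[^\[*].*?) Found (?P<verdict>.*)$")
RUN_VALUE_RE = re.compile(r'Creates value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"')
URL_RE = re.compile(r"Opens URL: (?P<url>\S+?)\.?$")       # trailing "." is sentence punctuation
MUTEX_RE = re.compile(r"Creates a mutex (?P<mutex>\S+?)\.?$")
PORT_RE = re.compile(r"\bport (?P<port>\d+)\b")
HJT_O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def summarize(report: str) -> Dict:
    """Engine coverage plus sandbox-derived host indicators for one Jotti result."""
    s: Dict = {"file": None, "md5": None, "engines": 0, "detections": 0, "missed_by": [],
               "run_values": [], "mutexes": [], "urls": [], "ports": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File: "):
            s["file"] = line[len("File: "):]
        elif line.startswith("MD5 "):
            s["md5"] = line[len("MD5 "):].lower()
        elif line.startswith("*"):
            # Norman sandbox observation: keep only the parts a defender can search a host for.
            m = RUN_VALUE_RE.search(line)
            if m:
                s["run_values"].append((m.group("name"), m.group("data"), m.group("key")))
            m = URL_RE.search(line)
            if m:
                s["urls"].append(m.group("url"))
            m = MUTEX_RE.search(line)
            if m:
                s["mutexes"].append(m.group("mutex"))
            m = PORT_RE.search(line)
            if m:
                s["ports"].append(int(m.group("port")))
        else:
            m = SCANNER_RE.match(line)
            if m:
                s["engines"] += 1
                if m.group("verdict").strip().lower() == "nothing":
                    s["missed_by"].append(m.group("engine"))
                else:
                    s["detections"] += 1
    return s


def correlate_run_values(summary: Dict, hjt_lines: List[str]) -> List[str]:
    r"""HJT O4 lines whose value name matches a Run value the sandbox saw being created.

    Matching is on the value *name*: the sandbox ran the file as c:\sample.exe, so the
    value data differs from the victim's C:\logn.exe, but the name (winmlp02) is the same.
    """
    names = {name.lower() for name, _data, key in summary["run_values"]
             if key.lower().endswith("\\currentversion\\run")}
    hits = []
    for ln in hjt_lines:
        m = HJT_O4_RE.match(ln.strip())
        if m and m.group("name").lower() in names:
            hits.append(ln.strip())
    return hits


if __name__ == "__main__":
    s = summarize(JOTTI_REPORT)
    print(f'{s["file"]} ({s["md5"]}): {s["detections"]}/{s["engines"]} engines detected it, '
          f'missed by {", ".join(s["missed_by"])}')
    print("Run values:", s["run_values"], "\nMutexes:", s["mutexes"],
          "\nURLs:", s["urls"], "\nPorts:", s["ports"])
    print("Matching HJT O4 entries:", correlate_run_values(s, HJT_RUN_LINES))
```

Four of the fifteen engines report nothing for a file that eleven others call a proxy trojan, which is the practical reason a single resident scanner (Symantec here) is not the last word on whether a machine is clean. The mutex and Run value name are the indicators worth keeping: the same malware family reuses them across installs, so they also explain the second file's value name winmlp05 in the HJT log.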
     

Short URL to this thread: https://techguy.org/507149

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice