-
June 29th, 2004, 06:23 PM
#11
If HijackThis doesn't work your only option may be to reformat the hard drive. Yea it will suck, but hopefully you backed up any valuable info before you got infected. But after a full format you can pretty much guarantee that the virus will be gone.
-
June 29th, 2004, 09:17 PM
#12
Most of them do look out of place to me, with the following exception:
wuauclt.exe
http://www.liutilities.com/products/...brary/wuauclt/
Looks like the Windows Update client, however it also seems like it is dropped by at least one virus:
http://securityresponse.symantec.com...kdoor.clt.html
If we are looking for a trojan that usually implies ports being open to receive commands, so you might like to try Fport and see which processes are attached to your open ports: http://www.foundstone.com/resources/proddesc/fport.htm
I know you can get the same sort of thing by doing netstat -an but I prefer Fport and it's free.
Definitely go back and run another scan and write down the Trojan names etc. this time.
Good luck
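An added example, not from this thread, of the Fport-style process-to-port mapping described above, built from `netstat -ano` and `tasklist` output (the `-o` switch, available from XP on, adds the owning PID that plain `netstat -an` lacks). The sample output below is constructed, not taken from the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on `netstat -ano` and `tasklist`
# from the same box. Not real data.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5190           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1031       10.0.0.9:6667          ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         216 K
svchost.exe                  812 Console                 0       4,960 K
lxp2zwl.exe                 1544 Console                 0       2,112 K
"""

def parse_tasklist(text):
    """Map PID -> image name from tasklist output; header/ruler lines have no PID."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            proto, local, remote = parts[0], parts[1], parts[2]
            state = parts[3] if proto == "TCP" else ""   # UDP has no state column
            yield proto, local, remote, state, int(parts[-1])

def ports_by_process(netstat_text, tasklist_text):
    """Fport-style view: image name -> list of (proto, local port, state or peer)."""
    names = parse_tasklist(tasklist_text)
    result = defaultdict(list)
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        port = int(local.rsplit(":", 1)[1])
        endpoint = remote if state == "ESTABLISHED" else state
        result[names.get(pid, f"<pid {pid} not in tasklist>")].append((proto, port, endpoint))
    return dict(result)
```

Feed `ports_by_process` the saved output of both commands; an unfamiliar image listening on a port, or holding an outbound connection, is what to look up next.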
-
June 29th, 2004, 09:27 PM
#13
When your computer is on take a look at the task manager (same as HijackThis but try something), see what svchost is running at (how much resource it is taking up). I had this problem.
Anyway I would DL Spybot and CWShredder and run them both in safe mode.
Another thing I would try is to run Housecall again and write down the names of the problems it found and post them here or research them.
- MilitantEidolon
Yeah that's right........I said it!
Ultimately everyone will have their own opinion--this is mine.
-
June 29th, 2004, 09:36 PM
#14
Let's not forget Ad-Aware from Lavasoft, Spybot S&D, and CWShredder from Merijn...
Spyware creates random file names as well...
Make sure everything you run is updated, and run in "safe mode".
-
June 29th, 2004, 11:50 PM
#15
Junior Member
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
Now, don't go ahead and delete these yet, I am looking for conformation from some of the other members here. So gang, do these look like they belong to you?
Cheers:
Not at all, but I am new.
Also something I look for is CAPS in your running programs. It doesn't mean they aren't legit,
but most if not all are in lower case.
Could mean a possible overwrite of the original file, so these I would check as well:
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\Explorer.EXE
USUALLY programmers don't use the caps unless there is a reason,
unless the first two are Lexmark printer drivers and the programmer is an AOL user who doesn't know <GRIN> it's a joke.
C:\WINNT\Explorer.EXE is a bad file I'd bet.
C:\Program Files\Internet Explorer\iexplore.exe is your browser.
I would bet Norton has been overwritten, or at least parts.
Good luck and let us know.
jeremy
I usually reload <grin>
-
June 30th, 2004, 12:32 AM
#16
also something I look for is CAPS in your running programs it doesn't mean they aren't legit
but most if not all are in lower case
That's just a quirk of HJT, and it's meaningless.. don't feel bad though, I thought the same thing.
It almost looks like you have a peper trojan, but not quite...I would be running this through some online scanners.
* PandaSoft
* TrendMicro
* Symantec
Post up your results afterwards, along with a new log.
Just a helpful note to everybody else that helps with these logs...always run virus scans and anti-spyware applications first before removing anything manually. It saves a lot of headaches in the long run.
Also, CWS shredder, if run in the wrong instance, will make a CWS infection worse, so please be careful about recommending it. A nice way to determine if it is a CWS infection that is repairable by the shredder is to create a shortcut on your desktop to the shredder. Then in the properties, change the path-name to add /debug at the end. Then when running the shredder, it will open in debug mode, and you can paste the redirect address into the box. It will tell you if it is a CWS infection...clear as mud?
I'm glad to see some people are interested in learning how to combat this crap.
-
June 30th, 2004, 12:46 AM
#17
In addition to the online scanners it never hurts to run an anti-trojan. I would recommend to download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.
-
June 30th, 2004, 01:00 AM
#18
Junior Member
Hello, have you tried The Cleaner http://www.moosoft.com and disabling System Restore before scanning in safe mode http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
Hope this can help.
-
June 30th, 2004, 03:16 AM
#19
Junior Member
OK, I tried Housecall again.. no viruses.. yes I did try "The Cleaner" before.. I tried the other things suggested.. nothing.
Here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 10:21:39 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\0qqn.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\33wh.exe
C:\WINNT\System32\lxp2zwl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
O4 - HKLM\..\Run: [BMZHRJX] C:\WINNT\BMZHRJX.exe
O4 - HKLM\..\Run: [BHOUY] C:\WINNT\BHOUY.exe
O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
O4 - HKLM\..\Run: [XFPZ] C:\WINNT\XFPZ.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CIPWG] C:\WINNT\CIPWG.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt0_x.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
O17 - HKLM\System\CS1\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
Is it possible I have a registry problem? I really don't know what I'm talking about anymore.
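An added example, not from the thread, that applies the reviewers' rules of thumb used above to a HijackThis log: the same image running several times, O4 autostarts launched from the Windows directory, registered components whose file is missing, O16 DPF entries that fetch a bare .exe, and O17 custom DNS servers. The excerpt is constructed from the log posted above, and the Windows directory is assumed to be C:\WINNT as in that log.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the HijackThis log posted above; not the full log.
HJT_SAMPLE = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\lxp2zwl.exe
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
"""

WINDIR = r"c:\winnt"  # assumed Windows directory, matching the posted log

def triage(log):
    """Return (reason, line) pairs worth a closer look. Heuristics only: a hit
    means 'verify this', not 'this is malware'."""
    findings, procs = [], Counter()
    for line in log.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):      # a "Running processes" path
            procs[line.lower()] += 1
            continue
        m = re.match(r"^(O\d+|R\d+) - ", line)   # an HJT entry such as O4, O16, R0
        if not m:
            continue
        kind = m.group(1)
        if "(file missing)" in line:
            findings.append(("registered component whose file is gone", line))
        elif kind == "O4":
            p = re.search(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', line, re.I)
            if p and p.group(1).lower().rsplit("\\", 1)[0] in (WINDIR, WINDIR + r"\system32"):
                findings.append(("autostart from the Windows directory; confirm the publisher", line))
        elif kind == "O16" and re.search(r"\.exe\s*$", line, re.I):
            findings.append(("ActiveX download entry pointing at a bare .exe", line))
        elif kind == "O17":
            findings.append(("custom DNS servers; confirm they belong to your ISP", line))
    for path, n in procs.items():
        if n > 1 and not path.endswith("svchost.exe"):   # several svchost instances are normal
            findings.append((f"same image running {n} times", path))
    return findings
```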
-
June 30th, 2004, 03:25 AM
#20
Junior Member
I just looked in my Add/Remove Programs and there are about 20 programs called Windows XP Hotfix with a letter/# combo afterwards.. every time I try to delete them it makes me restart.. are these related?