
Thread: Unknown Virus

  1. #11
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    If HijackThis doesn't work, your only option may be to reformat the hard drive. Yeah, it will suck, but hopefully you backed up any valuable info before you got infected. But after a full format you can pretty much guarantee that the virus will be gone.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  2. #12
    Senior Member
    Join Date
    Feb 2002
    Posts
    130
    Most of them do look out of place to me, with the following exception:

    wuauclt.exe

    http://www.liutilities.com/products/...brary/wuauclt/

    It looks like the Windows Update client; however, it also seems to be dropped by at least one virus:

    http://securityresponse.symantec.com...kdoor.clt.html

    If we are looking for a trojan, that usually implies ports being open to receive commands, so you might like to try Fport and see which processes are attached to your open ports: http://www.foundstone.com/resources/proddesc/fport.htm

    I know you can get the same sort of thing by doing netstat -an, but I prefer Fport, and it's free.

    Definitely go back and run another scan and write down the Trojan names etc. this time.

    Good luck
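
The Fport/netstat step above, as an added example that is not code from the thread or from Foundstone: on XP and later, `netstat -ano` prints the owning PID in its last column and `tasklist /fo csv` maps PIDs to image names, so joining two saved captures gives the same port-to-process view Fport does. Both captures below are constructed samples (unknownsvc.exe is a placeholder name) and KNOWN_LISTENERS is an assumed baseline, not anything from the thread.

```python
"""Map listening ports to owning processes from saved `netstat -ano` and `tasklist /fo csv`
output, the job the thread uses Fport for. Added example; both captures below are
constructed and KNOWN_LISTENERS is an assumed baseline."""
import csv
import io

# Constructed sample of `netstat -ano` (XP and later print the owning PID in the last column).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1042       64.12.24.33:5190       ESTABLISHED     1288
  UDP    0.0.0.0:500            *:*                                    724
"""

# Constructed sample of `tasklist /fo csv`; unknownsvc.exe is a placeholder image name.
TASKLIST_OUTPUT = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","724","Console","0","1,364 K"
"svchost.exe","908","Console","0","4,520 K"
"aim.exe","1288","Console","0","9,812 K"
"unknownsvc.exe","1544","Console","0","2,104 K"
"""

# Assumed baseline of images expected to hold listening sockets on this box.
KNOWN_LISTENERS = {"System", "lsass.exe", "svchost.exe"}


def parse_netstat(text):
    """Return a list of (proto, local host, local port, state, pid) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank and "Active Connections" lines
        host, port = parts[1].rsplit(":", 1)
        state = parts[3] if parts[0] == "TCP" else ""   # UDP rows have no State column
        rows.append((parts[0], host, int(port), state, int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from CSV tasklist output."""
    reader = csv.DictReader(io.StringIO(text.lstrip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def listening_ports(netstat_text, tasklist_text):
    """Listening sockets as (proto, port, image, pid), sorted by protocol then port."""
    images = parse_tasklist(tasklist_text)
    result = []
    for proto, _host, port, state, pid in parse_netstat(netstat_text):
        if proto == "UDP" or state == "LISTENING":
            # A PID missing from tasklist means the process exited between the two captures.
            result.append((proto, port, images.get(pid, "<pid not in tasklist>"), pid))
    return sorted(result)


def unexpected_listeners(netstat_text, tasklist_text, known=KNOWN_LISTENERS):
    """Listening sockets owned by an image outside the baseline: research these first."""
    return [row for row in listening_ports(netstat_text, tasklist_text) if row[2] not in known]


if __name__ == "__main__":
    for proto, port, image, pid in listening_ports(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{proto:<4} {port:>5}  {image} (PID {pid})")
    print("Needs a look:", unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT))
```

Take both captures within a few seconds of each other so PIDs line up, and treat a hit from unexpected_listeners as a lead to research (the image's path, vendor and signature), not as proof of infection.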

  3. #13
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    When your computer is on, take a look at the Task Manager (same as HijackThis, but try something): see what svchost is running at (how much resource it is taking up). I had this problem.

    Anyway, I would DL Spybot and CWShredder and run them both in safe mode.

    Another thing I would try is to run HouseCall again, write down the names of the problems it found, and post them here or research them.

    - MilitantEidolon
    Yeah, that's right........I said it!

    Ultimately everyone will have their own opinion--this is mine.

  4. #14
    Let's not forget Ad-Aware from Lavasoft, Spybot S&D, and CWShredder from Merijn...
    Spyware creates random file names as well...

    Make sure everything you run is updated, and run it in "safe mode".

  5. #15
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe

    Now, don't go ahead and delete these yet, I am looking for confirmation from some of the other members here. So gang, do these look like they belong to you?

    Cheers:


    Not at all, but I am new.
    Also, something I look for is CAPS in your running programs. It doesn't mean they aren't legit,
    but most if not all are in lower case.
    It could mean a possible overwrite of the original file, so these I would check as well:
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\Explorer.EXE

    USUALLY programmers don't use caps unless there is a reason,
    unless the first two are Lexmark printer drivers and the programmer is an AOL user who doesn't know <GRIN> it's a joke.
    C:\WINNT\Explorer.EXE is a bad file, I'd bet.
    C:\Program Files\Internet Explorer\iexplore.exe is your browser.
    I would bet Norton has been overwritten, or at least parts of it.
    Good luck and let us know.
    jeremy

    I usually reload <grin>

  6. #16
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    also something i look for is CAPS in your running programs it doesnt mean they arent legit
    but most if not all are in lower case
    That's just a quirk of HJT, and it's meaningless. Don't feel bad though, I thought the same thing.

    It almost looks like you have a Peper trojan, but not quite... I would be running this through some online scanners.
    * PandaSoft
    * TrendMicro
    * Symantec

    Post up your results afterwards, along with a new log.

    Just a helpful note to everybody else that helps with these logs...always run virus scans and anti-spyware applications first before removing anything manually. It saves a lot of headaches in the long run.

    Also, CWShredder, if run in the wrong instance, will make a CWS infection worse, so please be careful about recommending it. A nice way to determine if it is a CWS infection that is repairable by the shredder is to create a shortcut on your desktop to the shredder. Then, in the properties, change the path name to add /debug at the end. When you then run the shredder, it will open in debug mode, and you can paste the redirect address into the box. It will tell you if it is a CWS infection... clear as mud?

    I'm glad to see some people are interested in learning how to combat this crap.

  7. #17
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    In addition to the online scanners, it never hurts to run an anti-trojan. I would recommend downloading, updating and running the A2 (A-squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.


  8. #18
    Junior Member
    Join Date
    Mar 2004
    Posts
    6
    Hello, have you tried The Cleaner (http://www.moosoft.com) and disabling System Restore before scanning in safe mode? http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
    Hope this can help.

  9. #19
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    OK, I tried HouseCall again... no viruses. Yes, I did try "The Cleaner" before. I tried the other things suggested... nothing.

    Here is my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:21:39 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\iz17i3.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\0qqn.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\WINNT\System32\33wh.exe
    C:\WINNT\System32\lxp2zwl.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_10_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
    O4 - HKLM\..\Run: [BMZHRJX] C:\WINNT\BMZHRJX.exe
    O4 - HKLM\..\Run: [BHOUY] C:\WINNT\BHOUY.exe
    O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
    O4 - HKLM\..\Run: [XFPZ] C:\WINNT\XFPZ.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CIPWG] C:\WINNT\CIPWG.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\RunOnce: [Q828026] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt0_x.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16
    O17 - HKLM\System\CS1\Services\Tcpip\..\{6507559C-CE36-4F65-815F-33C0206E4EC8}: NameServer = 199.224.86.15 199.224.86.16


    Is it possible I have a registry problem? I really don't know what I'm talking about anymore.
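
As an added example, not code from the thread, from HijackThis or from any of the posters, here is a small Python triage script that applies by machine the checks the helpers above do by eye: executables running from the Windows directory that are not on a known baseline, counted by instance; hooks and BHOs whose file is gone; Run keys launching an .exe that sits directly in the Windows root; and O16 entries that download a bare executable rather than a .cab. The KNOWN_SYSTEM_EXES baseline and the rules themselves are my assumptions; the sample input is a subset of the log posted above.

```python
"""Triage of a HijackThis (v1.97-era) log: parse the process list and the R/O entries and
flag the items an analyst should research first. Added example; the rules are heuristics
for review, not a verdict, and KNOWN_SYSTEM_EXES is an assumed baseline."""
import re
from collections import Counter

# Subset of the log posted in the thread, used as sample input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\iz17i3.exe
C:\WINNT\System32\lxp2zwl.exe
C:\WINNT\System32\0qqn.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UBMWERJTB] C:\WINNT\UBMWERJTB.exe
O4 - HKLM\..\Run: [HSD] C:\WINNT\HSD.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

# Assumed baseline: core Windows XP executables an analyst accepts in the Windows
# directory without further research. Everything else found there gets a second look.
KNOWN_SYSTEM_EXES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                     "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}

WINDOWS_DIRS = {"winnt", "windows"}
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Captures the launched .exe path of an O4 line, quoted or not, ignoring trailing arguments.
O4_TARGET_RE = re.compile(r'\[[^\]]+\]\s*"?([A-Za-z]:\\[^"]*?\.exe)', re.I)


def parse_hjt(text):
    """Split a log into (process paths, [(section code, entry text)])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False      # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def in_windows_dir(path):
    """True for anything under C:\WINNT or C:\Windows (any depth)."""
    parts = path.split("\\")
    return len(parts) > 2 and parts[1].lower() in WINDOWS_DIRS


def triage(text):
    processes, entries = parse_hjt(text)
    report = {"unknown_system_exes": [], "orphaned": [], "winroot_autoruns": [], "exe_downloads": []}

    # 1. Executables running from the Windows directory that are not on the baseline,
    #    with instance counts (several copies of one unknown binary is itself worth noting).
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes if in_windows_dir(p))
    report["unknown_system_exes"] = sorted((n, c) for n, c in counts.items() if n not in KNOWN_SYSTEM_EXES)

    for code, rest in entries:
        # 2. Hooks/BHOs whose file is gone: leftovers of a removed or half-removed install.
        if "(no file)" in rest or "(file missing)" in rest:
            report["orphaned"].append((code, rest))
        # 3. Run keys launching an .exe that sits directly in the Windows root directory.
        if code == "O4":
            m = O4_TARGET_RE.search(rest)
            if m:
                directory = m.group(1).rsplit("\\", 1)[0]
                parts = directory.split("\\")
                if len(parts) == 2 and parts[1].lower() in WINDOWS_DIRS:
                    report["winroot_autoruns"].append(rest[rest.index("[") + 1:rest.index("]")])
        # 4. ActiveX download entries (O16) that point at a bare executable rather than a .cab.
        if code == "O16":
            url = rest.rsplit(" - ", 1)[-1].strip()
            if url.lower().endswith(".exe"):
                report["exe_downloads"].append(url)
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Note what the script deliberately does not do: it ignores upper/lower-case differences in paths, since the post above explains that is an HJT display quirk, and it never deletes anything. Every hit is a research lead; as the same post says, run the virus and anti-spyware scans first and only then remove entries by hand.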

  10. #20
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    I just looked in my Add/Remove Programs and there are about 20 programs called "Windows XP Hotfix" with a letter/number combo afterwards... every time I try to delete them it makes me restart... are these related?
