H! E! L! P!

I have a … something… that keeps sending emails from my PC (as advised by the outgoing message scan from Avast). I’ve run MULTIPLE spyware/trojan/etc. utilities, finding NOTHING (that I haven’t fixed). It still keeps sending emails (unless I shut down my network connection). I’ve also killed just about every running process hoping to find the process doing this.

I have HijackThis (if it helps). OK, now that I have tried every conceivable thing I can think of…PLEASE HELP!!!

(I sure hope spelling is OPTIONAL on this board :slight_smile:

Go ahead and post a log, but don’t fix anything yet.

It always has been for me. Well, correct spelling, anyway :slight_smile:

BTW, what utilities have you already tried? And what operating system?

We will need more information to be able to help you:

  • What avast! version and VPS file (virus database) number?
  • What was the filename and path where the virus was found?
  • Which actions have you taken to try solving the problem?
  • Do you use a firewall? Which one?
  • Do you have any other antivirus installed in your system?
  • Any other security programs that could interfere?

OK, Info blast coming…

Running Windows XP SP2

I have run…

Avast 4.7 Home
AdAware
Spybot S&D
Spyware Dr. (Didn’t clean anything WITH this, but did find a few things)
a-squared
TrendMicro House call (online scan)

I update the databases prior to each run. I now get pretty much clean scans with every one of these (except for minor things like a few cookies, which I clean EVERY time…). I’ve also turned off Recovery so the stuff found in there is now clean too. I’ve even killed processes to try and catch the process sending the emails, with no success. I’m getting tired of the hours it takes to keep scanning, just to find nothing. :expressionless:

Anyway, here is the log from HJT:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:36:05 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\HiJackThis\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

By the way, if you got any unsolicited spam today,… sorry. :slight_smile:

Btw, here is the original avast log when this thing started showing up…

5/25/2007 3:53:03 AM user 3420 Sign of “Win32:Spyware-gen. [Trj]” has been found in “C:\System Volume Information\_restore{7E60783E-118B-456F-AB3F-AAE256EC9760}\RP383\A0079272.exe” file.
5/24/2007 9:24:09 PM SYSTEM 1676 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\user\LOCALS~1\Temp\ykopgufb.dll” file.
5/24/2007 8:24:50 PM SYSTEM 1696 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\user\LOCALS~1\Temp\blkyivrl.dll” file.
5/24/2007 8:16:40 PM SYSTEM 1696 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
5/24/2007 8:16:35 PM SYSTEM 1696 Sign of “Win32:Agent-ECD [Trj]” has been found in “http://l.mezzicodec.net/a412/tr.php?m=0&b=779[PECompact]” file.
5/24/2007 8:16:19 PM SYSTEM 1696 Sign of “Win32:Agent-FDG [Trj]” has been found in “http://l.mezzicodec.net/a412/sv.php?m=0&b=779” file.
5/24/2007 8:15:56 PM SYSTEM 1696 Sign of “Win32:Alphabet [Trj]” has been found in “http://l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
5/24/2007 7:52:29 AM user 3884 Sign of “Win32:Spyware-gen. [Trj]” has been found in “C:\Archives\zrnb.exe” file.
5/24/2007 7:11:12 AM SYSTEM 2012 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\b122.exe” file.
5/24/2007 7:10:54 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\tcjlicw.exe[UPX]” file.
5/24/2007 7:10:53 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm[UPX]” file.
5/24/2007 7:10:50 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\tcjlicw.exe[UPX]” file.
5/24/2007 7:10:46 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GMBPQ8R9\rsctda[1].htm[UPX]” file.
5/24/2007 7:10:37 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\tcjlicw.exe[UPX]” file.
5/24/2007 7:10:34 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm[UPX]” file.
5/24/2007 7:10:30 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\tcjlicw.exe[UPX]” file.
5/24/2007 7:10:20 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GMBPQ8R9\rsctda[1].htm[UPX]” file.
5/24/2007 7:10:17 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\tcjlicw.exe[UPX]” file.
5/24/2007 7:10:10 AM SYSTEM 2012 Sign of “Win32:Agent-GSA [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm[UPX]” file.
5/24/2007 7:10:05 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\tbsrqet.exe” file.
5/24/2007 7:09:55 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm” file.
5/24/2007 7:09:52 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\tbsrqet.exe” file.
5/24/2007 7:09:44 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L0FIYQG0\spvogojr[1].htm” file.
5/24/2007 7:09:41 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\tbsrqet.exe” file.
5/24/2007 7:09:38 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm” file.
5/24/2007 7:09:33 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\tbsrqet.exe” file.
5/24/2007 7:09:30 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L0FIYQG0\spvogojr[1].htm” file.
5/24/2007 7:08:56 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\tbsrqet.exe” file.
5/24/2007 7:08:53 AM SYSTEM 2012 Sign of “Win32:Small-ECR [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm” file.
5/24/2007 7:08:50 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\ecri.exe” file.
5/24/2007 7:08:48 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T9KZVWIQ\mjaibj[1].htm” file.
5/24/2007 7:08:46 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\ecri.exe” file.
5/24/2007 7:08:43 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\mjaibj[1].htm” file.
5/24/2007 7:08:40 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\ecri.exe” file.
5/24/2007 7:08:38 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T9KZVWIQ\mjaibj[1].htm” file.
5/24/2007 7:08:35 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\ecri.exe” file.
5/24/2007 7:08:32 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\mjaibj[1].htm” file.
5/24/2007 7:08:29 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\ecri.exe” file.
5/24/2007 7:08:27 AM SYSTEM 2012 Sign of “Win32:Small-EKD [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8HUM3PG9\mjaibj[1].htm” file.
5/24/2007 7:08:06 AM SYSTEM 2012 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
5/24/2007 7:08:01 AM SYSTEM 2012 Sign of “Win32:Agent-ECD [Trj]” has been found in “http://l.mezzicodec.net/a412/tr.php?m=0&b=779[PECompact]” file.
5/24/2007 7:07:56 AM SYSTEM 2012 Sign of “Win32:Agent-FDG [Trj]” has been found in “http://l.mezzicodec.net/a412/sv.php?m=0&b=779” file.
5/24/2007 7:07:32 AM SYSTEM 2012 Sign of “Win32:Alphabet [Trj]” has been found in “http://l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
5/4/2007 6:27:30 AM SYSTEM 136 An error has occured while attempting to update. Please check the logs.
5/4/2007 6:27:28 AM SYSTEM 136 Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005.
3/11/2007 5:24:39 AM SYSTEM 784 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://ftp.osuosl.org/pub/opensuse/distribution/10.2/iso/dvd/openSUSE-10.2-GM-LiveDVD.iso (C:\WINDOWS\TEMP\_avast4_\unp67567245.tmp) returning error, 00000084.
3/10/2007 7:45:28 AM SYSTEM 1896 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://covet.cs.utah.edu/pub/opensuse/distribution/10.2/iso/dvd/openSUSE-10.2-GM-DVD-i386.iso (C:\WINDOWS\TEMP\_avast4_\unp49774713.tmp) returning error, 0000001E.
1/14/2007 10:55:34 AM SYSTEM 2040 Sign of “Win32:Adan-055 [Adw]” has been found in “http://launch.gamespyarcade.com/software/launch/alaunch.cab\gsda.dll” file.
12/25/2006 8:28:43 AM user 2124 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Archives\ProShow.Gold.v2.5.1614.WinAll.Incl.Keygenerator-TMG.ZIP\crack-inf.exe” file.
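The avast log above is long but very regular, and it can be triaged mechanically instead of by eye. The following is an added example, not code from this thread or from avast: a small Python parser for lines in that log format. The sample lines embedded in it are copied from the log above (plus one update-error line to show that non-detections are skipped); the location categories and the "repeated hit on the same path" heuristic are my own choices. A path that is detected again and again within seconds, such as the drive-root executables at 7:10 AM, is a sign that something still running keeps re-creating it, which is exactly the symptom in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the avast 4 log format quoted in the post above (lines copied
# from it; the update-error line is included to show that non-detections are skipped).
SAMPLE_LOG = r'''
5/25/2007 3:53:03 AM user 3420 Sign of "Win32:Spyware-gen. [Trj]" has been found in "C:\System Volume Information\_restore{7E60783E-118B-456F-AB3F-AAE256EC9760}\RP383\A0079272.exe" file.
5/24/2007 9:24:09 PM SYSTEM 1676 Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\user\LOCALS~1\Temp\ykopgufb.dll" file.
5/24/2007 8:16:35 PM SYSTEM 1696 Sign of "Win32:Agent-ECD [Trj]" has been found in "http://l.mezzicodec.net/a412/tr.php?m=0&b=779[PECompact]" file.
5/24/2007 7:10:54 AM SYSTEM 2012 Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe[UPX]" file.
5/24/2007 7:10:53 AM SYSTEM 2012 Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm[UPX]" file.
5/24/2007 7:10:50 AM SYSTEM 2012 Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe[UPX]" file.
5/4/2007 6:27:30 AM SYSTEM 136 An error has occurred while attempting to update. Please check the logs.
'''

# One detection line: date, time, account, PID, signature name, path. Both straight
# and curly quotes are accepted because forum software rewrites them.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)


def classify(path):
    """Bucket a detected path by where on the machine it was found (my own categories)."""
    p = path.lower()
    if p.startswith(("http://", "https://")):
        return "remote download"          # caught by the web shield while being fetched
    if "\\system volume information\\" in p:
        return "restore point"            # old copy; harmless once System Restore is purged
    if "\\content.ie5\\" in p:
        return "IE cache"                 # the browser cache copy of a drive-by payload
    if "\\temp\\" in p:
        return "temp"
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "drive root"               # a loose executable in C:\ is rarely legitimate
    return "other"


def parse_log(text):
    """Turn avast log text into a list of detection events; non-detection lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_path = m["path"]
        packer = re.search(r"\[([A-Za-z]+)\]$", raw_path)   # trailing [UPX] / [PECompact] marker
        path = raw_path[: packer.start()] if packer else raw_path
        fam = re.match(r"^(.+?)\s*[\[{](\w+)[\]}]$", m["sig"])  # "Win32:Agent-GSA [Trj]"
        events.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),
            "account": m["account"],
            "family": fam.group(1) if fam else m["sig"],
            "kind": fam.group(2) if fam else "",
            "path": path,
            "packer": packer.group(1) if packer else None,
            "location": classify(path),
        })
    return events


def summarize(events):
    """Counts by location and family, plus the paths that were detected more than once."""
    hits_per_path = Counter(e["path"] for e in events)
    return {
        "by_location": Counter(e["location"] for e in events),
        "by_family": Counter(e["family"] for e in events),
        # The same file re-detected means something still running keeps re-creating it.
        "repeats": {p: n for p, n in hits_per_path.items() if n > 1},
        "first_seen": min(e["when"] for e in events) if events else None,
        "droppers": sorted({e["path"] for e in events if e["location"] == "drive root"}),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against the full log text pasted above and the "repeats" and "droppers" entries are the files to hunt for on disk; "restore point" and "IE cache" hits are leftovers that disappear once System Restore is purged and the browser cache is cleared, and do not by themselves mean the machine is still infected.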

Hi daronmiller,

Nothing obvious in the log. Try a scan for rootkits (hidden malware):

http://www.pandasoftware.com/products/antirootkit/

Also try AVG Anti-Spyware (Ewido):

http://www.ewido.net/en/

(For spelling I recommend the in-line spell checker with Firefox.)

OK, I’m on it. :slight_smile:

I’m not entirely sure about that beta of HijackThis. The log is very short.

After checking for rootkits, try Deckard’s System Scanner. It will give us a HJT v1.99.1 log plus a little more to work with.

Download Deckard’s System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard’s System Scanner to run and don’t let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next replies - you will need to use multiple posts to fit everything.

You should also get a firewall installed. Here’s a link to Comodo

http://www.filehippo.com/download_comodo/

Zone Alarm and PC Tools Firewall are also good.

Would agree that the length of the log is suspiciously small. Beta means work in progress; I would recommend sticking with 1.99 for the moment. Definitely trojans on there, possibly the new Virtumondo, but not sure yet; see what DSS says.

OK, AVG Found a trojan (trojan.dialer.qn) and cleaned it. I’m running the rootkit scan now. I also ran Avast boot scan, and according to the logs and chest, it found nothing.

The HJT log might be small because I cleaned out a bunch of stuff with it that I felt was safe to remove when I began using it. I HAD run the VundoFix thing when this all started, and it cleaned 8 files, but the email stuff was still going on. So far THIS reboot (since AVG), I’m not seeing any outbound emails. If I get this licked I’m probably going to re-run ALL the scans to validate nothing else is found. Then, I want to find a programmer that works in virus and trojan software and, ummmmm,…THANK him for all the time I’ve had to waste scanning and cleaning. I also need to find out if it’s illegal in Texas to place a head-on-a-pole in front of your house (in case I FIND that programmer :))

I will try the DSS thing in a bit, but…should I replace the Windows Firewall with Comodo? I do have the firewall turned on with no exceptions, but if Comodo is better I’ll install it.

The Windows Firewall provides no outbound protection so, once you’re infected, email, personal data, or whatever can be sent out with no notification at all. Comodo will control this.

Also, please post the VundoFix log when you can, as well as DSS.
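The outbound-firewall point above has a cheaper companion check that uses tools already on the machine: `netstat -ano` lists every TCP connection together with the owning process ID, and `tasklist` maps process IDs to image names, so the process that is pushing mail out can be named directly instead of guessed at by killing processes one at a time. The following is an added example, not code from this thread: it parses the output of both commands and reports every process with connections to the SMTP ports. The command output embedded in it is constructed for the example rather than captured from the poster's machine, and the process names `wuamgrd.exe` and `mailclient.exe` are hypothetical.

```python
import re
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}   # SMTP, SMTP over TLS, mail submission

# Constructed sample of `netstat -ano` output on Windows XP (documentation IP ranges,
# hypothetical PIDs). One process is talking to three different mail servers at once.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1054      198.51.100.7:25        ESTABLISHED     1832
  TCP    192.168.1.10:1055      198.51.100.23:25       SYN_SENT        1832
  TCP    192.168.1.10:1056      203.0.113.40:25        ESTABLISHED     1832
  TCP    192.168.1.10:1049      203.0.113.9:80         ESTABLISHED     2456
  TCP    192.168.1.10:1060      192.0.2.10:587         ESTABLISHED     2980
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output; the image names are hypothetical.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
explorer.exe                1528 Console                 0     21,404 K
wuamgrd.exe                 1832 Console                 0      3,188 K
iexplore.exe                2456 Console                 0     38,112 K
mailclient.exe              2980 Console                 0     12,960 K
"""

# UDP rows have no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
TASKLIST_RE = re.compile(
    r"^(?P<image>\S.*?\S)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$"
)


def parse_netstat(text):
    """Rows of `netstat -ano` as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, port = m["remote"].rpartition(":")   # IPv4 only; "*:*" yields no port
        rows.append({
            "proto": m["proto"], "local": m["local"], "remote_host": host,
            "remote_port": int(port) if port.isdigit() else None,
            "state": m["state"] or "", "pid": int(m["pid"]),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    return {int(m["pid"]): m["image"]
            for m in (TASKLIST_RE.match(l) for l in text.splitlines()) if m}


def find_mailers(netstat_text, tasklist_text):
    """Per PID with SMTP-port connections: image name, distinct servers, half-open count."""
    images = parse_tasklist(tasklist_text)
    by_pid = defaultdict(lambda: {"image": "<unknown>", "hosts": set(),
                                  "connections": 0, "syn_sent": 0})
    for r in parse_netstat(netstat_text):
        if r["proto"] != "TCP" or r["remote_port"] not in MAIL_PORTS:
            continue
        rec = by_pid[r["pid"]]
        rec["image"] = images.get(r["pid"], "<unknown>")
        rec["hosts"].add(r["remote_host"])
        rec["connections"] += 1
        if r["state"] == "SYN_SENT":       # connection attempt not yet answered
            rec["syn_sent"] += 1
    return dict(by_pid)


def is_suspicious(rec):
    """A mail client talks to its one configured server; fanning out to many
    SMTP servers from one process is the spambot pattern (threshold is my choice)."""
    return len(rec["hosts"]) >= 3


if __name__ == "__main__":
    for pid, rec in find_mailers(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        flag = "SUSPICIOUS" if is_suspicious(rec) else "ok"
        print(f"{pid:>6} {rec['image']:<16} servers={len(rec['hosts'])} "
              f"half-open={rec['syn_sent']} {flag}")
```

Two caveats when using this on a real box. `tasklist` ships with XP Professional but not XP Home; there the PID column in Task Manager (View, Select Columns) gives the same mapping. More importantly, the PID only names the host process: Vundo-style infections run as a DLL loaded into a legitimate process such as explorer.exe or winlogon.exe, so a familiar image name does not clear the machine. If the mailing PID belongs to a system process, `tasklist /m` lists the modules loaded in it, and an unsigned DLL with a random name in system32 is the next thing to look at.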

OK, I should have KNOWN better than to say it was fixed… :frowning:

Anyway, here is the dump from DSS (Part 1):

Deckard’s System Scanner v20070426.43
Run by user on 2007-05-26 at 10:35:15
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

– Last 1 Restore Point(s) –
1: 2007-05-26 15:35:19 UTC - RP1 - System Checkpoint

Performed disk cleanup.

– HijackThis (run as user.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:38:08 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\user.exe

…Part 2

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
S3 RivaTuner32 - c:\program files\rivatuner v2.0 final release\rivatuner32.sys

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 WMPNetworkSvc (Windows Media Player Network Sharing Service) - “c:\program files\windows media player\wmpnetwk.exe” (file missing)
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - “c:\program files\winpcap\rpcapd.exe” -d -f “c:\program files\winpcap\rpcapd.ini” <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S4 Imapi Helper - “c:\program files\alex feinman\iso recorder\imapihelper.exe” <Not Verified; Alex Feinman; ISO Recorder>

– Scheduled Tasks -------------------------------------------------------------

2007-05-25 17:15:00 388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-03-21 06:58:54 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

…Part 3

– Files created between 2007-04-26 and 2007-05-26 -----------------------------

2007-05-26 10:00:25 8704 --a------ C:\WINDOWS\system32\drivers\amathsifvidv.sys
2007-05-25 20:16:02 0 d–h----- C:\Documents and Settings\Administrator\Templates
2007-05-25 20:16:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-25 20:16:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-25 20:16:02 0 d–h----- C:\Documents and Settings\Administrator\Recent
2007-05-25 20:16:02 0 d–h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-25 20:16:02 229376 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-25 20:16:02 0 d–h----- C:\Documents and Settings\Administrator\NetHood
2007-05-25 20:16:02 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-25 20:16:02 0 dr-h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-25 20:16:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-25 20:16:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-25 20:16:02 0 d—s---- C:\Documents and Settings\Administrator\Cookies
2007-05-25 20:16:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-25 20:16:02 0 d—s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-25 18:02:51 0 d-------- C:\HiJackThis
2007-05-25 15:42:13 0 d-------- C:\Program Files\a-squared Free
2007-05-24 21:23:25 0 d-------- C:\VundoFix Backups
2007-05-24 21:09:45 0 d-------- C:\Program Files\Spyware Doctor
2007-05-24 21:09:45 0 d-------- C:\Documents and Settings\user\Application Data\PC Tools
2007-05-24 20:21:57 209526 --a------ C:\WINDOWS\system32\vrsyeutj.exe
2007-05-24 07:10:58 2 --a------ C:\752151790
2007-05-24 07:08:10 1536 --a------ C:\xxxcwainda.exe
2007-05-15 18:56:59 0 d-------- C:\MoTeC
2007-05-15 18:56:57 0 d-------- C:\Program Files\MoTeC
2007-04-27 16:21:03 0 d-------- C:\Program Files\GTR2

– Find3M Report ---------------------------------------------------------------

2007-05-26 07:29:27 0 d-------- C:\Program Files\WhatsRunning
2007-05-25 21:16:02 0 d-------- C:\Documents and Settings\user\Application Data\wsInspector
2007-05-25 17:34:53 0 d-------- C:\Documents and Settings\user\Application Data\VMware
2007-05-24 19:26:54 0 d-------- C:\Documents and Settings\user\Application Data\Simple Sudoku
2007-05-10 20:03:36 0 d-------- C:\Program Files\Simple Sudoku
2007-04-02 18:11:35 0 d-------- C:\Program Files\EA SPORTS
2007-04-01 22:11:41 0 d–h----- C:\Program Files\InstallShield Installation Information
2007-03-31 16:18:05 0 d-------- C:\Program Files\Common Files\Logitech
2007-03-31 16:17:57 0 d-------- C:\Program Files\Logitech

– Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“!AVG Anti-Spyware”=“"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,
6d,73,73,74,79,6c,65,73,00
“InstallTheme”=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{A00ED310-6EE3-4764-883D-F0B833AEC645}”=“”
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5”

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“Auto EPSON Stylus C84 Series on VALUED-ECECF7F4”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P47 "Auto EPSON Stylus C84 Series on VALUED-ECECF7F4" /O26 "\\VALUED-ECECF7F4\Printer4" /M "Stylus C84"”
“EPSON Stylus C84 Series”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"”
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“RemoteControl”=“"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

newlycreated - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RPCLOCATOR

– End of Deckard’s System Scanner: finished at 2007-05-26 at 10:38:48 ---------

And here is the VundoFix scan report…

VundoFix V6.4.1

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 9:23:25 PM 5/24/2007

Listing files found while scanning…

VundoFix V6.4.1

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:31:18 PM 5/24/2007

Listing files found while scanning…

c:\windows\fonts\apdb.dll
C:\WINDOWS\system32\gwrhjgcf.dll
C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qknxywlt.ini
C:\WINDOWS\system32\tlwyxnkq.dll

Beginning removal…

Attempting to delete c:\windows\fonts\apdb.dll
c:\windows\fonts\apdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gwrhjgcf.dll
C:\WINDOWS\system32\gwrhjgcf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\khfgdef.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\knnmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qknxywlt.ini
C:\WINDOWS\system32\qknxywlt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tlwyxnkq.dll
C:\WINDOWS\system32\tlwyxnkq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal…

Attempting to delete C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\khfgdef.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:49:30 PM 5/24/2007

Listing files found while scanning…

No infected files were found.

VundoFix V6.4.1

Checking Java version…

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 8:28:06 PM 5/25/2007

Listing files found while scanning…

No infected files were found.

Ok, I’m going to go and buy an abacus. Do they make games for those? :slight_smile:

I have been using the beta 2.0 version and even though my system is fairly buttoned down, my log file is larger, it is almost like 1.99 being run from safe mode. If anything the beta lists more things than 1.99.1 does.

So was this beta version of HJT 2.0 run from safe mode?

No, I just ran it within “normal” windows. I have to reboot now to install the comodo firewall. I’ll be back.

Upload these files to Virus Total for analysis and post the results if anything is found:

C:\WINDOWS\system32\drivers\amathsifvidv
C:\WINDOWS\system32\vrsyeutj.exe
C:\752151790
C:\xxxcwainda.exe

The xxxcwainda.exe is infected. I added the “xxx” to try and hide it, BUT, more importantly, I can’t connect to that site (VirusTotal). HELP!