TheTechGuide Forum
General Category => Tech Clinic => Topic started by: vantaray on June 22, 2008, 11:32:36 PM
-
My Windows XP has gotten hit by a monster virus of some kind this weekend: In a matter of seconds it wiped out most functions. It won't even shut down apart from using the power switch.
I was finally able to run an Avast boot-time scan in Safe Mode, which identified & deleted several Trojans. But the files keep reproducing:
In the System Configuration Utility, in Startup, I repeatedly uncheck the affected files:
C:\WINDOWS\System32\drivers\svchost.exe
C:\Documents and Settings\user1\svchost.exe
C:\Documents and Settings\user1\Start Menu\Programs\Startup\userint.exe
When I reboot, the box pops up to indicate the unchecked changes were made, but when I open msconfig Startup again, they're all checked again. (I know these appear to be system files, but they never showed up before the computer got infected.)
I've run all my antiVirus programs and Googled for other information, but the problem remains. (Also, System Restore has been wiped clean).
If anyone can shed some light on this it would be greatly appreciated!
HijackThis shows the following:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:27 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.Email Removed.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.Email Removed.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/vantaray/Links
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vtisp.com/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.Email Removed.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Email RemovedBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Email Removed6\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.57/uploader2.cab
O16 - DPF: {9A2C58CF-4A4B-48BF-B3C9-0756F0F2FA9B} (ezDICOMX Control) - file://C:\Program Files\DICOM-X-Ray_Digital_Reader\source\activex\ezDICOMax.inf
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
--
End of file - 4879 bytes
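As an added illustration (not part of this thread or of HijackThis itself), a small Python triage script that applies the checks a helper would run over a log like the one above: a second program appended to the UserInit value, core Windows process names stored outside system32, and BHO/SSODL hooks whose DLL is missing. The sample entries are constructed from the log above; the HKCU Run line for the profile-root svchost.exe is hypothetical, modelled on the msconfig entry the poster describes.

```python
"""Triage HijackThis entries for the persistence patterns in the post above: a UserInit
value with a second program appended, core process names stored outside system32,
and browser hooks whose DLL is gone ("file missing")."""
import re

# Process names malware likes to borrow; the genuine copies live in %WINDIR%\system32.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "userinit.exe"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # the only value UserInit should hold
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"()\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample modelled on the log quoted above; the HKCU line is hypothetical.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user1\svchost.exe
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

def check_userinit(line):
    """For an F2 UserInit line, return every entry other than the real userinit.exe."""
    m = re.search(r"UserInit=(.*)", line, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e != EXPECTED_USERINIT]

def misplaced_core_binaries(line):
    """Return paths that carry a core process name but do not sit in the system32 folder."""
    hits = []
    for path in PATH_RE.findall(line):
        folder, _, name = path.lower().rpartition("\\")
        if name in CORE_NAMES and not folder.endswith(r"\windows\system32"):
            hits.append(path)
    return hits

def triage(log_text):
    """Return (reason, line) pairs for every suspicious entry in the log."""
    findings = []
    for line in log_text.splitlines():
        for extra in check_userinit(line):
            findings.append(("UserInit also launches " + extra, line))
        for path in misplaced_core_binaries(line):
            findings.append(("core process name outside system32: " + path, line))
        if line.startswith(("O2 -", "O21 -")) and "(file missing)" in line:
            findings.append(("hook points at a missing DLL", line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields six findings: the appended services.exe (flagged twice, once per rule), the two services.exe/svchost.exe copies outside system32, and the two sockins32.dll hooks.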
-
I only have limited time on the Internet, as I'm on holidays.
But can you do the following for me please:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save this to your desktop
Reboot your computer in Safe Mode by doing the following:
- Restart your computer;
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In Safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder - Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
I'll need to see that log later
Back in Windows
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Don't run it yet
Physically disconnect the internet cable connection to your computer
Temporarily disable your AntiVirus>Firewall>>Or any Spyware protection software you have running so it won't interfere with the following
Double click on ComboFix.exe to run the program
Follow the prompts
Normally this fix takes anywhere from 10 to 30 minutes
After reboot
ComboFix will run again, then continue to create a log; this can take a few minutes
Let it run uninterrupted please
I'll need to see this log later
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
By default, the combofix log is located at this location:
C:\combofix.txt
Reconnect Internet cable
Post the log from ComboFix
Post the report from SDFix
and a fresh hijackthis log
NOTE: your last Hijackthis log you posted was way too spaced out
To eliminate the spaces in the above 3 logs, before you copy the logs,
Click on FORMAT and UNCheck Word Wrap