

Messages - Misty

1. Tech Clinic / Worms Win32.Alcan.D, Win32.Alcan.F, Trojans & more! :(
« on: January 10, 2006, 03:09:02 AM »
Hi and thanks! :D You make this all seem so much easier than the days of hell I just went through. :)

I can run Task Manager again! :D Boy, was my system ever hijacked! :P

Ewido and that P2P script together found some really nasty stuff! :ph34r:

Here are the logs you requested:  I hope they look cleaner but I still have some doubts about a couple of files!  

Logfile of HijackThis v1.99.1
Scan saved at 2:41:08 AM, on 1/10/2006
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CNTX\VPCSRVC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\VPCMap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\CNTX\VPCUSrvc.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VPCUserServices] C:\WINNT\CNTX\VPCUSrvc.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136184893562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Virtual PC Services Application (1-vpcsrvc) - Connectix - C:\WINNT\CNTX\VPCSRVC.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Virtual PC Shared Folder Mapper (VPCMap) - Connectix - C:\WINNT\System32\VPCMap.exe

Ewido's file:


 ewido anti-malware - Scan report

 + Created on:         12:54:54 AM, 1/10/2006
 + Report-Checksum:      85212752

 + Scan result:

   HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   C:\WINNT\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINNT\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINNT\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINNT\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINNT\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
   C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup


 ::Report End

~~~

I followed your careful instructions, and no more trojans! The P2P script blasted xz.exe. Plus Ewido found spyware. :)

Several suspicious folders remain: the earlier-mentioned folder under C:\WINNT\system32\ called apptmgmt, with a folder in it called S-1-5-21-52315564-243925014-1286765776-500. Two folders remain that were there prior to the scans and running Ewido, etc. (before we began repairing my system, it replicated itself when I tried to manually delete it): C:\FOUND.000 and C:\FOUND.001, which claim to contain "file fragments." However, no mention was made of them in the scans as far as their being infected. Can I just get rid of them, including their registry entries? Also, can I delete that "Radio" key coming up in HijackThis (O3)? Is it spyware related?

Ewido is great.  It says my RealTime Protection is inactive; can I activate it safely?  

Thanks again! :)

2. Tech Clinic / Worms Win32.Alcan.D, Win32.Alcan.F, Trojans & more! :(
« on: January 09, 2006, 04:45:52 AM »
Help! I am normally a Mac user. I have Virtual PC running Windows 2000 Professional on my Mac, and I downloaded some zip files and stupidly opened them, and now I am infected. I began noticing pop-ups, and my computer slowed down, so I began to try to sort through it.

Anyway I am so glad you guys are here! I did some reading on this forum, and I hope I've done a few things right to prepare.

I did an online virus scan with the eTrust Antivirus Web Scanner http://www3.ca.com/securityadvisor/virusinfo/scan.aspx (I tried Kaspersky but it took too long: 12 hrs and it was only 72% done!) and it said I had Worm Win32.Alcan.F and Worm Win32.Alcan.D. It talks about them here http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=43266 and here: http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=47335 It also said I had a third Backdoor IRC Trojan; I forgot the name of it. But although it would find the files, it wouldn't delete them! I forced it to delete some of them, then I manually went in and removed the others, and tried to remove some registry entries; evidently not enough, because upon reboot it was all still there.

At least some of the infected files are in two invisible folders: C:\Program Files\winupdates (contains three or four infected files: a.tmp, a.zip, which contains a movie.exe inside it, and winupdates.exe), and this one is also invisible and all files infected: C:\Program Files\MsUpdates\ (contains three or four more infected files: a.tmp, a.zip and MSUpdate.exe; the a.zip file has a movie.exe file inside of it, as I found when I moved it to the Mac desktop), and C:\xz.exe. Those were from the eTrust online scan. I may have more; I am unsure, as the online scan seemed faulty. I pulled the a.tmp file over to my Mac desktop and it opens as a "text" file (not really; it looks more like a script of some sort) and makes reference to MSVBVM60.DLL. Other DLLs it references are kernel32.dll, advapi32.dll, bszip.dll, wininet.dll, VBA6.DLL, and there is a reference to a well-known website, imdb.com, and a command about msupdate.azip.

I went into C:\WINNT\system32\ and deleted the following which the worm had created itself -- and now they are back again. I only knew they were bad by reading about them at this link; apparently they hijack my system.  

%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com

But when I rebooted, everything came back!  I looked at the Properties of the above files and all of them are set to execute c:\system root\system32\AUTOEXEC.NT and c:\system root\system32\CONFIG.NT.

There is a suspicious looking folder (key date: Jan 6 2006) under C:\WINNT\system32\ called apptmgmt with a very suspicious-looking folder in it called S-1-5-21-52315564-243925014-1286765776-500

I had a dialer I think I got rid of, Bullseye Network, but I'm not sure. I doubt it! At one point I had a file called MC-110-12-000014.EXE and I manually deleted it but don't think I got rid of all the references. Then I have a persistent file called xz.exe that keeps showing up on reboot even though I deleted it and related files.

Also, it has definitely hijacked my Task Manager. I cannot get to it, meaning I get a message when I attempt to run it from the Start/Run menu that "Another program is currently using this file." And when I attempt online virus scans, it quits Internet Explorer on me. I also am suspicious because I have three different Task Manager files! I have C:\WINNT\TASKMAN.EXE 35 KB, C:\WINNT\system32\taskman.exe 35 KB and C:\WINNT\system32\TASKMGR.EXE 86 KB.

Kaspersky's partial scan didn't like my svchost.exe file, but I thought that it was supposed to be there in Windows 2000 in the system32 folder; what I am confused about is that from the HijackThis log it looks like there may be two of them running. I am also suspicious because my system32 folder was "hidden" from me and I don't know when that happened. There is both a "System32" and a "system32" folder listed in the HijackThis log, but I can only see the system32 folder (lowercase) when I enable seeing system folders.

I read a bit around here, and I have Ewido's Security/Malware Suite ready to install in case you ask me to; I will go ahead and download it and wait to hear from you for further instructions before installing. The HijackThis log below is from before I downloaded Ewido. I also have Windows Cleanup 4.0 but haven't run it yet (some of my games use Download folders as a default); I also downloaded pzpnetwork.zip and BFU.zip, unzipped them and put their contents in a folder called BFU, in case you ask me to have them. But I'm not going to do anything, as I've been reading more and you give very custom answers to each problem. I got some ideas from this thread even though it isn't mine; it seemed to have some good places to start!

Connectix is the name of the company that made Virtual PC, so I believe/hope those log entries (the ones specific to Connectix) are okay.

I have been fighting this for a few days. Any help would be appreciated! I am worn out. I am very afraid it has been logging my passwords, etc. and sending them to unknown websites. :unsure: Thanks in advance!


Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:55 AM, on 1/9/2006
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CNTX\VPCSRVC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\VPCMap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\CNTX\VPCUSrvc.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MsUpdate\MsUpdate.exe
C:\WINNT\System32\scvhost.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VPCUserServices] C:\WINNT\CNTX\VPCUSrvc.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MsUpdate] C:\Program Files\MsUpdate\MsUpdate.exe /auto
O4 - HKLM\..\Run: [ms-update] scvhost.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136184893562
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Virtual PC Services Application (1-vpcsrvc) - Connectix - C:\WINNT\CNTX\VPCSRVC.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Virtual PC Shared Folder Mapper (VPCMap) - Connectix - C:\WINNT\System32\VPCMap.exe
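The infected log above shows three things a responder should recognise on sight: a process whose name is one transposition away from a real system binary (scvhost.exe next to svchost.exe), Run and RunServices autostart entries pointing at "update"-themed executables outside the Windows directory, and (from the post's own list) .COM files in System32 named after .EXE console tools. The Python script below is an added example, not code from the original post, from HijackThis or from Ewido: it parses HijackThis-style "Running processes" and O4 lines and a System32 listing and flags those patterns. The allow-lists, the 0.85 similarity threshold and the heuristics are this example's own assumptions, and the sample input is constructed from lines quoted in the post.

```python
"""Triage a HijackThis-style log and a System32 listing for the tricks in the
post above: a near-miss of a system process name (scvhost.exe), Run and
RunServices persistence, and .COM files that shadow .EXE console tools.
Added example; not code from the original post, HijackThis or Ewido. The
allow-lists and heuristics below are this example's own assumptions."""
import re
from difflib import SequenceMatcher

# Core Windows 2000 processes (assumption: a short allow-list is enough for
# the lookalike check; extend it for real use).
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "winmgmt.exe", "explorer.exe",
    "mspmspsv.exe", "dmadmin.exe",
}
# Console tools that ship only as .exe. Default PATHEXT is .COM;.EXE;... so
# a same-named .com on the PATH runs whenever the bare tool name is typed.
EXE_ONLY_TOOLS = {"cmd", "netstat", "ping", "regedit", "taskkill", "tasklist",
                  "tracert", "taskmgr", "ipconfig", "nslookup"}
SYSTEM_ROOT = "c:\\winnt\\"  # %SystemRoot% on the box in the post, lowercased

O4_RE = re.compile(r"^O4 - \S+?\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+.*)?$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lookalike(name, threshold=0.85):
    """Known process name that `name` nearly, but not exactly, matches; else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_PROCESSES:
        return None
    best = max(KNOWN_SYSTEM_PROCESSES, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def triage_log(text):
    """Map image basename -> set of reasons, over process lines and O4 entries."""
    findings = {}

    def flag(image, reason):
        findings.setdefault(basename(image), set()).add(reason)

    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):  # a "Running processes" entry
            image, key = line, None
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            key = m.group("key").lower()
            im = IMAGE_RE.match(m.group("cmd").strip())
            image = im.group("image") if im else m.group("cmd").strip()
        twin = lookalike(basename(image))
        if twin:
            flag(image, f"lookalike of {twin}")
        if key == "runservices":
            flag(image, "RunServices key (Win9x-era; rarely used by legitimate NT software)")
        if key and "\\" not in image:
            flag(image, "unqualified path, resolved via PATH search")
        if key and "update" in image.lower() and not image.lower().startswith(SYSTEM_ROOT):
            flag(image, "update-themed name outside %SystemRoot%")
    return findings


def com_shadows(listing):
    """.com files whose stem is an .exe-only tool, i.e. PATHEXT shadows."""
    names = {n.lower() for n in listing}
    return sorted(n for n in names if n.endswith(".com") and n[:-4] in EXE_ONLY_TOOLS)


# Constructed sample: lines quoted from the infected log in the post above.
SAMPLE_LOG = """\
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\CNTX\\VPCUSrvc.exe
C:\\Program Files\\winupdates\\winupdates.exe
C:\\WINNT\\System32\\scvhost.exe
C:\\HJT\\HijackThis.exe

O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [VPCUserServices] C:\\WINNT\\CNTX\\VPCUSrvc.exe
O4 - HKLM\\..\\Run: [winupdates] C:\\Program Files\\winupdates\\winupdates.exe /auto
O4 - HKLM\\..\\Run: [MsUpdate] C:\\Program Files\\MsUpdate\\MsUpdate.exe /auto
O4 - HKLM\\..\\Run: [ms-update] scvhost.exe
O4 - HKLM\\..\\RunServices: [ms-update] scvhost.exe
"""
# Constructed System32 listing: the .com files named in the post plus two
# legitimate Windows .com programs and two real .exe tools.
SAMPLE_SYSTEM32 = ["cmd.com", "netstat.com", "ping.com", "regedit.com", "taskkill.com",
                   "tasklist.com", "tracert.com", "more.com", "tree.com", "cmd.exe", "ping.exe"]

if __name__ == "__main__":
    for image, reasons in sorted(triage_log(SAMPLE_LOG).items()):
        print(image, "->", "; ".join(sorted(reasons)))
    print("PATHEXT shadows:", com_shadows(SAMPLE_SYSTEM32))
```

Two notes on the design. The lookalike check deliberately flags only near-misses: an exact svchost.exe (even two of them, which is normal on Windows 2000) is left alone, while scvhost.exe scores about 0.91 against it. The .com check rests on the default PATHEXT order, .COM before .EXE: with a regedit.com sitting in System32, typing regedit at a prompt or in Start/Run resolves to the .com, so the real tool is unreachable by name until the shadows are gone, and the flagged mobsync.exe entry is legitimate Windows but is listed because a bare filename in a Run key is exactly what such a shadow would hijack.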
