#1
Diamond Member
Join Date: Aug 2004
Location: New York
Age: 18
Posts: 1,383
My friend has Norton AntiVirus and contracted a trojan called something like installer.trojan, at least that's what he thinks it is. He contracted a lot of other viruses as well from the installer. Here is a logfile; it will take two posts. He could not run the suggested programs (Ad-Aware, HouseCall, Spybot, etc.) due to a very lagged internet connection.
Logfile of HijackThis v1.99.1
Scan saved at 2:38:19 PM, on 8/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\zpdtrtd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb1 1.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\System32\jaqnnj.exe
C:\DOCUME~1\Eileen\LOCALS~1\Temp\wrapperouter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\VBouncer\VBOUNC~1.EXE
C:\PROGRA~1\VBouncer\ADDEST~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cbwvosjb.exe
C:\WINDOWS\cbwvosjb.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system\umlpqsiwu.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Eileen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe /m
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb1 1.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaqnnj.exe reg_run
O4 - HKLM\..\Run: [tsnT37X] cryfx12n.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [phmpeh] c:\windows\system32\zpdtrtd.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
__________________
Athlon 64 3000+ Venice -- MSI K8N Neo4 Platinum
Asus nVidia GeForce 6600 -- Corsair ValueSelect 1024mb Seagate 120GB Barracuda -- Xoxide X-Clear Case FOR SALE http://www.computerforum.com/47630-fs-a64-3000-6600-1gb-ram-w-stuff.html http://video.google.com/videosearch?q=mzvideos

#2
Diamond Member
Join Date: Aug 2004
Location: New York
Age: 18
Posts: 1,383
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Corel\Suite8\Programs\CCWin\Aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
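Added example, not code from the posters or from HijackThis: a small Python triage script that parses the F2, O4 and O23 line types of a log like the one above and flags the three things a responder looks at first: a system.ini Shell= value that loads a second binary beside Explorer.exe, autostart entries running out of a user Temp directory, and services with no publisher. The sample lines are copied from the log in this thread; the regexes, the rule set and the names SHELL_RE, RUN_RE, SERVICE_RE, triage and exe_from_command are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: these lines are copied from the HijackThis log posted in
# this thread (the NAV Agent and navapsvc lines serve as benign controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [tsnT37X] cryfx12n.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaqnnj.exe reg_run
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Line shapes for the three HijackThis sections this script understands.
# The patterns are my own; HijackThis ships no parser for its own output.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)

# Directories a logon-time autostart has no business living in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\")


@dataclass
class Finding:
    section: str  # HijackThis section tag: F2, O4 or O23
    item: str     # the entry that tripped the rule
    reason: str   # why a responder would look at it


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run value, honouring quotes and trailing args."""
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|com|dll|bat))(?:\s|$)', cmd, re.IGNORECASE)
    if not m:
        return cmd.strip()
    return (m.group(1) or m.group(2)).strip()


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SHELL_RE.match(line)
        if m:
            # A clean XP box has Shell=Explorer.exe and nothing else.
            if m["shell"].strip().lower() != "explorer.exe":
                findings.append(Finding("F2", m["shell"],
                    "Shell= loads a second binary alongside Explorer.exe at every logon"))
            continue

        m = RUN_RE.match(line)
        if m:
            exe = exe_from_command(m["cmd"])
            label = f"[{m['name']}] {exe}"
            if any(d in exe.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("O4", label,
                    "autostart runs out of a user Temp directory"))
            elif "\\" not in exe:
                findings.append(Finding("O4", label,
                    "no directory given; which file runs depends on the search path"))
            continue

        m = SERVICE_RE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            findings.append(Finding("O23", m["path"],
                "service carries no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.item}\n    -> {f.reason}")
```

Run on the sample it reports four entries: the Nail.exe shell hook, sysnet.exe in the Temp folder, the bare cryfx12n.exe, and the ownerless svcproc.exe service. The rules are review flags, not verdicts: the "no directory" rule also fires on legitimate entries such as `nwiz.exe /install` or a bare `RUNDLL32.EXE`, and a randomly named file in System32 (jaqnnj.exe above) passes all three rules, so the script narrows the list a responder reads by hand rather than replacing that reading.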
#3
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,613
The installer is called Epolvy. Can your friend download anything? If not, you'll need to download these programs and transfer them to their computer with a USB stick or CD.
Ewido, Nailfix, CCleaner, CWShredder, Killbox. Download and update all these programs, but don't run anything yet. If your friend has got Ad-Aware SE and Spybot, update them and do full scans in safe mode. Reboot and post a new log when you have access to the computer; don't reboot until you hear from myself or Byteman.
__________________
Son of Glyndwr. The old land of my fathers is dear to me.
Last edited by Buzz1927; 08-06-2005 at 11:28 PM.