Hacktool.Rootkit Problems

Hello, and thanks for your help in advance. I apparently picked up a virus the other day when I opened an email. Whatever it did completely froze up the computer. I couldn't open any program at all. Somehow, by starting in safe mode and restoring to an earlier date, I was able to use my computer, but the virus is still there and I can't get rid of it. My Norton Anti-Virus tells me that I have acquired the Hacktool.Rootkit virus. In searching for ways to get rid of it, I came across this forum. It claims the virus resides in my C:\WINDOWS\system32\hpdriver.sys file. While I saw another post on here for a similar file, it also seems like each system is a little different, so I thought I would start my own thread. Following other people's lead, I downloaded HiJackThis and will attach the log file it came up with below. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:32 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\clms.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\msngs.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Jbzbrx\Bqwcdra.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\sass.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\clsas32.exe
C:\WINDOWS\System32\sass.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Documents and Settings\#1 MOM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.core.com:80
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [AutoLoadervsou1ZPQdPXM] "C:\WINDOWS\System32\cnvenh.exe" /HideDir /HideUninstall /PC="CP.CDT3" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows System32] clsas32.exe
O4 - HKLM\..\Run: [Configuration Loader] sass.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Windows System32] clsas32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Services] smsc.exe
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows Services] smsc.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62...bridge-c15.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013c884d...zip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{458A4F45-E0BF-4360-B309-06014CDB3B31}: NameServer = 169.207.1.3 209.153.128.4
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Re: Hacktool.Rootkit Problems

Hello ski38off, welcome to DaniWeb :)

Thanks for starting your own thread; you were right in thinking that each person's "fix" is slightly different. In your particular case, you have more than just the hacktool.rootkit infection, so we'll have a bit more work to do.

Before we start to remove your infections, there is one thing you have to take care of first:

C:\Documents and Settings\#1 MOM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else! Temp/Temporary folders are just that: temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

Once you've done the above:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):
ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from ewido.
- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.
- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.

2. Download and install the CCleaner utility, but don't run it yet.

3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fix:
O4 - HKLM\..\Run: [AutoLoadervsou1ZPQdPXM] "C:\WINDOWS\System32\cnvenh.exe" /HideDir /HideUninstall /PC="CP.CDT3" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Windows System32] clsas32.exe
O4 - HKLM\..\Run: [Configuration Loader] sass.exe
O4 - HKLM\..\RunServices: [Windows System32] clsas32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] sass.exe
O4 - HKCU\..\Run: [Windows Services] smsc.exe
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows Services] smsc.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6.../bridge-c15.cab
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe

4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

5. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

6. Run Norton, ewido, and MS Antispyware beta consecutively; have the programs fix all malicious items they find. When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK. Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

7. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Search your entire C: drive for the following files and delete them if found (ewido and MS Antispyware should have deleted at least some of these already):
C:\WINDOWS\System32\cnvenh.exe
clsas32.exe
sass.exe
smsc.exe
C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe
hpdriver.sys
ntfsprotect.exe

8. Empty your Recycle Bin and reboot normally.

9. Run HijackThis again and post the new log. Also post the log that ewido generated.
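The reply above picks its "Fix checked" entries by hand using three recurring tells: the scanner itself running out of a Temp folder, O4 Run entries that are a bare filename with no path (hiding behind system-sounding names like "Windows System32"), and O23 services with an unknown owner or a missing binary. The script below is an added example, not code from this thread, the poster, or the HijackThis tool; it encodes those same checks so a defender can run them over a log rather than eyeball it. The KNOWN_BENIGN_BARE allowlist and the SAMPLE_LOG are constructed for this example (the sample is assembled from entries that appear in the thread).

```python
"""Triage heuristics for a HijackThis-style log.

Added example for this thread; it is not code from DaniWeb, from the
poster, or from the HijackThis tool.  It encodes the checks the helper
applied by hand to the posted log: a scanner image living in a Temp
folder, O4 Run entries that are bare filenames with no path, and O23
services with an unknown owner or a missing binary.  The allowlist and
the sample log below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumption: bare-filename Run entries that are normally legitimate.
# The helper left nwiz.exe alone in the thread; for rundll32.exe the
# thing to review is the DLL it loads, not the host process itself.
KNOWN_BENIGN_BARE = {"nwiz.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# "\Temp\" or "\Temporary ...\" as a path component; "\Templates\" does not match.
TEMP_DIR_RE = re.compile(r"\\Temp(?:orary[^\\]*)?\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "process", "O4" or "O23"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the program token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Run the heuristics over one log and return the entries to review."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            # The helper's first instruction: never run the scanner from Temp.
            if TEMP_DIR_RE.search(line):
                findings.append(Finding("process", "image runs from a Temp folder", line))
            continue
        in_processes = False
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe and exe.lower() not in KNOWN_BENIGN_BARE:
                findings.append(Finding("O4", "bare filename with no path", line))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown owner")
            if "(file missing)" in m.group("path"):
                reasons.append("binary missing")
            if reasons:
                findings.append(Finding("O23", "; ".join(reasons), line))
    return findings


# Constructed sample, assembled from entries that appear in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\#1 MOM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\RunServices: [Configuration Loader] sass.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run it against the sample and it reports four entries: the HijackThis image in Temp, the two bare-filename Run entries (clsas32.exe and sass.exe), and the clmss service. A bare filename is only a reason to look, not proof of malware (nwiz.exe is a normal NVIDIA entry in the same log), which is why the allowlist exists and why the output is a review list rather than a fix list.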
| Re: Hacktool.Rootkit Problems Ok, I think I have gone through everything suggested here. There were, however, a couple of things I had questions about. First, the Norton Antivirus wouldn't run in safe mode. I have had this problem earlier when trying to fix this virus. It comes up with the following error: Symantec Integrator Symantec Integrator has encountered a problem and needs to close. I was able to copy and save some of the error message. If this is needed, please let me know. Another question I had was when I was in step 7, and deleting certain files. When I searched for sass.exe, I came up with four responses. I erased 2 of them, but the other 2 were lsass.exe, which I did not remove. Should have I? Thanks for your help so far, and look forward to your reply. Below are the Ewido Report, and the HiJackThis log file. Ewido Report: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 6:36:26 PM, 12/26/2005 + Report-Checksum: 804B590E + Scan result: HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup 
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Spyware.InternetOptimizer : Cleaned with backup HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Cleaned with backup HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Cleaned with backup HKLM\SOFTWARE\WhenUSave\Partners\EEPE -> Spyware.SaveNow : Cleaned with backup HKU\S-1-5-21-72185382-3615762775-2885428501-1012\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup HKU\S-1-5-21-72185382-3615762775-2885428501-1012\Software\salm -> Spyware.180Solutions : Cleaned with backup C:\a0h311i.exe -> Worm.Opanki.ao : Cleaned with backup C:\aimg0xx.exe -> Worm.Opanki.ao : Cleaned with backup C:\aimg1xx.exe -> Worm.Opanki.ao : Cleaned with backup C:\aimgxx.exe -> Worm.Opanki.ao : Cleaned with backup C:\aimn1ghtf34.exe -> Worm.Opanki.ao : Cleaned with backup C:\aimr1xx.exe -> Worm.Opanki.ao : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjkoklcpmco.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjkoohcpskp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjliqhcpicp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjlyelcpmdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjny-1ndpah.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyencpkeq.stats.esomniture[1].txt -> 
Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyslazekp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyuic5waq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@e-2dj6wjnyumdpidq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\MasterMike\Cookies\mastermike@stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\MasterMike\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wfkyekd5wfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wjk4qmdzwkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas 
Lausten\Cookies\thomas lausten@e-2dj6wjkocnajoeo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wjlyclcpckq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wjnyepazido.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wjnyqndzsgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@e-2dj6wjnyslc5aco.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Cookies\thomas lausten@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup C:\Documents and Settings\Thomas Lausten\Local Settings\Temp\temp.fr840D\actalert.exe -> Downloader.Dyfuca.dp : Cleaned with backup C:\ninja1m.exe -> Worm.Opanki.ao : Cleaned with backup C:\njnaim1.exe -> Worm.Opanki.ao : Cleaned with backup C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup C:\Program Files\CxtPls -> Spyware.AproposMedia : Cleaned with backup C:\Program Files\Jbzbrx\Bqwcdra.exe -> Trojan.Small.cy : Cleaned with backup C:\WINDOWS\clms.exe -> Trojan.Pakes : Cleaned with backup C:\WINDOWS\system32\clsas32.exe -> Backdoor.Rbot : Cleaned with backup C:\WINDOWS\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup C:\WINDOWS\wt\wtvh.dll -> 
Spyware.WildTangent : Cleaned with backup ::Report End HiJackThis Log File: Logfile of HijackThis v1.99.1 Scan saved at 7:25:49 PM, on 12/26/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\DVDRAMSV.exe C:\HiJackThis\ewido anti-malware\ewidoctrl.exe C:\HiJackThis\ewido anti-malware\ewidoguard.exe C:\Program Files\Canon\MultiPASS\mpservic.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Canon\MultiPASS\monitr32.exe C:\Program Files\Canon\MultiPASS\MPTBox.exe C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE C:\WINDOWS\wt\updater\wcmdmgr.exe C:\WINDOWS\System32\FxRedir.EXE C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe C:\HiJackThis\MicrosoftSpyware\gcasServ.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\RAMASST.exe C:\HiJackThis\MicrosoftSpyware\gcasDtServ.exe C:\HiJackThis\HijackThis.exe O2 - BHO: PCTools 
Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe" O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe 
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe O4 - HKLM\..\Run: [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [gcasServ] "C:\HiJackThis\MicrosoftSpyware\gcasServ.exe" O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013c884d...zip/RdxIE2.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common 
Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing) O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: ewido security suite control - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoguard.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing) O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec 
Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe |
Re: Hacktool.Rootkit Problems

1. Quote:
2. Quote:
3. Did you intentionally install any Wild Tangent games? Your HJT log shows a Wild Tangent component running as a Windows startup item; if you didn't knowingly install any Wild Tangent programs, that entry should be deleted.

Give us feedback on the above questions and we'll continue from there.
Re: Hacktool.Rootkit Problems

Thanks for your prompt reply.

First, Norton seems to run alright when Windows is booted normally. I have found that it works best when I am connected to the internet (we have dial-up here). The links on the IE toolbar work great, but the shortcuts on the desktop don't. I was thinking that since we have Norton Internet Security, and the antivirus is part of that, that there might be a connection there. Frankly, the Norton Anti-Virus hasn't seemed to work very well ever since we got it.

Second, 1 of the lsass.exe files is in C:\WINDOWS\system32, and the other in C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989. Hopefully, those are where they should be.

Finally, I have not intentionally installed any Wild Tangent games, so apparently these should not be there either. Not sure how to fix all of these things.

Hope that helps.
Re: Hacktool.Rootkit Problems

1. Quote:

2. Quote:

3. Quote:

4. Quote:

5. Quote:

6. Close all open programs, run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)

- In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: clmss
- Repeat the above step for this service also: msnmgs
- Close HijackThis.

7. Reboot into Safe Mode and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Search for the following files and verify that they have really been deleted; if not, delete them now:
C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe
- Delete the following folders entirely:
C:\WINDOWS\wt
C:\Program Files\Jbzbrx

8. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.
Re: Hacktool.Rootkit Problems

Ok...sorry for the lengthy delay but I got drawn out of town since the last post here. Unfortunately, my brother has been using the computer since then, which hopefully has not attracted any other less than desirable pests to the computer. Nonetheless...I have taken the steps prescribed in the last reply, and will post the HiJackThis log file below. One thing to note, the computer seems to be running much better already, and the Norton stuff hasn't been acting up lately, at least that my brother has been able to tell. Thanks for your help so far, and in advance for anything that might crop up this time. Here's the hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 12:51:48 AM, on 1/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\Program Files\AIM\aim.exe
C:\HiJackThis\MicrosoftSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1128366424\ee\AOLServiceHost.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128366424\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\HiJackThis\MicrosoftSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013c884d...zip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\HiJackThis\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)
O23 - Service: MPService - Canon Information Systems - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Re: Hacktool.Rootkit Problems

Not much seems to have changed in the new log. Almost all of the original malicious entries are still present, and as a matter of fact, one new piece of adware has been installed as well. Please follow these instructions fully and completely:

1. Open your Add/Remove Programs control panel and uninstall WeatherCast and any programs you find that are related to "WhenU".

2. Visit at least two of the following sites for an online virus scan:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/active...n_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Housecall at TrendMicro
http://housecall60.trendmicro.com/e...orp.asp?id=scan
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Also run this online trojan scanner: TrojanScan

3. Update ewido, MS Antispyware, and Spyware Doctor. Don't run scans yet, though; just close the programs after doing the updates.

4. Open the Services utility in your Administrative Tools control panel.
* In the list of services, locate the service named Content List Management Sub System or clmss and double-click on it.
* In the General tab of the Properties window that opens, click the Stop button.
* Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
* Repeat the above steps for the service named Microsoft Message Service XP or msnmgs.
* Close the Services utility.

5. Run HJT again and have it fix:

O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
O23 - Service: msnmgs (Microsoft Message Service XP) - Unknown owner - C:\WINDOWS\msngs.exe (file missing)

* In HijackThis' main window, click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens, enter the following in the deletion box and press OK: clmss
* Repeat the above step for this service also: msnmgs
* Close HijackThis.

6. Reboot into Safe Mode again.
* Run ewido, MS Antispyware, and Spyware Doctor; have them fix all malicious items they find. As before, save the ewido log.
* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Search for the following files and verify that they have really been deleted; if not, delete them now:
C:\WINDOWS\clms.exe
C:\WINDOWS\msngs.exe
- Delete the following folders entirely:
C:\Program Files\WeatherCast
C:\Program Files\Save

7. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the new ewido log.
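The fix lists in the two helper replies above rest on patterns a log reader applies by eye: HKCU Run/RunServices entries that name a bare executable imitating a core Windows process (clsas32.exe and sass.exe alongside the genuine C:\WINDOWS\system32\lsass.exe), and O23 services whose binary is already "(file missing)". The following Python is an added example, not code from the thread or from HijackThis, that applies those same two checks to O4/O23 log lines; the sample lines are copied from the logs above, while the system-binary list and the edit-distance threshold of 2 are my own assumptions.

```python
import re

# Constructed sample: O4/O23 lines copied from the thread's HijackThis logs,
# mixing legitimate Symantec entries with the ones the helper had fixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows System32] clsas32.exe
O4 - HKCU\..\Run: [Configuration Loader] sass.exe
O4 - HKCU\..\RunServices: [Windows System32] clsas32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: clmss (Content List Management Sub System) - Unknown owner - C:\WINDOWS\clms.exe (file missing)
"""
# Assumed list of core Windows process names that malware imitates.
SYSTEM_BINARIES = ["lsass", "svchost", "winlogon", "services", "csrss", "smss", "explorer"]
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_of(command):
    """Program part of an O4 command: quoted path, else text up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def lookalike_of(exe_path):
    """System binary this filename imitates, or None; digits and the .exe
    suffix are dropped so clsas32.exe is compared as 'clsas' against 'lsass'."""
    stem = re.sub(r"\.exe$|\d", "", exe_path.rsplit("\\", 1)[-1].lower())
    for name in SYSTEM_BINARIES:
        if stem != name and levenshtein(stem, name) <= 2:
            return name
    return None

def triage(log_text):
    """Return (line, reason) pairs for autostart entries that deserve a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group(4))
            if "\\" not in exe:
                findings.append((line, "bare filename in Run key; installers register full paths"))
            if (twin := lookalike_of(exe)):
                findings.append((line, f"filename imitates system binary {twin}.exe"))
        elif (m := O23_RE.match(line)) and m.group(3).endswith("(file missing)"):
            findings.append((line, "service points at a missing binary; orphaned autostart"))
    return findings
```

Path-based checks like these will not catch an entry such as [Kelub] C:\Program Files\Jbzbrx\Bqwcdra.exe from the earlier fix list, which has a full path and resembles nothing; entries like that still need an analyst or a file-reputation lookup.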
©2003 - 2009 DaniWeb® LLC