
Greetings All,

I am new to the forums. I am a tech and I have a stumper on my hands....

I've beaten my head all day on this one. Working from home, this came out of nowhere today and is actually preventing me from working because it is so annoying. I think it might be a new variant of the VX2. I am posting my FindIt output log and also my HijackThis log. Thanks for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:13 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\windows\winsysban8.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.my.yahoo.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wyoqao.exe reg_run
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\j4p0le7m1h.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

***************************************************************

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\FindIt\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4CD5-D77F

Directory of C:\WINDOWS\System32

02/14/2006 10:52 PM <DIR> ..
02/14/2006 10:52 PM <DIR> .
02/14/2006 10:48 PM 236,819 guard.tmp
02/14/2006 10:46 PM 233,660 h62o0gf3e62.dll
02/14/2006 09:55 PM 236,819 j4p0le7m1h.dll
02/14/2006 08:01 PM 236,819 KRDPL1.DLL
02/14/2006 02:59 PM 0 cmd.com
02/14/2006 02:59 PM 0 tasklist.com
02/14/2006 02:59 PM 0 taskkill.com
02/14/2006 02:59 PM 0 regedit.com
02/14/2006 02:59 PM 0 tracert.com
02/14/2006 02:59 PM 0 ping.com
02/14/2006 02:59 PM 0 netstat.com
09/07/2005 08:26 AM <DIR> DLLCACHE
12/20/2004 10:25 PM <DIR> Microsoft
08/04/2004 06:00 AM 175,104 winlog.exe
12 File(s) 1,119,221 bytes
4 Dir(s) 25,448,517,632 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4CD5-D77F

Directory of C:\WINDOWS\System32

02/14/2006 10:52 PM <DIR> ..
02/14/2006 10:52 PM <DIR> .
02/14/2006 02:59 PM 0 cmd.com
02/14/2006 02:59 PM 0 tasklist.com
02/14/2006 02:59 PM 0 taskkill.com
02/14/2006 02:59 PM 0 regedit.com
02/14/2006 02:59 PM 0 tracert.com
02/14/2006 02:59 PM 0 ping.com
02/14/2006 02:59 PM 0 netstat.com
09/07/2005 08:26 AM <DIR> DLLCACHE
08/10/2004 02:03 PM 488 logonui.exe.manifest
08/10/2004 02:03 PM 488 WindowsLogon.manifest
08/10/2004 02:02 PM 749 nwc.cpl.manifest
08/10/2004 02:02 PM 749 cdplayer.exe.manifest
08/10/2004 02:02 PM 749 sapi.cpl.manifest
08/10/2004 02:02 PM 749 ncpa.cpl.manifest
08/10/2004 02:02 PM 749 wuaucpl.cpl.manifest
08/04/2004 06:00 AM 175,104 winlog.exe
15 File(s) 179,825 bytes
3 Dir(s) 25,448,513,536 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4CD5-D77F

Directory of C:\WINDOWS\System32

02/14/2006 10:48 PM 236,819 guard.tmp
1 File(s) 236,819 bytes
0 Dir(s) 25,448,513,536 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4CD5-D77F

Directory of C:\WINDOWS\System32

02/14/2006 10:50 PM 1,688 TRJ_NTAUTO.TMP
02/14/2006 10:48 PM 236,819 guard.tmp
2 File(s) 238,507 bytes
0 Dir(s) 25,448,513,536 bytes free

------------------ User Agent ----------------


------------- Keys Under Notify -------------


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cmd.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K
guard.tmp Tue Feb 14 2006 10:48:20p ..S.R 236,819 231.27 K
h62o0g~1.dll Tue Feb 14 2006 10:46:12p ..S.R 233,660 228.18 K
j4p0le~1.dll Tue Feb 14 2006 9:55:30p ..S.R 236,819 231.27 K
krdpl1.dll Tue Feb 14 2006 8:01:58p ..S.R 236,819 231.27 K
netstat.com Tue Feb 14 2006 2:59:04p ..SH. 0 0.00 K
ping.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K
regedit.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K
taskkill.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K
tasklist.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K
tracert.com Tue Feb 14 2006 2:59:06p ..SH. 0 0.00 K

11 items found: 11 files, 0 directories.
Total of file sizes: 944,117 bytes 921.99 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: (AsPack2k)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack2000
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\NTDLL.DLL: .aspack
C:\WINDOWS\SYSTEM32\sschk.trb: .aspack
C:\WINDOWS\SYSTEM32\trjscan.trb: .aspack
C:\WINDOWS\SYSTEM32\trupd.trb: .aspack

-------------- HKLM Run Key ----------------


Thanks! Joel
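As an added example, not part of Joel's post and not code from HijackThis or FindIt, the script below applies a few of the heuristics a log reviewer uses when reading the two logs above. The sample inputs are short excerpts copied from the posted logs; the rules themselves (bare-filename Run values resolved through PATH, the RunServices key, alternating letter/digit DLL names under Winlogon Notify, zero-byte `.com` files shadowing console tools through the default PATHEXT order, and several fresh files sharing one byte size) and the list of shadowable tool names are assumptions of this example, not findings stated by the original thread.

```python
"""Triage helper for a HijackThis log and a FindIt/dir listing (added example).

Heuristics used here are reviewer assumptions, not rules from the forum post:
  * O4 Run values that are a bare file name resolve through PATH at logon, so the
    real binary may sit anywhere on the search path.
  * The RunServices key is a Windows 9x key; NT-based Windows does not use it.
  * A Winlogon Notify DLL whose stem alternates letters and digits many times is
    a generated name, typical of Look2Me/VX2-style droppers.
  * A zero-byte .com named after a console tool in System32 shadows the .exe,
    because .COM comes before .EXE in the default PATHEXT order.
  * Several freshly written DLL/TMP files with an identical size are usually one
    payload copied under rotating names.
"""
import re
from collections import defaultdict

# Constructed sample: excerpts from the posted HijackThis log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wyoqao.exe reg_run
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\j4p0le7m1h.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed sample: excerpts from the posted FindIt "dir" listing of System32.
FINDIT_SAMPLE = r"""
02/14/2006 10:48 PM           236,819 guard.tmp
02/14/2006 10:46 PM           233,660 h62o0gf3e62.dll
02/14/2006 09:55 PM           236,819 j4p0le7m1h.dll
02/14/2006 08:01 PM           236,819 KRDPL1.DLL
02/14/2006 02:59 PM                 0 cmd.com
02/14/2006 02:59 PM                 0 tasklist.com
02/14/2006 02:59 PM                 0 regedit.com
09/07/2005 08:26 AM    <DIR>          DLLCACHE
08/04/2004 06:00 AM           175,104 winlog.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.+)$")
DIR_RE = re.compile(r"^(\d\d/\d\d/\d{4}) +(\d\d:\d\d [AP]M) +([\d,]+) +(\S.*)$")

# Assumed list of console tools worth checking for .com shadowing (the ones in the post).
SHADOWABLE = {"cmd", "regedit", "tasklist", "taskkill", "ping", "netstat", "tracert"}


def command_path(cmd):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_absolute_windows_path(path):
    return re.match(r"^[A-Za-z]:\\", path) is not None


def looks_generated(basename):
    """True for stems such as j4p0le7m1h: at least 8 chars, letters/digits flip 4+ times."""
    stem = basename.rsplit(".", 1)[0].lower()
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return len(stem) >= 8 and flips >= 4


def triage_hjt(text):
    """Return (log line, reason) pairs for O4/O20 entries that deserve a second look."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            if not is_absolute_windows_path(command_path(m.group("cmd"))):
                findings.append((line, "bare file name, resolved through PATH at logon"))
            if m.group("key").lower() == "runservices":
                findings.append((line, "RunServices key is not used by NT-based Windows"))
            continue
        m = O20_RE.match(line)
        if m and looks_generated(m.group("path").rsplit("\\", 1)[-1]):
            findings.append((line, "Winlogon Notify DLL with generated-looking name"))
    return findings


def triage_dir(text):
    """Return (file name(s), reason) pairs from a dir-style listing of System32."""
    findings = []
    by_size = defaultdict(list)
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if not m:
            continue  # directory entries and summary lines do not match
        size = int(m.group(3).replace(",", ""))
        name = m.group(4).strip()
        stem, _, ext = name.lower().rpartition(".")
        if ext == "com" and size == 0 and stem in SHADOWABLE:
            findings.append((name, f"zero-byte .com shadows {stem}.exe (PATHEXT tries .COM first)"))
        if ext in ("dll", "tmp") and size > 0:
            by_size[size].append(name)
    for size, names in by_size.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"{len(names)} files share byte size {size}; likely one payload under rotating names"))
    return findings


if __name__ == "__main__":
    for item, reason in triage_hjt(HJT_SAMPLE) + triage_dir(FINDIT_SAMPLE):
        print(f"{reason}\n    {item}")
```

On the sample above the script flags the two `winlog.exe` entries (bare name, and the RunServices copy), the `j4p0le7m1h.dll` Notify hook, the three zero-byte `.com` files, and the trio of 236,819-byte files. It deliberately does not judge entries by product name; that is what a reviewer's own knowledge (or a vendor database) adds on top of these structural checks.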


Hey, sorry for the delay, but run HJT and place checks next to these:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

Hmm, so try that, tell me if it's still having problems, and post another log.
Thanks.


Thanks, but this is a solved issue. It took 10 days but the system is all clean, and thankfully without having to format/restore.

Joel


Heh, my bad. :o Last thing then: could you mark the thread as 'solved' (there should be a button near the top)?
Thanks.
