Nasties and Enigmas - Page 2

P.S. AVG deleted the trojan it found. As to the slew of baddies found at Panda, well, I just don't know. I didn't like the pay as you go at the end of the scan. Perhaps they're still there on the hard-drive; perhaps not. You know better than I. Ran AVG spyware as well and it found nothing. The AVG virus log didn't copy to disk/desktop so I didn't include it. Glad you hung in there with me. Things are better...ennglish

Did you run that last Hijackthis scan after you did panda and AVG antispyware scans?

Panda would have fixed the viruses, correct? Did it fix the rootkit? And yes, they do charge to fix spyware, but there are other tools, and they do identify the targets. Post the panda log.
AVG antispyware is a good scan; I'd not worry about the Trend scan.

Please run CCleaner, and then try these two:
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through...
-post their logs too.
I still see that logon.exe startup reg entry there.. now if you ran that last Hijackthis scan AFTER AVG and Panda then we can asuume that logon.exe is being protected.
If so, download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure!!
-unzip it to your desktop and start it; select “Input script manually” and then click the magnifying glass icon. Paste into the box this line:-

C:\WINNT\System32\logon.exe

...and click Done, and finally the green light. Follow promps to reboot your machine.
Do a fresh hijackthis scan and post the fresh log, please. Look for this file and post it also: C:\avenger.txt
Do post the blacklight and kaspersky logs also.

Let me see if I can recall all that happened. I DIDN'T

Let me see if I can recall all that happened. I DIDN'T pay Panda to remove what it found. I wasn't going to pay to clean things up: I just didn't like that type of "service". I downloaded, updated and ran AVG antivirus and spyware. Antivirus found a backdoor trojan and deleted it. AVG spyware found nothing. I then ran HijackThis and it found and deleted logon.exe. That I could get on the internet was pretty significant. I think I downloaded over 40megs in that session and data was not flying out from my computer as it did earlier.

I'll download the programs you suggest and also try to get the scan down at Kaspersky. Get back to you then. Thanks...ennglish

Panda fixes viruses usually for no charge; AVG will get the spyware that Panda would otherwise charge you for. I was mainly interested in seeing the panda log, plus knowing the timing of that last HT scan log...

Panda wanted $13 after scanning for over an hour! I thought it a bit of a rip off. It advertises as if it would clean up what it found. In any case I ran AVG and it deleted the trojan I referenced. The HT scan was the last in line of all I did that day. BTW, it shows winlogon.exe, not logon.exe. lOGON.EXE was deleted. Also, I tried running Revealer again last night and it hangs up everytime. It first did it with that DMJM...EXE file and last night at some registry file HKLM/security (or some such name - I'm a bit fuzzy this morning and didn't write down the entry). See you later...

I am not concerned with winlogon.exe - that is a valid M$ file....
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe
I asked you to fix this one some days ago - it is still there. Either you missed fixing it, or it has been regenerated - one of the littlke knacks some trojans have. Logon.exe is sophisticated - it is not above calling for replacement files. Fix this entry, and see if it reappears. If it does, run Avenger as I advised. If Avenger cannot find the path and assoc keys then it does nothing. It would have removed this key, and any others of that family that do not show in HT.

Been a busy day. Here's some logs for you.

AVG SCAN 2/13:
General properties";""
"Report name";"Complete Test"
"Start time";"2/12/2007 10:24:51 AM"
"End time";"2/12/2007 10:46:45 AM (total: 21:52.1 Min)"
"Launch method";"Scanning launched by scheduler"
"Scanning result";"Threats found"
"Report status";"Scanning completed successfully"
" ";""
"Object summary";""
"Scanned";"12513"
"Threats Found";"2"
"Cleaned";"0"
"Moved to vault";"0"
"Deleted";"2"
"Errors";"0"
"C:\WINNT\System32\winIogon.exe";"";"Deleted"
"C:\WINNT\system32\winIogon.exe";"";"Deleted"

After this did HijackThis. Log follows:
Logfile of HijackThis v1.99.1
Scan saved at 3:24:39 PM, on 2/13/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Hijack\Simplesimon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: KSAWX - Unknown owner - C:\DOCUME~1\student\LOCALS~1\Temp\KSAWX.exe (file missing)
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Got to and ran Kaspersky online scanner. Results are:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 13, 2007 6:20:49 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 2 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/02/2007
Kaspersky Anti-Virus database records: 252523
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 8329
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:40:03

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\student\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\student\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\student\Local Settings\History\History.IE5\MSHist012007021320070214\index.dat Object is locked skipped
C:\Documents and Settings\student\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\student\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\student\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\student\ntuser.dat.LOG Object is locked skipped
C:\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\SDFix\backups\backups\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.

Also ran Avenger and Blacklight: both found nothing.

Stay well. I'm tired...ennglish

pls check your c: root for some strange files with names that seem to refer to photographs, and with extension .scr . But don't dclick them, or otherwise open or start them!!
Delete the SDFix backups folder contents.... the 3 files are at the bottom of your last post.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \mside.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \sys32.exe
-these two subkeys are still showing up as O23 entries.

I do not understand this. AVG AV when it finally ran detected and removed mside.exe. Now a service loader entry has appeared [for the first time in the log].
sys32.exe was detected and quarantined by AVG 7.5, and its helpers removed by SDFix; I asked you to check that it was missing from your system32 folder [it was] and to fix the O23 entry, but it has remained right through.
These two backdoor trojans [the third was logon.exe which you stopped with HT..] should be easy to stop : you remove the start entry [O4, then stop and delete the process, and that should be it]. The damage can then be repaired. But those O23 entries will not go.
I asked you to fix the logon.exe entry: O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\logon.exe - but it pops up in the next scan!
And now another service startup has appeared, prob related to the DMJMGQVAO.EXE earlier - the new one is

O23 - Service: KSAWX - Unknown owner - C:\DOCUME~1\student\LOCALS~1\Temp\KSAWX.exe (file missing)

So please fix that one and these two also.
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

See how you go...

Ran HijackThis and 'fixed' the three 023 entries you listed KSAWX - mside.exe - sys32.exe. (What does 'fixed' mean?) Rebooted, ran Hijack and the 023 entries - mside.exe(file missing) and sys32.exe (file missing) came up in the scan. Is this what you meant by "those two entries will not go?"

Here's the Hijack scan log:
Logfile of HijackThis v1.99.1
Scan saved at 4:05:28 PM, on 2/15/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Hijack\Simplesimon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINNT\system\mside.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

I don't understand this instruction: you remove the start entry [O4, then stop and delete the process, and that should be it

Please explain what to remove and how to "stop and delete the process"?

There are two backups in SDFix: one is empty the other contains BackupReg.zip. Should I delete this? When I did a scan on Panda it detected spyware in this folder.

There were no weird .scr files on C:

By the way, I've tried to stop startup for AVG Antivirus and Spyware a number of times. They take up too much memory on the laptop (I'm getting another 128megs soon), but they keep on showing up on startup. I could just delete the run registry entries, right?

At least the 'puter can get back on the internet...ennglish

P.S. Just saw the instructions to delete all of the SDFix backups. Will do...BTW, what are some of the esoteric programs I've been using - Blacklight - SDFix, Revealer? I guess I can do a search on them and learn something new...or more than I ever thought I'd need to know!

...after 30 days AVG stops being a resident checker anyway.... and you just update it and run it on demand -when you have a problem.
Delete the SDfix backup file. It obviously does not contain anything you are missing, so it is okay to delete.
"you remove the start entry [O4, then stop and delete the process, and that should be it" not an instruction, more a dissertation on a train of events that should work. The lower section of the HT logs contains registry keys that are deemed worth checking by the HT author because they are registry locations that are often chosen by malware to initiate their various actions automatically. "Fixing" means that HT removes the selected registry entry, and only that one. An O4 key is a startup key that loads processes etc and runs them at start of windows. Various other specialty softwares eg Avenger, will remove the processes and many keys assoc with those processes.
"Is this what you meant by "those two entries will not go?"". Precisely. Something is regenerating those keys, even though their target files are missing - they can do no harm, but it irks me that something is still resident.
"stopping a process" - most will not let you delete them while they are running. Many malwares load copies of their processes into other areas/folders and when the main running process is removed will, if some other code is remanent, regenerate their functions.
As an example, for that O23 entry for the MS Sata Emulation Service: to stop it you would go Start > run > services.msc, search down the name list for that service and stop it; it should be disabled status.

I am afraid that i am going on vacation now, if you have problems still i hope someone else will come into the discussion.
Cheers, g.

Yeah, a search on those things would be easier .. RKR has a good explanatory web page, it will also be in your RKR folder as a .chm file - dclick it to open it to read.