herme3 Posted December 15, 2005 Share Posted December 15, 2005 One of my computers have been infected with a virus or worm that got past Symantec AntiVirus Corporate Edition, and ZoneAlarm Pro. In fact, the virus has disabled my ZoneAlarm Pro firewall, and I'm trying to figure out how to fix it. The virus automatically downloaded itself into my computer from a web site. It only took a few seconds to download, so I didn't have time to press the Cancel button. While it was downloading, I saw the following window: Then a file named 0.exe was on my hard drive. Before ZoneAlarm Pro was disabled, it warned me that 0.exe was trying to act like a server. It also warned me that 0.exe was attempting to send e-mail messages. At first, I tried to delete 0.exe but I received an error message that said, "Access Denied". After that, I restarted my computer to find that ZoneAlarm Pro was disabled. Although I was able to delete 0.exe, I have a feeling that the virus/worm is still somewhere in my computer. I would appreciate it if anyone could tell me something about this virus. I don't even know what it is called, and I can't get any good information by searching for "0.exe". I have compressed the 0.exe file and placed it at http://www.bluealan.com/virus.zip so if there are any virus experts here, maybe they could figure out how it works. Link to comment Share on other sites More sharing options...
5614 Posted December 15, 2005 Share Posted December 15, 2005 I don't wish to take that file because I don't have too much time to spend if I start infecting myself. However I can help a bit. If you think the virus may still be in your computer (which is a reasonable thought) then try getting Avast antivirus (free home edition) and then running the boot time scan, ensure that Thorough Scan and Scan Archive Files are both chosen. Also if you have the file then upload here: http://virusscan.jotti.org/ and get it scanned by like 30 (or sumin like that) different AVs and spyware scanners. Also it sounds more of a home made virus than one of the biggies because, well, what professionally written virus would bring up a standard IE script prompt (that's purely my opinion). Remember that some viruses can hide in the WinXP System Restore Poins so delete all of those. Why is it that you think you may still be infected? Also if you use a program like Process Viewer: http://www.teamcti.com/pview/ Can you see the virus running? More to the point can you see anything that shouldn't be there or you don't know what it is? (If there's a process you're not sure of what it is then post it here and I'll see if I can tell you) Link to comment Share on other sites More sharing options...
Cap'n Refsmmat Posted December 15, 2005 Share Posted December 15, 2005 I'd suggest you reboot into safe mode (go to Run and type in msconfig), update Norton's virus definitions, then do a full scan. If nothing turns up, you should be fine. In any case, send the zip file to Symantec (http://securityresponse.symantec.com/avcenter/submit.html) if you can, or any other a/v firm. They'll be able to tell you what it is, or if it's new. And I'm desperately resisting making a crack to you about using Internet Explorer... Link to comment Share on other sites More sharing options...
herme3 Posted December 15, 2005 Author Share Posted December 15, 2005 I'm sure that this virus is still in my computer, and the most updated definitions of Symantec AntiVirus won't find it. I've checked all the processes, and I don't see anything unusual. I am unable to reinstall ZoneAlarm Pro because it says that the file is opened by another process. This still comes up even after a restart. Due to this problem, I am unable to reinstall ZoneAlarm Pro. I don't believe that script prompt window was part of Internet Explorer. I've never seen it before, and it is called, "Explorer User Prompt". This doesn't seem to be part of Explorer.exe and Microsoft is always careful to label every part of Internet Explorer as "Internet Explorer", not just "Explorer". That prompt must have been a downloader that is part of the virus. Also, I am unable to start the Windows firewall or the security center that came with Service Pack 2. When I try to start the firewall, I get a message that says, "Due to an unidentified problem, Windows cannot display Windows Firewall settings." I ran a scan on the 0.exe file at http://virusscan.jotti.org/ and I got the following results: BitDefender Found BehavesLike:Trojan.WinlogonHook (probable variant) NOD32 Found a variant of Win32/Haxdoor VBA32 Found Trojan-Downloader.Agent.87 (probable variant) What does that mean? Link to comment Share on other sites More sharing options...
RyanJ Posted December 15, 2005 Share Posted December 15, 2005 What does that mean? Its probably a VBA type coded trojan, if your virus scans are not picking it up then its probably no longer there. Assuming you have deleted the files and deleted all previous restore points it should be gone which is what the virus scanner seems to confirm. Cheers, Ryan Jones Link to comment Share on other sites More sharing options...
Cap'n Refsmmat Posted December 15, 2005 Share Posted December 15, 2005 If the file is being used by another process (I presume you're trying to delete your current installation so you can reinstall Zone Alarm), then it's still deletable. Try this. And I think it's likely that Internet Explorer accidentally allowed the virus in, but I'll quit nagging about that. Link to comment Share on other sites More sharing options...
RyanJ Posted December 15, 2005 Share Posted December 15, 2005 And I think it's likely that Internet Explorer accidentally allowed the virus in' date=' but I'll quit nagging about that.[/quote'] Accidentally? It would not be surprising if Microcrap left the hole there - they do it all the time. Using IE is asking for doom, I woul not trust it at all... Best advice is too change browsers so this will not occur again. Cheers, Ryan Jones Link to comment Share on other sites More sharing options...
Klaynos Posted December 15, 2005 Share Posted December 15, 2005 Accidentally? It would not be surprising if Microcrap left the hole there - they do it all the time. Using IE is asking for doom' date=' I woul not trust it at all... Best advice is too change browsers so this will not occur again. Cheers, Ryan Jones[/quote'] I second this but am aware of the IE/other browser argument history here so wont comment more. I would say that the only way you will ever know you have a "secure" or "safe" system again is if you reinstall your OS... Link to comment Share on other sites More sharing options...
herme3 Posted December 16, 2005 Author Share Posted December 16, 2005 I wish I could join all of the people that are blaming this on IE. Unfortunately, I must admit that I was using a web browser that I created... I'm not sure how many other browsers would be affected by this virus. I have been using my own browser for several months, and this is the first security problem I have ever had. I had many more virus problems when I used IE, but Symantec AntiVirus always detected them and deleted them. Symantec won't even detect this one. I have already started my computer in safe mode, and I still couldn't delete ZoneAlarm Pro so I can install it again. It appears that the security engine of ZoneAlarm is still running, but it isn't working as a firewall. It is almost like the virus has hijacked ZoneAlarm Pro so it can't be deleted and reinstalled. I will try the link that Cap'n Refsmmat posted, and let you know if it works. This virus seems to target firewalls. I can't get the Windows firewall to work either. Everything else on my computer seems to be working correctly. Link to comment Share on other sites More sharing options...
Klaynos Posted December 16, 2005 Share Posted December 16, 2005 The one that uses the IE engine, and infact is IE just with a slightly modified frontend? As it's alot of work to write a rendering engine :| Your AV scanner is probably being fooled by the virus if it is still running, this sometimes happens :| A "good" trojan/worm/virus will try to take down or trick your security programs so I restate my advice of a reinstall :| Link to comment Share on other sites More sharing options...
Dak Posted December 16, 2005 Share Posted December 16, 2005 ---Jotti scan of 0.exe AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found BehavesLike:Trojan.WinlogonHook (probable variant) ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found a variant of Win32/Haxdoor Norman Virus Control Found nothing UNA Found nothing VBA32 Found Trojan-Downloader.Agent.87 (probable variant) --- Looks like most AV's are still having trouble with haxdoor. Herme3... I'd suggest downloading HijackThis from here (scroll down and click the button with a flashing green light next to it). Extract the program, run it, and select 'scan system and make a log'. Post the log up in this thread so we can see what we're dealing with. Link to comment Share on other sites More sharing options...
5614 Posted December 16, 2005 Share Posted December 16, 2005 It is almost like the virus has hijacked ZoneAlarm Pro so it can't be deleted and reinstalledMaybe, but it also sounds to me like you partially remove ZA and haven't fully removed it, so can't reinstal it.... this is nothing to do with the virus. Why do you think the virus is still on your computer? ("I am" is not an answer to a 'why' question!) Link to comment Share on other sites More sharing options...
herme3 Posted December 16, 2005 Author Share Posted December 16, 2005 Dak, here is the log from HijackThis: Logfile of HijackThis v1.99.1Scan saved at 11:20:49 AM, on 12/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\HP\KBD\KBD.EXE C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155738_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120096203296 O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe 5614, the computer is acting different in several ways besides the problem with ZoneAlarm Pro. First, the Windows firewall is disabled and will not start. Second, the computer will not connect to my home network. Third, explorer.exe will crash when I try to access the Control Panel. When this happens, my taskbar will disappear. It will come back after a few seconds. After that, I will be able to access the Control Panel normally until the next time I start my computer. Link to comment Share on other sites More sharing options...
herme3 Posted December 16, 2005 Author Share Posted December 16, 2005 I was able to completely remove ZoneAlarm Pro using the Unlocker that Cap'n Refsmmat recommended. I also reinstalled ZoneAlarm Pro, and the installation was successful. However, ZoneAlarm Pro still won't work. The actual security engine of ZoneAlarm Pro is vsmon.exe and that process is immediately terminated when I try to start ZoneAlarm Pro. When I tried to manually click on vsmon.exe I received an error that said, "Another program is currently using this file." I don't understand why I am receiving this error. Vsmon.exe is not running in my list of processes. Although I am not sure what all of the processes are, I do not see think any of them are the virus. 0.exe has been deleted from the computer. Which process could be stopping the vsmon process from running? Link to comment Share on other sites More sharing options...
Dak Posted December 16, 2005 Share Posted December 16, 2005 Herme3, I think you might have a root-kited variant of haxdoor. Please download rootkit revealer, scan with it, and after the scan has completed goto 'file > save' to save the report. Post the rootkit revealer report up for me to see please. I'd also like to point out that the newer haxdoor variants have a keylogger with them, so I'd advise refraining from online-banking for now. Link to comment Share on other sites More sharing options...
herme3 Posted December 16, 2005 Author Share Posted December 16, 2005 Here is the report from the rootkit revealer: HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 12/16/2005 12:32 PM 80 bytes Data mismatch between Windows API and raw hive data. C:\Documents and Settings\Owner\Local Settings\Temp\W01804300\3124.tmp 12/16/2005 12:31 PM 320 bytes Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6T07I5A5\CA6789AB.html 12/16/2005 12:31 PM 5.49 KB Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HJFT7T7O\showthread[1].html 12/16/2005 12:31 PM 105.17 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 12/16/2005 12:31 PM 64.00 KB Visible in Windows API, but not in MFT or directory index. C:\WINDOWS\system32\avpe32.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API. C:\WINDOWS\system32\avpe64.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API. C:\WINDOWS\system32\klgcptini.dat 12/15/2005 1:07 PM 0 bytes Hidden from Windows API. C:\WINDOWS\system32\qz.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API. C:\WINDOWS\system32\qz.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API. C:\WINDOWS\system32\stt82.ini 12/16/2005 11:19 AM 320 bytes Hidden from Windows API. C:\WINDOWS\system32\subrange.uce 8/29/2002 7:00 AM 91.51 KB Hidden from Windows API. C:\WINDOWS\system32\subrange.x 8/29/2002 6:00 AM 91.51 KB Visible in Windows API, but not in MFT or directory index. I used the Unlock application to see what process was locking vsmon.exe. It said that the file was locked by the "System" process. I thought that process was part of Windows. Why would it be locking vsmon.exe? Also, I found some strange temporary files in the temp folder. There is a folder named "W01804300" and it contains all of the source codes of the web sites I have visited since the virus entered the computer. Could this be part of a spyware program? If so, why won't my AntiSpyware program detect it? Link to comment Share on other sites More sharing options...
Cap'n Refsmmat Posted December 16, 2005 Share Posted December 16, 2005 Some viruses are very clever about not being detected. I had one that would freeze any spyware or a/v program the instant that program got to it while scanning. Took me a while to figure out, but fortunately it didn't do any damage. Link to comment Share on other sites More sharing options...
herme3 Posted December 16, 2005 Author Share Posted December 16, 2005 Cap'n Refsmmat, how did you remove the virus from your computer? Do you know how I could remove the virus from my computer and get ZoneAlarm Pro to work again? Does anybody see anything that could be the virus in the rootkit revealer report I posted? Isn't avpe32.dll and avpe64.sys part of Haxdoor? Should I try to manually delete those files? What about the other files that it listed? Link to comment Share on other sites More sharing options...
Cap'n Refsmmat Posted December 16, 2005 Share Posted December 16, 2005 I went into Safe Mode, which allowed me to do a virus scan without the virus being active to disable Norton. Try that to see if Norton/Symantec finds any files related to it during that scan. Link to comment Share on other sites More sharing options...
5614 Posted December 16, 2005 Share Posted December 16, 2005 A well programmed virus could still start in safe mode... I like avast's boot time scan. Also a standard thing if you have a virus which could be opening your computer to hackers, downloading unwanted things, sending private data etc. is to simply disconnect that computer from any network (incl. internet) that way the most damage it can do is to harm a single computer, it cannot spread to other computers nor download/upload data. Link to comment Share on other sites More sharing options...
Cap'n Refsmmat Posted December 16, 2005 Share Posted December 16, 2005 Indeed. Haxdoor is a backdoor virus, meaning if you think it's still there, unplug that computer immediately or you risk even more problems. Link to comment Share on other sites More sharing options...
Dak Posted December 16, 2005 Share Posted December 16, 2005 I think this is the variant that you have: http://www.sophos.com/virusinfo/analyses/trojhaxdooram.html Troj/Haxdoor-AM is a Trojan for the Windows platform. Troj/Haxdoor-AM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. Troj/Haxdoor-AM includes functionality to: - stealth its files, processes, registry entries and services - prevent itself being terminated - prevent itself being deleted - disable other software, including anti-virus, firewall and security related applications - log keystrokes and steal password information - intercept banking information - download and execute files from a remote location - change the default browser startpage and similar information When Troj/Haxdoor-AM is installed the following files are created: <System>\avpu32.dll <System>\avpu64.sys <System>\klgcptini.dat <System>\qz.dll <System>\qz.sys <System>\stt82.ini klgcptini.dat and stt82.ini are clean log files. The other files are detected as Troj/Haxdoor-AM. Troj/Haxdoor-AM may attempt to inject avpu32.dll into the process explorer.exe. Troj/Haxdoor-AM attempts to delete a number of registry entries under the following location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ Registry entries may be created at one of the places to run code exported by avpu32.dll on startup: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32 HKLM\System\CurrentControlSet\Control\MPRServices\TestService The file avpu64.sys may be registered as a new system driver service named "avpu32", with a display name of "TCPIP2 Kernel32" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\avpu32\ The file avpu64.sys may be registered as a new system driver service named "avpu64", with a display name of "TCPIP2 Kernel". Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\avpu64\ Troj/Haxdoor-AM may set entries at the following locations to allow its components to be run in Safe Mode: SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ Does anybody see anything that could be the virus in the rootkit revealer report I posted? Isn't avpe32.dll and avpe64.sys part of Haxdoor? Should I try to manually delete those files? What about the other files that it listed? No, dont delete everything from the RKR log; some of it might be legit. Link to comment Share on other sites More sharing options...
Dak Posted December 17, 2005 Share Posted December 17, 2005 Try this: You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe Save it to your desktop but do NOT run it yet. Then please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode. Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder. Could I also have a new rootkit revealer log please. Link to comment Share on other sites More sharing options...
herme3 Posted December 17, 2005 Author Share Posted December 17, 2005 Thanks, Dak. I will download that file and post the log files. Did this virus probably enter as a trojan instead of from the web site I was viewing at the time? Link to comment Share on other sites More sharing options...
herme3 Posted December 17, 2005 Author Share Posted December 17, 2005 Here are the contents of the log.txt file: Log of AproposFix v1 ************ Running from directory: C:\Documents and Settings\Owner\Desktop\aproposfix ************ Registry entries found: ************ No service found! Removing hidden folder: No folder found! Deleting files: Backing up files: Done! Removing registry entries: REGEDIT4 Done! Finished! Here is the new HighjackThis log: Logfile of HijackThis v1.99.1Scan saved at 8:12:15 PM, on 12/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\HP\KBD\KBD.EXE C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\My Documents\Josh\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155738_mcappins.exe /v=3 /cleanup O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: officejet 6100.lnk = ? O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120096203296 O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Here is the new Rootkit Revealer log: C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\change.log 12/16/2005 8:15 PM 9.71 KB Visible in Windows API, but not in MFT or directory index. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\change.log.15 12/16/2005 8:40 PM 9.71 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP654\drivetable.txt 12/16/2005 8:40 PM 310 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655 12/16/2005 8:40 PM 0 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\A0086804.ini 12/16/2005 8:05 PM 320 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\change.log 12/16/2005 8:45 PM 714 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\RestorePointSize 12/16/2005 8:40 PM 8 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\rp.log 12/16/2005 8:40 PM 536 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot 12/16/2005 8:40 PM 0 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SAM 12/16/2005 8:40 PM 28.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SECURITY 12/16/2005 8:40 PM 60.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SOFTWARE 12/16/2005 8:40 PM 25.62 MB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_MACHINE_SYSTEM 12/16/2005 8:40 PM 5.72 MB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_.DEFAULT 12/16/2005 8:40 PM 272.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 12/16/2005 8:40 PM 232.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 12/16/2005 8:40 PM 232.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3849222359-1686840940-1901974871-1003 12/16/2005 8:40 PM 3.62 MB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-3849222359-1686840940-1901974871-500 12/16/2005 8:40 PM 768.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-18 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3849222359-1686840940-1901974871-1003 12/16/2005 8:40 PM 8.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-3849222359-1686840940-1901974871-500 12/16/2005 8:40 PM 256.00 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\ComDb.Dat 9/8/2005 5:41 PM 23.39 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\domain.txt 12/16/2005 8:40 PM 28 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository 12/16/2005 8:40 PM 0 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\$WinMgmt.CFG 12/16/2005 8:11 PM 20 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\export 12/16/2005 8:40 PM 0 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS 12/16/2005 8:40 PM 0 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\INDEX.BTR 12/16/2005 5:53 PM 1.52 MB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\INDEX.MAP 12/16/2005 8:40 PM 816 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING.VER 12/16/2005 8:40 PM 4 bytes Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING1.MAP 12/16/2005 8:40 PM 3.75 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\MAPPING2.MAP 12/16/2005 8:24 PM 3.75 KB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\OBJECTS.DATA 12/16/2005 5:53 PM 5.82 MB Hidden from Windows API. C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP655\snapshot\Repository\FS\OBJECTS.MAP 12/16/2005 8:40 PM 2.96 KB Hidden from Windows API. C:\WINDOWS\system32\avpe32.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API. C:\WINDOWS\system32\avpe64.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API. C:\WINDOWS\system32\klgcptini.dat 12/15/2005 1:07 PM 0 bytes Hidden from Windows API. C:\WINDOWS\system32\qz.dll 12/15/2005 1:07 PM 40.20 KB Hidden from Windows API. C:\WINDOWS\system32\qz.sys 12/15/2005 1:07 PM 21.33 KB Hidden from Windows API. C:\WINDOWS\system32\stt82.ini 12/16/2005 8:45 PM 320 bytes Hidden from Windows API. C:\WINDOWS\system32\subrange.uce 5/23/2004 6:14 PM 91.51 KB Hidden from Windows API. C:\WINDOWS\system32\subrange.x 8/29/2002 7:00 AM 91.51 KB Visible in Windows API, but not in MFT or directory index. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now