Hjt Log--need Help

falcon24 · January 10, 2006

My System: Dell8200, Win XP Home, Symantec AVC, ZoneAlarm, SpyBot S&D, AdAware, SpyWare Blaster.

Symptoms: Noticed significant delay attempting to run SpyBot and AdAware--Task Manager indicated these were using 99% CPU. Let Spybot run to completion (1.5 hr)---detected "pipas.A" trojan. Removed, but continues to regenerate after reboot. Attempted free on-line scan using Panda and SpywareSweeper---these detected problems, but they could not be removed without purchasing removal tool. Downloaded and ran Ewido malware scanner---detected problems fixed. SpyBot still being significantly delayed by remaining infection. Here's my HJT log---should definately get rid of 017 items, I think, but what about other items? Your advice on how to proceed is needed.

Logfile of HijackThis v1.99.1

Scan saved at 4:41:19 PM, on 1/10/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{453752DE-9C74-446B-98F1-AA145A95EA99}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{629AD2DB-9100-4C42-85DF-530BC00F8389}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS2\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Dragon · January 11, 2006

before we do anything.

Are you located in Ukraine??

mlegg510 · January 11, 2006

Dragon I have been seeing a ton of those IPs in logs from the Ukraine lately, and on a few forums I mod or admin I can clearly see they are US residents. Ask Chappy or BT to look at falcon's IP to locate where he is at, but doubtful is from Belargus Ukraine.

http://www.dnsstuff.com/tools/whois.ch?ip=85.255.113.118

Dragon · January 11, 2006

doh!!!

I didn't even think about looking at the IP. thats what I get for being rushed on this computer because my wife needed it for work.

*Dragon slaps his head*

Falcon24, you can remove those O17 entries using Hijack this.

open Hijack this, click on scan only, next find the following entries and put a check next to them. Then with all browsers and windows closed, including this one, click on Fix Selected

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{453752DE-9C74-446B-98F1-AA145A95EA99}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{629AD2DB-9100-4C42-85DF-530BC00F8389}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS2\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

reboot your computer post a fresh Hijack this log, and let us know how your system is doing.

falcon24 · January 11, 2006

Actions: (1) Ran HJT, fixed all 017 items; reran HJT to verify they were gone--were. (2) rebooted in Safe Mode and ran AdAware. (2) then ran Ewido fast scan which detected several problems--see Log. it is unclear if items labled "error during cleaning" were actually fixed? (3) ran Spybot S&D---something is still inhibiting effeciency of running this software--it took 1 hour 15 min to complete---detected "pipas.A" trojan---fixed. this is a recurring trojan that I have been unable to get rid of. (4) ran SpySweeper which detected a bunch of trojans, adware and cookies---these were not fixable since I haven't purchased the removal tool. QUESTIONS:

(a) Is there any freeware that can detect AND get rid of this SpySweeper-detected malware effectively???

( Is there anything suspicious in the HJT log below?

APPRECIATE YOUR HELP!!

--------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 1:17:13 PM, 1/11/2006

+ Report-Checksum: 5E2476B6

+ Scan result:

[204] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning

[228] VM_00BF0000 -> Downloader.Agent.uj : Error during cleaning

[860] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning

C:\Documents and Settings\John Watson\Cookies\john [email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup

C:\Documents and Settings\John Watson\Cookies\john [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup

C:\Documents and Settings\John Watson\Cookies\john [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup

::Report End