It started with a Win32 Trojan(Gen)

Posted 4/3/2005 12:27 PM
#12144
Hirve
Been an avid viewer of this forum for quite a while but I now need your help, please.

Friend has PC with multi-operating system (hyper-OS)

Went to see what was wrong on Friday (1st Apr) and found

C, E & F are system drives.
D is unused hyper-OS area
G: is purely a data drive, no O/S

C: is clean (unused unless reinstall/re-image)
E: is Stuart's - misbehaving today
F: infected (log below)

Have followed initial procedure as per 'Emilio (SVK)' posts

i.e.

1.DISABLE SYSTEM RESTORE
2.REBOOT TO THE SAFE MODE
3.SHOW HIDDEN FILES
4.RUN HIJACKTHIS:

Would appreciate assistance identifying problems in the following log

thanx b

Hirve

Logfile of HijackThis v1.99.1
Scan saved at 12:34:14, on 03/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\windows\System32\smss.exe
F:\windows\system32\winlogon.exe
F:\windows\system32\services.exe
F:\windows\system32\lsass.exe
F:\windows\system32\svchost.exe
F:\windows\system32\svchost.exe
F:\windows\Explorer.EXE
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.tiny.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - F:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (disabled by BHODemon)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - F:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HyperOS Agent] c:\hyper\QUICKSYS.EXE
O4 - HKLM\..\Run: [HyperOS Active System Reporter] c:\hyper\ACTIVSYS.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WinMove] c:\hyper\WINMOVE.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpyBot - S&D] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IW ControlCenter] F:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zSPGuard] f:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://www.supanet.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098699610203
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - F:\WINDOWS\system32\ZONELABS\vsmon.exe
If all time is relative, there can be no such concept as being. Discuss.
Posted 4/3/2005 3:12 PM
#12155
Emilio (SVK)
PROCEDURE:
1.TURN OFF SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN HIJACKTHIS:
Check:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (disabled by BHODemon)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

these items look suspicious (so check if you don't recognize these files)
O4 - HKLM\..\Run: [HyperOS Agent] c:\hyper\QUICKSYS.EXE
O4 - HKLM\..\Run: [HyperOS Active System Reporter] c:\hyper\ACTIVSYS.EXE
O4 - HKLM\..\Run: [WinMove] c:\hyper\WINMOVE.EXE

O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe
O14 - IERESET.INF: START_PAGE_URL=https://www.supanet.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098699610203
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
FIX CHECKED...........

5.RUN ADVANCED PROCESS TERMINATION:

F:\windows\vsnpstd.exe
select and then press "ALL" button in PROCESS CONTROL OPTIONS

6.FIND AND DELETE THESE FILES:(use Dr.Delete)
C:\WINDOWS\System32\blank.htm
F:\windows\vsnpstd.exe

(ONLY IF YOU DON'T RECOGNIZE THESE FILES)
C:\hyper\QUICKSYS.EXE
C:\hyper\ACTIVSYS.EXE
C:\hyper\WINMOVE.EXE (also folder hyper)

7.SCANS:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot
run scan with ScanSpyware (do complete scan)
run scan with Stinger
run scan with Mwav (all scan options)
run scan with SysClean
run scan with TDS-3 (choose all choices to scan in SCAN CONTROL)

8.CLEANING
run CCleaner (analyze---run cleaner)

9.ENABLE SYSTEM RESTORE

10.REBOOT


let me know if it worked...post new log after that....thx
Emilio
Posted 4/3/2005 3:25 PM
#12158
Hirve
Hi Emilio, Thanks for reply.
will try & post result or new log.

FYI:-
c:\hyper\*.* files recognised as multi-op system files.
they're ok.
they handle all O/S drives similar to XP dual-boot systems only you can have as many O/S as you like.
just make a partition, install & go.
annyhoo, I digress.
Off to apply solution (which I reckon will work, given your hundreds of prior successes).

I really appreciate this assistance.
many, many thanks
hirve
Posted 4/4/2005 1:42 PM
#12209
Hirve
K Emilio, here's the result.
Have id'd some (NOT USED or no name & no file), the three hyperOS files are fine,
Do you see anything else?

Drive is fine, browser looks fine apparently, loads google search page & works, accesses internet ok.

Just curious about these few oddments & the DPF

Look forward to hearing from you.

diolch yn fawr ( ta very much )
Hirve


Logfile of HijackThis v1.98.2
Scan saved at 14:00:58, on 04/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\windows\System32\smss.exe
F:\windows\system32\winlogon.exe
F:\windows\system32\services.exe
F:\windows\system32\lsass.exe
F:\windows\system32\svchost.exe
F:\windows\system32\svchost.exe
F:\windows\Explorer.EXE
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Documents and Settings\Stuart\My Documents\Dls\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - F:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - F:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HyperOS Agent] c:\hyper\QUICKSYS.EXE
O4 - HKLM\..\Run: [HyperOS Active System Reporter] c:\hyper\ACTIVSYS.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WinMove] c:\hyper\WINMOVE.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpyBot - S&D] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IW ControlCenter] F:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zSPGuard] f:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [mwavscan] "C:\mwavscan.com" /s
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - F:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - F:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
Posted 4/4/2005 2:01 PM
#12210
Emilio (SVK)
the "bad" item is still there...ok try this progress:

>click here for download KillBox<

1.DISABLE SYSTEM RESTORE

2.REBOOT TO THE SAFE MODE

3.SHOW HIDDEN FILES

4.RUN KILLBOX:

a./check "Delete file on reboot"
b./check "End Explorer Shell While Killing File"

c./browse and select F:\windows\vsnpstd.exe

d./then press "Delete file" (red button with white cross)

e./message: Reboot now? -> press NO -> pending for reboot

5.RUN ADVANCED PROCESS TERMINATION:(some may not exists)
F:\windows\vsnpstd.exe
use kill button "ALL" for terminate process

6.RUN HIJACKTHIS:
Check:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
FIX CHECKED.........

7.CLEANING
run CCleaner (analyze-run cleaner)

8.ENABLE SYSTEM RESTORE

9.REBOOT

post new log after that......
Emilio
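The two replies above work through the log by hand: the first picks out BHO/toolbar registrations and services whose file is gone, plus Run entries whose binary is not where a vendor tool usually sits; the second compares the new log against the old one to see what the fix actually removed. The script below is an added example written for this page, not code from the thread, from the forum, or from HijackThis itself. It applies those same checks to a log and diffs two logs. The two sample logs embedded in it are constructed, cut-down versions of the ones posted (with the Windows Update URL truncated), the heuristics and their wording are mine, and a flag is only a reason to verify a file (publisher, version info, hash against the vendor), never proof of infection.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not code from the forum or from HijackThis.
It mechanises the checks the replies apply by hand:

  * O2/O3 entries whose target is "(no file)"     -> orphaned registration, safe to fix
  * O23 services marked "(file missing)"          -> service entry with no binary behind it
  * O4 Run entries with a bare filename (no path) -> resolved via PATH at logon; verify on disk
  * O4 Run entries launched from the Windows root -> unusual place for a vendor tool; verify
  * O16 DPF entries with no download URL          -> dead ActiveX download record

diff() shows what changed between two logs of the same machine, which is how
you confirm a cleanup step actually removed the entry you targeted.
"""
import re
from typing import Dict, List, Optional, Tuple

# "O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe" -> section "O4", body "HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.+)$")

# "[Name] target.exe": an executable given without drive letter or directory
BARE_EXE_RE = re.compile(r"\]\s+\"?(?P<target>[^\\\"/\s]+\.exe)\"?(?:\s|$)", re.I)

# an .exe directly under \windows\ rather than in System32 or Program Files
WINDIR_ROOT_RE = re.compile(r"\\windows\\[^\\\s]+\.exe", re.I)


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every R/O section line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def flag(section: str, body: str) -> Optional[str]:
    """Return a triage reason for one entry, or None if nothing stands out."""
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return "orphaned BHO/toolbar registration (no file)"
    if section == "O23" and "(file missing)" in body:
        return "service registered but binary missing"
    if section == "O4":
        if BARE_EXE_RE.search(body):
            return "Run entry with bare filename (resolved via PATH, verify on disk)"
        if WINDIR_ROOT_RE.search(body):
            return "Run entry launching from the Windows root (verify publisher/version)"
    if section == "O16" and body.rstrip().endswith("-"):
        return "DPF entry with no download URL"
    return None


def triage(log: str) -> Dict[str, str]:
    """Map each flagged 'section - body' line to the reason it was flagged."""
    flagged = {}
    for section, body in parse(log):
        reason = flag(section, body)
        if reason is not None:
            flagged[f"{section} - {body}"] = reason
    return flagged


def diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(added, removed) section lines between an earlier and a later log."""
    old = {f"{s} - {b}" for s, b in parse(before)}
    new = {f"{s} - {b}" for s, b in parse(after)}
    return sorted(new - old), sorted(old - new)


# Constructed samples: shortened versions of the two logs in the thread (not the real files).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1 (constructed sample)
Running processes:
F:\windows\System32\smss.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - F:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [snpstd] F:\windows\vsnpstd.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://v5.windowsupdate.microsoft.com/...
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.2 (constructed sample)
Running processes:
F:\windows\System32\smss.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - F:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [mwavscan] "C:\mwavscan.com" /s
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE).items():
        print(f"[verify] {reason}\n         {line}")
    added, removed = diff(LOG_BEFORE, LOG_AFTER)
    print("added since first log:", *added, sep="\n  ")
    print("gone since first log:", *removed, sep="\n  ")
```

Two things the script makes visible that are easy to miss reading the raw log: a Run entry with a bare filename (CARPService, SoundMan, CHotkey in the posted log) is resolved through PATH at logon, so what the entry says tells you nothing about which file actually runs until you locate it on disk; and the first log's O16 entry is not flagged because it carries a download URL, and a DPF record pointing at windowsupdate.microsoft.com is what the Windows Update site's own ActiveX control leaves behind, so it is a poor candidate for a fix. The diff between the constructed logs mirrors what the thread shows: the orphaned BHO and the Windows-root Run entry are gone, the scanner the user ran has left its own Run entry, and the DPF line has lost its URL rather than disappeared.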