mjkohler (Member, join:2004-07-14, New Zealand)
HJT Log - malware and possible trojan infection

Pop-ups and ads, plus Internet Explorer keeps opening up on res://xnlog.dll/index.html#96676.
Antivirus and firewall not installing properly.
TDS notes a change detected in the autostart registry; Trend Micro scan picked up 127 unrepairable 'trojan agent.72' infected files - mostly .dll's - have since deleted them all.
Red Sheriff and Alexa deleted.

I have tried McAfee Online Scan - no results.
NAV Online Scan - no results.
Trend Micro Online Scan: for the first 24 hours it would close IE, then on the second day I managed to get it to work, when it picked up the above mentioned 127 infected files.

Tried CWShredder - no result.
Spybot S&D - picked up Red Sheriff and some other entries, am not sure what they were.
At the moment I have System Restore turned off so that anything found and deleted does not come back again.
Ad-Aware - changed settings as mentioned - first scan picked up Alexa and Red Sheriff but after that none since.

Tried TDS - no trojan detected, however I notice that a change has been detected in the registry autostart.

Log as follows:

Logfile of HijackThis v1.98.0
Scan saved at 8:45:49 p.m., on 14/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wincu32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Geek Superhero\GeekSuperhero.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\system32\CH_Utility.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Asus\Asus Hotkey\Hotkey.exe
C:\WINDOWS\system32\msno.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnlog.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xnlog.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnlog.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00B4D9DA-4CA0-9F67-B881-787806788C35} - C:\WINDOWS\addxo32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunOnce: [wincu32.exe] C:\WINDOWS\wincu32.exe
O4 - HKLM\..\RunOnce: [winan.exe] C:\WINDOWS\winan.exe
O4 - HKLM\..\RunOnce: [appjm.exe] C:\WINDOWS\system32\appjm.exe
O4 - HKLM\..\RunOnce: [cryk.exe] C:\WINDOWS\system32\cryk.exe
O4 - HKLM\..\RunOnce: [crld.exe] C:\WINDOWS\crld.exe
O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
O4 - HKLM\..\RunOnce: [netmk.exe] C:\WINDOWS\system32\netmk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Chrontel TV.lnk = C:\WINDOWS\system32\CH_Utility.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: ASUS Hotkey.lnk = C:\Program Files\Asus\Asus Hotkey\Hotkey.exe
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperHeroBugSwat.dll (file missing)
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperHeroSlapdown.dll (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17556588-9364-4899-87C7-8B8BD7D7F89A}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{17556588-9364-4899-87C7-8B8BD7D7F89A}: NameServer = 202.27.158.40 202.27.184.3
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

I would heaps appreciate some help with this :)

John2g (Premium Member, join:2001-08-10, England)

You are going to have to wait until an expert comes along that is able to help you remove this CWS infection.
alien8 (Member, join:2004-03-03, UK) to mjkohler

While you wait for an expert to come along... it may be worth submitting this file:
C:\WINDOWS\system32\xnlog.dll

to this site:
http://virusscan.jotti.dhs.org/

This will check which type of trojan/malware it is.

Cheers,

Steve

ColdinCbus (Premium Member, join:2002-12-28, Columbus, OH) to mjkohler

Here is the fix for your PC:

1. Download this tool called AboutBuster: http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. If you followed the FAQ you already have Ad-Aware installed. Make sure it's up to date. Just open Ad-Aware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen.

3. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online.

4. Make sure your PC is configured to show hidden files

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnlog.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xnlog.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnlog.dll/index.html#96676
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00B4D9DA-4CA0-9F67-B881-787806788C35} - C:\WINDOWS\addxo32.dll

O4 - HKLM\..\RunOnce: [wincu32.exe] C:\WINDOWS\wincu32.exe
O4 - HKLM\..\RunOnce: [winan.exe] C:\WINDOWS\winan.exe
O4 - HKLM\..\RunOnce: [appjm.exe] C:\WINDOWS\system32\appjm.exe
O4 - HKLM\..\RunOnce: [cryk.exe] C:\WINDOWS\system32\cryk.exe
O4 - HKLM\..\RunOnce: [crld.exe] C:\WINDOWS\crld.exe
O4 - HKLM\..\RunOnce: [sdkal.exe] C:\WINDOWS\sdkal.exe
O4 - HKLM\..\RunOnce: [netmk.exe] C:\WINDOWS\system32\netmk.exe

and delete the following files if present.

C:\WINDOWS\system32\xnlog.dll
C:\WINDOWS\addxo32.dll
C:\WINDOWS\wincu32.exe
C:\WINDOWS\system32\msno.exe

8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the left pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find one, right-click it in the right pane and choose Delete.

9. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

10. Scan with Adaware and let it remove any bad files found.

11. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

12. Reboot to normal mode, scan again with Hijack This and post a new log here.

13. NOTE: Two, possibly 3, files were also deleted from your computer and need to be replaced.

Control.exe
hosts (with no extension)
SDHelper.dll (if you are using Spybot Search & Destroy)

If control.exe is missing:
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

14. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.

15. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
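A way to pick the entries step 7 targets out of a HijackThis log automatically, added here as an example (it is not part of the thread, and not code from the HijackThis tool): it flags the four kinds of entries the fix above removes (res:// start and search pages, the missing URLSearchHook, the unnamed BHO, and the HKLM RunOnce loaders under C:\WINDOWS). The sample lines are a constructed subset of the log posted above; the section codes and reason labels are assumptions of this script.

```python
import re
from typing import List, Tuple

# Sample input: a subset of the HijackThis log posted in this thread,
# embedded here (constructed from the post) so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xnlog.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xnlog.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00B4D9DA-4CA0-9F67-B881-787806788C35} - C:\WINDOWS\addxo32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunOnce: [wincu32.exe] C:\WINDOWS\wincu32.exe
O4 - HKLM\..\RunOnce: [appjm.exe] C:\WINDOWS\system32\appjm.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""

# Every HijackThis entry starts with a section code such as R0, R1, O2, O4.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# HKLM RunOnce entries pointing straight into C:\WINDOWS or C:\WINDOWS\system32 (step 7's loaders).
RUNONCE_RE = re.compile(
    r"^HKLM\\\.\.\\RunOnce: \[[^\]]+\] C:\\WINDOWS\\(?:system32\\)?[^\\]+$",
    re.IGNORECASE,
)

def flag_hjt_lines(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries matching the CWS indicators
    this thread's fix targets; anything else is left alone."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "= res://" in body.lower():
            # IE start/search page served from a local DLL resource (xnlog.dll)
            findings.append(("res:// start/search page", line))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(("URLSearchHook removed", line))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("unnamed BHO", line))
        elif kind == "O4" and RUNONCE_RE.match(body):
            findings.append(("RunOnce loader in Windows dir", line))
    return findings

if __name__ == "__main__":
    for reason, line in flag_hjt_lines(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Legitimate Run entries under Program Files (Synaptics, Norton, Spy Sweeper) pass through untouched, which is the point: the script narrows the log to the lines worth a second look rather than deciding for you.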
mjkohler (Member, join:2004-07-14, New Zealand)

Many thanks, will get back here later to let you know how it turns out.