Hello Experts,
My XP-based desktop system is not working properly. It has some virus/trojan etc. that is creating a
lot of trouble for me, as I am not able to run much software.
I just formatted C: and reinstalled XP and the problem started. Maybe D: is infected.
I am not able to install Visual Studio; if I try, when I run the setup file it does not run.
So I am not able to run the silentrunner.vbs file to find out which suspicious activities are running
in the background.
I tried HijackThis and it created the following log. Apart from it, I found another text file,
Yahoopath.txt, and a log directory with tens of files in it which I was unable to delete.
Also, a D:\Funny UST Scandal.exe file and some folders, which I deleted but which were recreated
automatically. I have tried some MalwareRemover, AntiTrojan software etc. also, but it was of no use.
I am sending the 4 text files:
- contents of Yahoopath.txt,
- 2 log files created by the HijackThis utility (HijackThis.txt and StartupList.txt)
- one more file with some data which I could somehow get from my system; it contains some registry
entries and some autorun file names etc.
Further, I am not able to run Regedit, MsConfig, Ctrl+Alt+Del or Run->Command, and I am not able to
use the Internet either. I am sending this mail from my laptop, which by the grace of God is working
well.
Still further, I have installed Kaspersky and Avira trial-version antivirus on my desktop, but
this naughty malware escapes from them as well.
Please suggest me some solution.
Contents of the log file produced by HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:21 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Oracle\Ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\Oracle\Ora81\bin\oradim.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\killer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: lsass.exe
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: OracleOraHome81Agent - oracle - C:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown owner - C:\Oracle\Ora81\bin\vppdc.exe (file missing)
O23 - Service: OracleOraHome81TNSListener - Unknown owner - C:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceSOOD - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 4400 bytes
Contents of StartupList.txt produced by HijackThis:
StartupList report, 2/19/2008, 11:21:18 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Oracle\Ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\Oracle\Ora81\bin\oradim.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\killer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
lsass.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
avgnt = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton AntiVirus\osCheck.exe"
isCfgWiz = "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Runonce = C:\WINDOWS\smss.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe, killer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\killer.exe|||\
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 4,475 bytes
Report generated in 0.370 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Contents of Yahoopath.txt found in C:\ :
2/17/2008  C:\log\YahooMail.exe
2/17/2008  D:\autorun.exe
2/17/2008  C:\log\YahooMail.exe
2/17/2008  C:\log\YahooMail.exe
2/17/2008  C:\log\YahooMail.exe
2/19/2008  C:\log\YahooMail.exe
2/19/2008  C:\log\YahooMail.exe
2/19/2008  C:\a4a8761bfce6eacf849647a3f7\empty.exe
2/19/2008  C:\WINDOWS\win.exe
Contents of another file from which I could collect some information:
c:\windows\system32\new folder.exe
c:\windows\killer.exe
C:\DOCUME~1\Sandeep\LOCALS~1\Temp\vs60wiz.exe
C:\DOCUME~1\Sandeep\LOCALS~1\Temp\Temporary Directory 1 for startuplist.zip\StartupList.exe
C:\DOCUME~1\Sandeep\LOCALS~1\Temp\vs60wiz.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\wscntfy.exe
desktop.ini in C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini in C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
UserInit = userinit.exe,New Folder.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - Newfolder.exe
HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager - BootExecute = autochek autochk*
Thanks.
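An added example, not part of the original post and not HijackThis's own logic: a small Python triage script that applies to a HijackThis/StartupList-style log the checks an experienced responder would make by eye on the logs above. It flags a second executable appended to the Winlogon Shell value, an extra entry appended to UserInit, a core system binary name (smss.exe, lsass.exe) running from outside System32 or sitting in the Startup folder, and an autorun.exe at a drive root. The sample log is constructed from lines quoted in the post; the rule names, the CORE_BINARIES list and the System32-only rule are this example's own assumptions for the XP layout shown.

```python
import ntpath
import re

# Core Windows binaries that, on the XP layout shown in the posted log, only run
# legitimately from %SystemRoot%\System32. A same-named file anywhere else is a
# masquerade. Assumption of this example, not a HijackThis rule.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"

# Legitimate Winlogon values: Shell is exactly explorer.exe; UserInit is userinit.exe
# (normally with its System32 path) followed by a trailing comma and nothing else.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = "userinit.exe"

# A quoted path, or a bare token ending in .exe (optionally with a drive prefix).
# '|' is excluded so PendingFileRenameOperations entries like 'x.exe|||\' split cleanly.
_EXE_RE = re.compile(r'"([^"]+)"|((?:[a-z]:\\)?[^\s",|]+\.exe)', re.I)

# Constructed sample: lines taken from the HijackThis, StartupList and hand-collected
# output in the post above; not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\WINDOWS\smss.exe
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: lsass.exe
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
HKCU\..\Policies: Shell=*Registry value not found*
UserInit = userinit.exe,New Folder.exe
D:\autorun.exe
"""


def _exe_paths(text):
    """Every executable path in a free-form value, quoted or bare."""
    return [q or b for q, b in _EXE_RE.findall(text) if (q or b).lower().endswith(".exe")]


def _outside_system32(path):
    return ntpath.dirname(path).lower().rstrip("\\") != SYSTEM32


def _value_after(key, line):
    """Text after 'key = ' on a line, or None; StartupList placeholders (*...*) are skipped."""
    m = re.search(rf"\b{key}\s*=\s*(.+)$", line, re.I)
    if not m or "*" in m.group(1):
        return None
    return m.group(1)


def triage(log_text):
    """Return (rule, evidence) findings, deduplicated, in first-seen order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Winlogon Shell: anything beyond explorer.exe is an injected second shell.
        shell = _value_after("Shell", line)
        if shell is not None:
            extra = [p.strip() for p in shell.split(",")
                     if p.strip() and p.strip().lower() not in EXPECTED_SHELL]
            findings.extend(("shell_hijack", p) for p in extra)
            continue
        # Winlogon UserInit: any entry other than userinit.exe is launched at every logon.
        userinit = _value_after("UserInit", line)
        if userinit is not None:
            extra = [p.strip() for p in userinit.split(",")
                     if p.strip() and ntpath.basename(p.strip()).lower() != EXPECTED_USERINIT]
            findings.extend(("userinit_hijack", p) for p in extra)
            continue
        # Startup folder: a core binary name here is never legitimate.
        m = re.match(r"O4 - Global Startup:\s*(.+)$", line, re.I)
        if m and ntpath.basename(m.group(1).strip()).lower() in CORE_BINARIES:
            findings.append(("startup_folder_masquerade", m.group(1).strip()))
            continue
        # Everything else (process list, Run keys, file lists): check each executable path.
        for exe in _exe_paths(line):
            if ntpath.basename(exe).lower() in CORE_BINARIES and _outside_system32(exe):
                findings.append(("core_name_outside_system32", exe))
            elif re.fullmatch(r"[a-z]:\\autorun\.exe", exe, re.I):
                findings.append(("drive_root_autorun", exe))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:30} {evidence}")
```

Run against the full logs in the post, the same rules single out the entries that matter: killer.exe as the appended Shell, New Folder.exe appended to UserInit, C:\WINDOWS\smss.exe in HKCU\..\Run and in the process list, lsass.exe in the common Startup folder, and D:\autorun.exe, while the legitimate System32 copies of smss.exe and lsass.exe and the Avira, Kaspersky, Symantec and Oracle entries produce nothing.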