AVG detected that a trojan virus was installed (unfortunately I thought logging was on but it wasn't, so I don't know the name). I got the latest AVG and ran a scan - found nothing.
Some time later I rebooted my machine. My firewall (Outpost) detected that explorer.exe was attempting a connection to www.the911site.net every 30 seconds.
Running a full AVG scan again found nothing.
I then got the latest Ad-Aware and Spybot and ran those - found around 16 diallers and I quarantined them.
Rebooted my machine and Outpost detected that rundll.exe was trying to connect to the same website. A few more scans and reboots and back to explorer.exe trying to make the connection.
I tried to replace the explorer.exe file with an older version, but I suspect it was never actually infected.
Here is the HijackThis log. Hope you can spot something.
Logfile of HijackThis v1.97.7
Scan saved at 20:49:55, on 03-Apr-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Tools\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
D:\PROGRA~1\Tools\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
D:\Program Files\Tools\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Tools\Active SMART\ActiveSMART.exe
D:\Program Files\Tools\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Tools\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Tools\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] D:\PROGRA~1\Tools\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Tools\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ryateb] "C:\WINNT\system32\ryateb.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Active SMART.lnk = D:\Program Files\Tools\Active SMART\ActiveSMART.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Tools\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZyXEL ADSL.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7911.5937731481
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
www.the911site.net connection every 30 secs
Started by wszarmach, Apr 03 2004 06:58 PM
#1
Posted 03 April 2004 - 06:58 PM
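The symptom in the first post, one process opening a connection to the same host at a fixed interval, is the classic beacon pattern, and it is worth checking for mechanically rather than by eye. The script below is an added example, not part of the thread and not Outpost's own log format: it parses constructed connection-attempt lines (timestamp, process, protocol, destination, action; the lines are made up to match the symptom described, with some irregular browser traffic as noise) and flags any process/destination pair whose gaps between attempts are nearly constant. Keep in mind that the process named in such an alert (explorer.exe, rundll32.exe) is the process the code runs inside, not necessarily the file that needs removing; the poster later found a ryateb.dll alongside ryateb.exe, which is consistent with a DLL loaded into those processes, and the persistence entries in the HijackThis log are where the thread actually located it.

```python
"""Beacon-periodicity check over firewall connection-attempt lines.

Added example for this thread; not part of the original post and not
Outpost's log format.  SAMPLE_LOG is constructed: it imitates the
symptom described (explorer.exe -> www.the911site.net every 30 s) and
adds irregular browser traffic as noise.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, one attempt per line:
#   <timestamp> <process> <protocol> <destination> <action>
SAMPLE_LOG = """\
2004-04-03 20:30:05 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:30:09 iexplore.exe TCP www.google.ch:80 allowed
2004-04-03 20:30:35 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:30:41 iexplore.exe TCP www.google.ch:80 allowed
2004-04-03 20:31:05 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:31:35 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:32:05 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:32:20 iexplore.exe TCP www.google.ch:80 allowed
2004-04-03 20:32:36 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:33:05 explorer.exe TCP www.the911site.net:80 blocked
2004-04-03 20:34:50 iexplore.exe TCP www.google.ch:80 allowed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) (?P<proto>\S+) "
    r"(?P<dst>\S+) (?P<action>\S+)$"
)


def parse_lines(text):
    """Return (timestamp, process, destination) tuples; lines that do not
    match the constructed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["proc"], m["dst"]))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.1):
    """Flag every (process, destination) pair seen at least min_hits times
    whose inter-attempt gaps are nearly constant.  max_jitter is the
    allowed coefficient of variation (population stdev / mean) of the
    gaps; 0.1 tolerates a second or two of scheduler drift on a 30 s
    timer but rejects ordinary interactive browsing."""
    by_key = defaultdict(list)
    for ts, proc, dst in events:
        by_key[(proc, dst)].append(ts)

    findings = []
    for (proc, dst), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append({
                "process": proc,
                "destination": dst,
                "period_s": round(statistics.median(gaps)),
                "hits": len(stamps),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_lines(SAMPLE_LOG)):
        print(f"{f['process']} -> {f['destination']}: "
              f"every {f['period_s']} s, {f['hits']} attempts")
```

On the constructed sample only the explorer.exe pair survives: iexplore.exe has too few attempts and its gaps vary widely. Raise `min_hits` on a busy host to avoid flagging short bursts, and remember that a beacon with deliberate random jitter will push the coefficient of variation above the threshold, so this catches the fixed-timer case the thread describes, not every beacon.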
#2
Posted 04 April 2004 - 12:14 AM
Check the following items in HijackThis.
If you do not recognize the first entry 'ryateb.exe', then go ahead and remove it. I can find nothing on it. If we do need it, the HJT backup will allow us to restore.
O4 - HKLM\..\Run: [ryateb] "C:\WINNT\system32\ryateb.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
Close all windows except HijackThis and click Fix checked:
Reboot in Safe Mode and delete the following: (you may need to show hidden files**)
C:\WINNT\system32\ryateb.exe (only if removed above)
C:\WINNT\system32\internat.exe
**Show hidden files/folders as per the instructions here http://www.tacktech....ay.cfm?ttid=190
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot. (not necessary, but recommended)
Post another HiJackThis log in this thread for final review.
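The reply above works through the log by hand; the same triage can be scripted. The example below is added here and is not part of the thread or of HijackThis: it parses the O4 Run-key and O16 DPF lines copied from the first log (Global Startup shortcut lines are left out for brevity), resolves what each Run entry actually loads (the DLL or CPL argument for rundll32 lines, the executable otherwise), and sorts entries into known names, vendor-path entries, and unknown names that sit in a Windows directory or carry no path at all, which is where ryateb.exe lands. The allowlists are assumptions for illustration. A name match is not clearance, since malware borrows legitimate names (internat.exe is allowlisted here as the Windows 2000 input-locale tray indicator, exactly the kind of name that gets borrowed), so follow any name-based pass with a hash or signature check of the file on disk. For O16 the script refuses to rate an entry whose URL the forum shortened with "...", since the visible host could be a prefix of something else; only the complete ipbill.com loader.cab line, the one the reply flags, is judged.

```python
"""Triage of HijackThis O4 (Run-key) and O16 (Download Program Files,
i.e. ActiveX) entries.

Added example for this thread: not part of the original post and not
HijackThis's own code.  HJT_LOG is copied from the first log posted in
the thread; the allowlists below are assumptions for illustration.
"""
import re

HJT_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Tools\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] D:\PROGRA~1\Tools\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Tools\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ryateb] "C:\WINNT\system32\ryateb.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7911.5937731481
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
HOST_RE = re.compile(r"^https?://(?P<host>[A-Za-z0-9.-]+?)(?:\.\.\.|/|$)")

# Assumed allowlists.  KNOWN_WINDOWS ships with Windows 2000 (internat.exe is
# the input-locale tray indicator); KNOWN_VENDOR are NVIDIA/Nero files that
# their installers drop into system32.  A name match only says the name is
# familiar: confirm the file on disk with a hash or signature check.
KNOWN_WINDOWS = {"mobsync.exe", "rundll32.exe", "internat.exe"}
KNOWN_VENDOR = {"nvcpl.dll", "nwiz.exe", "nerocheck.exe"}
TRUSTED_HOSTS = ("apple.com", "microsoft.com", "windowsupdate.com", "macromedia.com", "akamai.net")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_token(cmd):
    """Split a Run command into (executable, remaining arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:]
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _payload(cmd):
    """What the entry really loads: the DLL/CPL argument for rundll32 lines,
    otherwise the executable itself."""
    exe, rest = _first_token(cmd)
    if _basename(exe) in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0].strip()
    return exe


def triage_o4(log):
    rows = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = _payload(m["cmd"])
        base, low = _basename(target), target.lower()
        if base in KNOWN_WINDOWS or base in KNOWN_VENDOR:
            verdict = "known"
        elif "program files" in low or "progra~1" in low:
            verdict = "low"      # vendor path: still verify, but not where droppers usually land
        else:
            verdict = "review"   # unknown name, bare or under the Windows directory
        rows.append({"hive": m["hive"], "name": m["name"], "target": target, "verdict": verdict})
    return rows


def triage_o16(log):
    rows = []
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        hm = HOST_RE.match(url)
        host = hm["host"] if hm else ""
        if "..." in url:
            verdict = "unverifiable"   # forum shortened the URL; judge from the raw log, not this
        elif any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
            verdict = "trusted"
        else:
            verdict = "suspicious"
        rows.append({"clsid": m["clsid"], "desc": m["desc"] or "(no name)", "host": host, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in triage_o4(HJT_LOG) + triage_o16(HJT_LOG):
        print(r)
```

Run as-is it lists ryateb.exe and the bare amecsa.cpl as "review" (the latter is a real control-panel name the reply did not flag, which is the point: this produces a worklist to verify, not verdicts), the vendor-path entries as "low", and only the ipbill.com DPF line as "suspicious". Every other O16 line comes back "unverifiable" because its URL is truncated in the post; the original HijackThis log on the machine has the full URLs.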
#3
Posted 04 April 2004 - 09:13 AM
Thanks!! That seems to have done the trick. The outgoing connections appear to have stopped. There was also a ryateb.dll which I got rid of.
Thanks again.
Here is the new log:
Logfile of HijackThis v1.97.7
Scan saved at 11:04:00, on 04-Apr-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Tools\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
D:\PROGRA~1\Tools\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
D:\Program Files\Tools\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
D:\Program Files\Tools\Active SMART\ActiveSMART.exe
D:\Program Files\Tools\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Tools\Adobe Reader 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Tools\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] D:\PROGRA~1\Tools\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Tools\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Active SMART.lnk = D:\Program Files\Tools\Active SMART\ActiveSMART.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Tools\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZyXEL ADSL.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7911.5937731481
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft...ols/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F15BE9D2-6851-4D7A-8257-624E46C877E1}: NameServer = 194.230.1.168 194.230.1.200
#4
Posted 04 April 2004 - 08:09 PM
Great news, your system is clean at last.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.
More info and download is available at:
SpywareBlaster: http://www.javacools...areblaster.html
SpywareGuard: http://www.wildersse...ywareguard.html
IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.
More info and download is available at:
IE/Spyad:
http://www.staff.uiu...es/resource.htm
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.