Some sort of pif virus help required... (HijackThis log)

Posted: 2004-02-18 08:38pm
by El Moose Monstero
Picked up a virus today, product.zip with a product.txt.pif file inside, which then proceeded to copy several files from the list of programs seen in the Bereb.B viruses, things like sex sex sex.exe etc. Now, have AVG updated and running, it finds the files, deletes them, and then the virus puts them back on again.

Have run HijackThis - log posted

Logfile of HijackThis v1.97.7
Scan saved at 16:38:07, on 18/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\System32\diagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\MozillaFirebird\MozillaFirebird.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Paul Ayris\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Diagnostic Agent] diagent.exe
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\RunServices: [Diagnostic Agent] diagent.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/017b344310588e0c6e01/netzip/RdxIE601.cab
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} - http://www.swissquake.ch/chumbalum-soft/files/MS3DViewerOCX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Is there anything on there which could account for the self-maintaining thing? I've been searching high and low for the virus type and removal instructions, but am so far having no luck. Has anyone had similar problems or know the virus type?

Posted: 2004-02-18 09:38pm
by El Moose Monstero
Update - Virus has modified services.exe in my Windows directory, does anyone know how I can restore this file, as I believe this is the file which is causing the recopying of the files as it appears as a process being run by my username and system, which it doesn't on anybody else's... this is urgent here, people, any help would be very appreciated.

Posted: 2004-02-18 10:06pm
by El Moose Monstero
Ok, scratch that problem, that one wasn't too hard, now, how the hell do I repair what I think it's done to my _default.bat which appears to be some critical file which doesn't exist? Anyone at all here? I've been at this for 5 hours and am getting a little cranky, I fear... :)

Posted: 2004-02-18 10:49pm
by El Moose Monstero
Ah well, after 4 hours of me wrestling with it, Symantec have released a patch, maybe it was there all along but they hadn't updated their virus lists, gits...

The virus is W32.Netsky.B@MM, for future reference, and I suppose this thread can now be locked...

Posted: 2004-02-19 02:25am
by Vertigo1
Better check the registry while you're at it. Virii tend to modify the entries in the startup area so that if you delete something it generates, when you restart it'll just generate another one with a different name.

This, folks, is EXACTLY why, when you suspect you're infected with a bug, you scan from SAFE MODE. That way, it's very unlikely any program it generates is running, and if it is, it's easy to kill and delete. And you can scan at your leisure. This is also why, if you don't already know someone is going to send an e-mail with an attachment, you delete any e-mail you receive that has a funny-named attachment. Remember the "I Love You!" debacle? Matter of fact, unless you have prior knowledge of that person sending you an attachment, don't even open it. Stick it in the trash bin until you verify with that person what it is. That's always been my policy and I've yet to get infected with any virus or worm.

Posted: 2004-02-19 02:30am
by El Moose Monstero
Vertigo1 wrote:
Better check the registry while you're at it. Virii tend to modify the entries in the startup area so that if you delete something it generates, when you restart it'll just generate another one with a different name.

This, folks, is EXACTLY why, when you suspect you're infected with a bug, you scan from SAFE MODE. That way, it's very unlikely any program it generates is running, and if it is, it's easy to kill and delete. And you can scan at your leisure. This is also why, if you don't already know someone is going to send an e-mail with an attachment, you delete any e-mail you receive that has a funny-named attachment. Remember the "I Love You!" debacle? Matter of fact, unless you have prior knowledge of that person sending you an attachment, don't even open it. Stick it in the trash bin until you verify with that person what it is. That's always been my policy and I've yet to get infected with any virus or worm.
Yep, all sorted now, but the gist of the thing was that my mate does computer programming and I wasn't quite thinking when I received the email from him and assumed he'd written a program for some reason, it's been years since I've received a virus through email and Hotmail didn't catch it, so I tried extracting it.

The thing itself copied a file called services into Windows main directory pretending to be the one in system32, then put something in the registry which meant you couldn't terminate it as it thought it was a critical system process, it also did something with _default.bat, as even after removing system, the thing continued to reinstall all the files. I went into safe mode to remove the services file and ran a virus scan and it seemed clear, but it came back as soon as I went back to normal - in the end, I needed the removal tool to sort it out. Lesson learned again I think... :)
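Vertigo1's advice to check the startup entries, and the thread's own finding of a second services.exe dropped into C:\WINDOWS and launched from a Run key, can be checked mechanically. The Python below is an added example, not code from the thread: it parses the O4 entries and running-process lines of a HijackThis log and flags core process names that sit outside System32. SYSTEM32_ONLY and the sample log excerpt are assumptions constructed for the example (the excerpt reuses lines from the log above).

```python
import ntpath
import re
# Core processes that legitimately live only in %WINDIR%\System32 (assumed list for this example).
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe", "svchost.exe"}
# O4 line: "O4 - <key>: [<name>] <command>"; EXE_RE pulls the first program path out of <command>.
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|pif|scr))"?(?:\s|$)', re.I)

# Constructed sample: a few lines taken from the HijackThis log posted in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\services.exe
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [service] C:\\WINDOWS\\services.exe -serv
O4 - HKLM\\..\\RunServices: [Diagnostic Agent] diagent.exe
"""

def executable_path(cmd):
    """Program path from a Run-key command, with quotes and trailing arguments removed."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()

def masquerade_reason(path):
    """Why a path looks like a fake core process, or None if it looks normal."""
    folder, name = ntpath.split(path)
    if name.lower() not in SYSTEM32_ONLY:
        return None
    if not folder:
        return "bare name resolves via search path, not System32"
    if not folder.lower().endswith("\\system32"):
        return "core process name outside System32: %s" % folder
    return None

def find_masquerades(log_text):
    """Scan O4 entries and running-process lines; return (source, path, reason) hits."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            source = "O4 %s [%s]" % (m.group("key"), m.group("name"))
        elif re.match(r"^[A-Za-z]:\\", line):  # an entry under "Running processes:"
            path, source = line, "process"
        else:
            continue
        reason = masquerade_reason(path)
        if reason:
            findings.append((source, path, reason))
    return findings
```

On the sample excerpt only the `[service]` Run entry is reported; the genuine services.exe under system32 and the third-party entries pass.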