Backdoor.AFcore.BI

Discussion in 'malware problems & news' started by fritzjr, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. fritzjr

    fritzjr Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    4
    I have been through a lot of threads on this virus and found some useful info but nothing that has fixed my problem. Simply put, the virus has infected a dll file called lowlaz. I have no idea what this file is and does, and I have deleted the file, its reg keys and startup items, and still it persists. Here are the symptoms of this virus. When I start my computer in normal mode (non safe mode) AVG 6.0 tells me I'm infected; the problem lies in the fact that my computer then reboots on its own and will continue this insane cycle until I either 1. go into safe mode or 2. turn off the computer. What I think is happening is that the virus is flooding my memory, because every once in a while in normal mode my computer won't restart but go to a dreaded blue screen (first time I've seen one in XP) and tell me that some Windows process has encountered a critical error and that Windows has dumped my memory, please restart the computer. When I restart the computer I get the same AVG message and my computer then restarts on me and the same cycle resumes. I've done just about everything: CWShredder, AVG scan, HouseCall scan, Ad-Aware scan, manual registry key deletes, msconfig startup item deletes.
    And here for your viewing pleasure is my HJT log; please remember that I have to run it from safe mode and it's missing a ton of processes.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:06:20 PM, on 4/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HJT\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...4247453704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho...wflash.cab

    thanks in advance for help and/or advice.

    Fritz Jr.
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi fritzjr, and welcome to Wilders.

    Do you recall what name AVG gave the virus? *oops..just noticed the name of the virus in your title: Backdoor.AFcore.BI

    Your hjt log isn't revealing very much as you said it wouldn't while in safemode, but I am seeing two IE restrictions set there:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Did you set these yourself?

    Also, have you tried running your antivirus, the CWShredder, and Ad-Aware while in safe mode? If you haven't, I would try that next and let us know what happens.

    You could also post a Startup list from the HijackThis program.

    Open HijackThis and click on the button down near the right corner called "Config..."
    Then click on "Misc Tools", place a check in the box beside "List also minor sections (full)" and then click on the button "Generate StartupList log".

    Copy & paste the StartupList log here in your next post.

    With more information, we'll at least get a bit of a start to help you.

    Regards,

    snap
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First of all, re-enable everything in msconfig that you have disabled; then once we can see the entry we have a very good chance of fixing it.

    We need to have a log taken in normal mode, not safe mode, to fix this one.

    This is about the only virus/trojan that I know of that cannot be fixed in safe mode, as the actual file has to be running to be fixed.


    It is possible that we can deal with it once we see a startup list.

    It's unusual for Aflooder (Backdoor.AFcore.BI) to cause the symptoms you are experiencing; that sounds more like one of the RPC DCOM worms like Blaster that is causing the shutdowns.
     
    Last edited: Apr 23, 2004
  4. fritzjr

    fritzjr Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    4
    I somehow managed my way into normal mode. Instead of restarting, this time it tells me the system has recovered from a serious error. Here is the signature and files named in the error report.

    BCCode : e8 BCP1 : 825F5718 BCP2 : 82FD0020 BCP3 : 00000000
    BCP4 : 00000000 OSVer : 5_1_2600 SP : 1_0 Product : 256_1

    C:\WINDOWS\Minidump\Mini042104-15.dmp
    C:\DOCUME~1\FRITZJ~1\LOCALS~1\Temp\WERA.tmp.dir00\sysdata.xml

    Here also is the normal-mode HJT log with startup items re-enabled.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:27:40 AM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\HJT\HijackThis.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\UltraMon\UltraMonTaskbar.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ozkbopyd] C:\WINDOWS\ozkbopyd.exe
    O4 - HKLM\..\Run: [mnslwtet] C:\WINDOWS\mnslwtet.exe
    O4 - HKLM\..\Run: [lowlaz] rundll32 C:\WINDOWS\System32:lowlaz.dll,Init 1
    O4 - HKLM\..\Run: [ejgvmvca] C:\WINDOWS\System32\bylpbvkq.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.4247453704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    And here is the StartupList log you asked for.

    StartupList report, 4/23/2004, 9:30:37 AM
    StartupList version: 1.52
    Started from : C:\Program Files\HJT\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HJT\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\fritz jr\Start Menu\Programs\Startup]
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ozkbopyd = C:\WINDOWS\ozkbopyd.exe
    mnslwtet = C:\WINDOWS\mnslwtet.exe
    lowlaz = rundll32 C:\WINDOWS\System32:lowlaz.dll,Init 1
    ejgvmvca = C:\WINDOWS\System32\bylpbvkq.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Steam = "c:\program files\steam\steam.exe" -silent
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.4247453704

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\swflash.ocx
    CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,531 bytes
    Report generated in 0.047 seconds
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Let's deal with that first.
    Click Start->Run and paste this:

    rundll32 C:\WINDOWS\System32:lowlaz.dll,Uninstall

    You should get a "done" message. Then

    Run HijackThis, tick the entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked":


    O4 - HKLM\..\Run: [ozkbopyd] C:\WINDOWS\ozkbopyd.exe
    O4 - HKLM\..\Run: [mnslwtet] C:\WINDOWS\mnslwtet.exe
    O4 - HKLM\..\Run: [lowlaz] rundll32 C:\WINDOWS\System32:lowlaz.dll,Init 1
    O4 - HKLM\..\Run: [ejgvmvca] C:\WINDOWS\System32\bylpbvkq.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\ozkbopyd.exe
    C:\WINDOWS\mnslwtet.exe
    C:\WINDOWS\System32\bylpbvkq.exe

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R299 22.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now, to scan, just click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left


    AVG will continue to warn you about a virus, as it probably has been put into the System Restore folder & settings; this will cure that.
    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.
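A note on why the user could "delete the file" and still see the entry come back: in `C:\WINDOWS\System32:lowlaz.dll` the colon after `System32` is the NTFS alternate data stream separator, so `lowlaz.dll` is a stream attached to the System32 directory itself, not a file inside it. Explorer and a plain `dir` never list it, and because it is loaded by `rundll32`, the normal-mode process list shows only `rundll32.exe` (it is there in the second log above). The script below is an added example and not part of this thread or of any tool named in it: it parses HijackThis O4 lines and flags the stream path. The sample lines are the O4 entries from the normal-mode log above; the heuristics (stream-path detection, rundll32 host, executable placed directly in the Windows directory) are this example's own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the O4 (Run key) lines from the normal-mode HijackThis log
# posted in this thread, embedded here so the script runs offline.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ozkbopyd] C:\WINDOWS\ozkbopyd.exe
O4 - HKLM\..\Run: [mnslwtet] C:\WINDOWS\mnslwtet.exe
O4 - HKLM\..\Run: [lowlaz] rundll32 C:\WINDOWS\System32:lowlaz.dll,Init 1
O4 - HKLM\..\Run: [ejgvmvca] C:\WINDOWS\System32\bylpbvkq.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
"""

# HijackThis v1.9x O4 format: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First path in a command that ends in a loadable extension (handles unquoted
# paths containing spaces, and the "<dll>,<export>" form used by rundll32).
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|cpl))(?=[\s,]|$)", re.I)
# Executable placed directly in the Windows directory, not a subfolder
# (heuristic assumed for this example).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    target: str                      # file or stream the command actually loads
    ads: Optional[tuple] = None      # (host, stream) when target is an NTFS ADS
    notes: list = field(default_factory=list)


def split_ads(path: str) -> Optional[tuple]:
    r"""Return (host, stream) if path names an NTFS alternate data stream.

    After the drive specifier a second colon is the stream separator, so
    C:\WINDOWS\System32:lowlaz.dll is stream "lowlaz.dll" attached to the
    System32 directory, not a file inside it.
    """
    m = re.match(r"^([A-Za-z]:)(.*)$", path)
    drive, rest = (m.group(1), m.group(2)) if m else ("", path)
    if ":" not in rest:
        return None
    host, stream = rest.split(":", 1)
    return drive + host, stream


def extract_target(cmd: str) -> str:
    """Pick out the path a Run command really loads."""
    cmd = cmd.strip()
    if cmd.lower().startswith(("rundll32 ", "rundll32.exe ")):
        cmd = cmd.split(None, 1)[1]          # the DLL, not rundll32 itself
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]      # quoted path with spaces
    m = EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def analyse(log_text: str) -> list:
    """Parse O4 lines and attach heuristic notes to each Run entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = RunEntry(m["hive"], m["name"], m["cmd"], extract_target(m["cmd"]))
        e.ads = split_ads(e.target)
        if e.ads:
            e.notes.append(f"loads NTFS alternate data stream '{e.ads[1]}' attached to "
                           f"{e.ads[0]}; Explorer and dir do not list it")
        elif WINDIR_ROOT_RE.match(e.target):
            e.notes.append("executable sits directly in the Windows directory, "
                           "unusual for installed software")
        if e.command.lower().startswith("rundll32"):
            e.notes.append("runs inside rundll32.exe, so only rundll32.exe shows "
                           "in the process list")
        entries.append(e)
    return entries


def suspicious(entries: list) -> list:
    """Entries that triggered at least one heuristic."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in suspicious(analyse(HJT_SAMPLE)):
        print(f"[{e.hive}] {e.name}: {e.target}")
        for note in e.notes:
            print("   -", note)
```

On a live NTFS volume the stream itself can be confirmed with Sysinternals Streams, with `dir /R` in cmd on Vista and later, or with `Get-Item C:\Windows\System32 -Stream *` in PowerShell 3 and later; the XP-era tools on this page do not list streams, which is why the user's manual deletion never reached it.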
     
  6. fritzjr

    fritzjr Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    4
    I get an error stating that access is denied for C:\WINDOWS\System32:lowlaz.dll.

    I've also tried this as administrator in safe mode.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think that it's because you deleted the lowlaz.dll yourself, or that's what I think it says in the first post.

    It would be wise to follow Gavin's advice and download the TDS3 trial version to see if it is still on the system somewhere.
    Download
    TDS3 from http://tds.diamondcs.com.au/

    Download & install the 30 day free trial, and update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled.

    Then press Scan Control & tick all the little boxes in the bottom part of that window, press Save Configuration and then close that window by pressing the red X in the top right corner, then select System Testing and select Full System Scan.

    Sit back with a cup of coffee and watch what it finds.

    NOTE:

    Unlike set-and-forget AVs, TDS works with you; it doesn't auto-delete anything but puts a list of found suspect files in the bottom window.

    Right click any file it finds and it gives you options on dealing with it. The normal selection would be Delete, but first select "Save as text"; that will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    Post back with the TDS log after running, please. Just copy & paste the entries from the scandump.txt and we can tell you which ones to get the stream that Gavin wants to see.
     
  9. fritzjr

    fritzjr Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    4
    Scan Control Dumped @ 16:13:02 23-04-04
    Positive identification (DLL): DragonZap IRC FSMEM 1.02 (dll)
    File: c:\program files\mirc\hix\scripts\systeminfo\fsmem.dll

    Positive identification (DLL): DragonZap IRC Registry 1.05 (dll)
    File: c:\program files\mirc\hix\scripts\systeminfo\registry.dll

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\windows\unstsa2.exe

    It looks to me like somehow this thing has disappeared. I'm going to reboot and run HJT again and edit, posting the new HJT log.

    Here is the newest HJT log. I didn't get an AVG message on startup but I did when Windows was shutting down.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:23:45 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\program files\steam\steam.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\HJT\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.4247453704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is part of the BlazeFind hijacker:
    c:\windows\unstsa2.exe
    The 2 mIRC scripts are not necessarily bad but have the potential to be used for bad things; they are often dropped by a hacker so he can take over the system. If you did install them yourself then ignore them, otherwise fix them with TDS as well.

    To fix with TDS, right click any item in the bottom window and select Delete or whichever option it gives to fix it.
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As you have rebooted it will take too long to run TDS to fix the BlazeFind entry, so do this:

    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete c:\windows\unstsa2.exe

    Then reboot & then
    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.

    That should get rid of the AVG virus warning.

    If it isn't in the HJT log and TDS hasn't found the Aflooder then I think it's gone; if AVG keeps warning, make a note of its location and we'll try something different.
     