new here. help with virus..

Discussion in 'Trojan Defence Suite' started by rsxtreme, May 21, 2004.

Thread Status:
Not open for further replies.
  1. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    I caught a virus this morning.. some trojan dialer.. AVG took care of it..
    Now I ran Ad-Aware to check for spyware.. and AVG pops up with "Java/ByteVerify virus".. I run AVG and it doesn't even show up.. help?..

    here is my scan..
    Logfile of HijackThis v1.97.7
    Scan saved at 7:41:37 PM, on 5/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\****\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    help..? :) o_O :blink:
     
  3. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
  4. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    thanks.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome!
    early morning here when you wrote :)

    Is there a specific reason why you posted in the TDS forum, are you using TDS too? If so, make sure it's fully updated and do a full system scan with all scan options checked and other unnecessary programs closed, and most of all other scanners like your AVG: open the AVG console, uncheck all the options so the icon turns grey and let TDS do its scan.
    The same for your Norton scanner, also the resident protection out.
    BTW: did you scan with AVG with Norton up? Chances are you don't find much then, as the one scanner protects the other and access to files might be blocked.

    If you don't run TDS yet, get a free evaluation version at www.diamondcs.com.au; after install go back to that download page for an update of the latest definitions, which you just put in that TDS directory, and reboot your system before you do the scanning.
    When that scan is done you should have results in the bottom console; right-click one of the finds, choose "save to text" and that scandump.txt is what we would like to see here in your next posting. Don't do anything with the alerts yet, just give us your scan results in your next posting.

    Did you have the Spybot S&D and Ad-aware anti-spy programs installed as well? In the same thread where the HijackThis explanation and download link is, are those two important programs. Talking about those later. As they should be able to find this as well, configure them on deep scanning so you see in Spybot the registry keys involved as well.

    Now first let's look at what the experts have to say about your HJT log.

    I'm no expert, but Googled for this file ALCXMNTR.EXE. Can you please be so kind as to send that in to submit@diamondcs.com.au (zipped if you can, or change the exe into tmp)? This you can do even before any of your scans, or I expect TDS to alarm on it too.
    It might be spyware; RealTek AC97 Event Monitor, i see advice to fix these two
    C:\WINDOWS\ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    reboot into SAFEMODE and delete
    C:\WINDOWS\ALCXMNTR.EXE
    but don't yet till real experts tell you.

    EDIT:
    I see you opened a new thread https://www.wilderssecurity.com/showthread.php?p=181315#post181315
    (we could have moved your thread so you wouldn't have had to post again, but ok......)
    For the HJT log part I guess it's best to keep that discussion there in that thread; if you get TDS (which I surely would advise as an extra layer in your detection and defense) keep that part of the discussion here.
     
    Last edited: May 22, 2004
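As an added illustration, not code from this thread or from any of the tools mentioned in it: a small Python parser for the HijackThis log format posted above. It picks out the O4 Run entries whose command is a bare executable name with no path (the pattern that makes ALCXMNTR.EXE, VTTimer.exe and LTMSG.exe stand out, since Windows locates such a file by searching PATH) and the O10 line naming the missing LSP DLL; the embedded sample lines are copied from the log in the first post.

```python
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O4 - HKLM\\..\\Run: [ccApp] "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\\..\\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\\..\\Run: [ares] "C:\\Program Files\\Ares\\Ares.exe" -h
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""

# O4 line: "O4 - HKLM\..\Run: [EntryName] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O10 line reporting a missing Winsock LSP provider DLL
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<dll>[^']+)' missing")

def executable_of(cmd: str) -> str:
    """Program part of a Run command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def parse_o4(log: str) -> List[Tuple[str, str, str]]:
    """(hive, entry name, executable) for every O4 Run line in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], executable_of(m["cmd"])))
    return entries

def bare_name_entries(log: str) -> List[str]:
    """Names of O4 entries whose executable has no drive or directory part.
    Windows resolves such a name by searching PATH, so the file can sit in any
    directory on that path; locate the real file before deciding it is benign."""
    return [name for _, name, exe in parse_o4(log) if not re.search(r"[\\/:]", exe)]

def broken_lsp_dlls(log: str) -> List[str]:
    """DLL names from O10 'LSP provider ... missing' lines (a broken Winsock chain)."""
    found = []
    for line in log.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            found.append(m["dll"])
    return found
```

Running `bare_name_entries(SAMPLE_LOG)` on the sample returns the four entries a helper would ask about first: VTTimer, LTMSG, AlcxMonitor and NVIEW.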
  6. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    Thanks for your time for helping.. I'm running the TDS scan right now.. so far so good..? Hm, it scanned past the ALCXMNTR.EXE and no signs of anything.. should I go into safe mode and delete the alcxmntr.exe?
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wait with deleting it. Can you please be so kind as to send a copy of it to submit@diamondcs.com.au so they can decide if it needs to be added to the detection databases?
    And you can also visit www.kaspersky.com/remoteviruschk.html where you can upload it on the page and in a few seconds you see what KAV has to say about it online.
    Also Spybot S&D would find and delete it for you (including the regkey if you have that on deep detection).
    Did TDS find other things on your system? As that bytecode stuff is not related to this one (I think).
    Did the experts in the HJT forum tell you to fix this thing in the meantime?
    If so, do get rid of it without hesitation!
     
  8. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    It found 5 minor things.. like misread file, etc. Not sure how to fix it.. I closed it :doubt: :blink:
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can right-click on one of the alarms in the bottom console and save as text, so we could have told you from your posting how to deal with them. But first of all congratulations you found only a few things!
    You did grab the latest database I hope, so you should have [34619 references - 13190 primaries/9775 traces/11654 variants/other]
    in the display, right?
    If you right-click on a file you have a few choices: save the names in a text file, submit the file to the address I just gave with one button click (works if you configured your email address and outbox in the configuration top left), look deeper into the file or delete it.

    A read error, I wonder... was it that files were locked? That can happen if another scanner is still running and blocks access to the file, for instance.
    What to look for are "suspicious", "possible....." and "positive identification" with some indication. If you right-click on a file you can delete it.
    You're on XP, so System Restore: if you cleansed real nasties from your system, you can disable System Restore, reboot, enable System Restore and make a new restore point manually, so the nasty stuff stays really away from your system.

    The other adware thing I mentioned you can fix easily with HJT by closing all the other programs, running HJT again and checking the things to fix (so you can wait with the reboot and System Restore disable/reboot/enable etc. till that is done too).
    Might be necessary to delete it in safe mode indeed if it would not go otherwise.
     
  10. rsxtreme

    rsxtreme Registered Member

    Joined:
    May 21, 2004
    Posts:
    28
    I sent a copy of the ALCXMNTR.EXE.. no response yet..
     
  11. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, rsxtreme

    Weekend! So you MIGHT not hear from DiamondCS until Monday.

    TheQuest :cool:
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oh sorry! I should have mentioned that. The quick seconds work is via the KAV online check; I love that thing as a second opinion, even though it misses some nasties at times, but I think 98% (?) of the time it is right.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the meantime I saw Snapdragin posted in the other thread about that same file I mentioned, which was fortunately the same as I wrote.
    To fix in HijackThis, just open HJT again and let it run, close all other applications except HJT itself, put a checkmark for that line indicated, press the "fix" button and it is removed from your registry in the safest way.
    To get rid of the file itself -- in most cases you'll have to reboot into safe mode to be able to delete it.
    In TDS you might have seen it in the running processes list where you can kill it and delete it, or maybe it was in the Windows task list as well where after killing its process it could be deleted, or if it would connect to the outside world you would have seen traffic in Port Explorer on it where you could kill it, etc.
    Many ways to deal with it.
     