Author Topic: My biggest attack ever  (Read 13298 times)


mizu

  • Guest
My biggest attack ever
« on: April 30, 2005, 03:22:18 PM »

Hi guys, I posted recently and things seemed to go well afterwards.
But no. I got so many attacks, and my firewall is detecting so many outgoing applications that I'm beginning to go crazy.

A known virus (1 in a thousand), Vxgame(1,2,3), cannot be erased
(although I did it yesterday); it reappears in my Windows folder. When I try to stop the process with Ctrl+Alt+Delete, it says that it was disabled by the administrator.

So that's it. I receive at least 15 warnings each time I connect to the internet, and nothing works with the antivirus. I've done 5 boot scans, archives included. Nothing.

Here is my HijackThis log. Please help!

p.s. (I did a scan with HijackThis yesterday; a lot of O1 and O4 entries I erased, but they reappear now too.)

-----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:29:33, on 2005-04-30
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\Sbg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\vxgame2.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame2.exe
C:\WINDOWS\System32\vxgame3.exe
C:\Documents and Settings\mizu\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guildwars.com/
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com

(part two in next post)

mizu

  • Guest
Re: My biggest attack ever
« Reply #1 on: April 30, 2005, 03:22:43 PM »
O4 - HKLM\..\Run: [E-Color Registration] C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Rtc] C:\WINDOWS\Sbg.exe
O4 - HKLM\..\Run: [Cjf] C:\WINDOWS\Bhc.exe
O4 - HKLM\..\Run: [Klh] C:\WINDOWS\Jfm.exe
O4 - HKLM\..\Run: [Rel] C:\WINDOWS\Lhq.exe
O4 - HKLM\..\Run: [Kdt] C:\WINDOWS\Jri.exe
O4 - HKLM\..\Run: [Sgn] C:\WINDOWS\System32\Paa.exe
O4 - HKLM\..\Run: [Huh] C:\WINDOWS\Mlh.exe
O4 - HKLM\..\Run: [Jaq] C:\WINDOWS\System32\Dev.exe
O4 - HKLM\..\Run: [Kea] C:\WINDOWS\Unc.exe
O4 - HKLM\..\Run: [Pnt] C:\WINDOWS\Lfb.exe
O4 - HKLM\..\Run: [Ltb] C:\WINDOWS\Bup.exe
O4 - HKLM\..\Run: [Maq] C:\WINDOWS\System32\Cgi.exe
O4 - HKLM\..\Run: [Ffe] C:\WINDOWS\System32\Bgi.exe
O4 - HKLM\..\Run: [Fcr] C:\WINDOWS\Mnr.exe
O4 - HKLM\..\Run: [Llb] C:\WINDOWS\Tgd.exe
O4 - HKLM\..\Run: [Bnj] C:\WINDOWS\System32\Ejj.exe
O4 - HKLM\..\Run: [Vhv] C:\WINDOWS\Thj.exe
O4 - HKLM\..\Run: [Eht] C:\WINDOWS\Lci.exe
O4 - HKLM\..\Run: [Jdp] C:\WINDOWS\System32\Ieh.exe
O4 - HKLM\..\Run: [Idm] C:\WINDOWS\Nvs.exe
O4 - HKLM\..\Run: [Gth] C:\WINDOWS\System32\Buh.exe
O4 - HKLM\..\Run: [Flp] C:\WINDOWS\All.exe
O4 - HKLM\..\Run: [Mdm] C:\WINDOWS\System32\Rbn.exe
O4 - HKLM\..\Run: [Dsq] C:\WINDOWS\Rbu.exe
O4 - HKLM\..\Run: [Osl] C:\WINDOWS\System32\Rot.exe
O4 - HKLM\..\Run: [Isu] C:\WINDOWS\Ajm.exe
O4 - HKLM\..\Run: [Ntp] C:\WINDOWS\System32\Jcf.exe
O4 - HKLM\..\Run: [Jpg] C:\WINDOWS\System32\Rtf.exe
O4 - HKLM\..\Run: [Gnh] C:\WINDOWS\System32\Tkt.exe
O4 - HKLM\..\Run: [Voi] C:\WINDOWS\System32\Sjg.exe
O4 - HKLM\..\Run: [Ntk] C:\WINDOWS\Tol.exe
O4 - HKLM\..\Run: [Tvo] C:\WINDOWS\Ekb.exe
O4 - HKLM\..\Run: [Ksq] C:\WINDOWS\Sjn.exe
O4 - HKLM\..\Run: [Kbo] C:\WINDOWS\System32\Ujg.exe
O4 - HKLM\..\Run: [Sii] C:\WINDOWS\Tfm.exe
O4 - HKLM\..\Run: [Dmd] C:\WINDOWS\System32\Thm.exe
O4 - HKLM\..\Run: [Omo] C:\WINDOWS\System32\Bsf.exe
O4 - HKLM\..\Run: [Dpl] C:\WINDOWS\Ets.exe
O4 - HKLM\..\Run: [Nss] C:\WINDOWS\Hvg.exe
O4 - HKLM\..\Run: [Anp] C:\WINDOWS\Eld.exe
O4 - HKLM\..\Run: [Hqr] C:\WINDOWS\System32\Ipj.exe
O4 - HKLM\..\Run: [Oar] C:\WINDOWS\Dvb.exe
O4 - HKLM\..\Run: [Dpf] C:\WINDOWS\System32\Tdl.exe
O4 - HKLM\..\Run: [Lkm] C:\WINDOWS\Ofh.exe
O4 - HKLM\..\Run: [Fnl] C:\WINDOWS\System32\Jhf.exe
O4 - HKLM\..\Run: [Trj] C:\WINDOWS\Dfd.exe
O4 - HKLM\..\Run: [Maf] C:\WINDOWS\System32\Fkl.exe
O4 - HKLM\..\Run: [Rvg] C:\WINDOWS\System32\Aht.exe
O4 - HKLM\..\Run: [Acm] C:\WINDOWS\System32\Ltl.exe
O4 - HKLM\..\Run: [Sqp] C:\WINDOWS\Roe.exe
O4 - HKLM\..\Run: [Clo] C:\WINDOWS\Nob.exe
O4 - HKLM\..\Run: [Mdr] C:\WINDOWS\Uab.exe
O4 - HKLM\..\Run: [Omu] C:\WINDOWS\Hlj.exe
O4 - HKLM\..\Run: [Fvm] C:\WINDOWS\Fdi.exe
O4 - HKLM\..\Run: [Poq] C:\WINDOWS\System32\Aep.exe
O4 - HKLM\..\Run: [Sim] C:\WINDOWS\Jth.exe
O4 - HKLM\..\Run: [Msq] C:\WINDOWS\Nqh.exe
O4 - HKLM\..\Run: [Qdr] C:\WINDOWS\Mng.exe
O4 - HKLM\..\Run: [Gso] C:\WINDOWS\Smq.exe
O4 - HKLM\..\Run: [Fmp] C:\WINDOWS\System32\Lid.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Rtc] C:\WINDOWS\Sbg.exe
O4 - HKCU\..\Run: [Cjf] C:\WINDOWS\Bhc.exe
O4 - HKCU\..\Run: [Klh] C:\WINDOWS\Jfm.exe
O4 - HKCU\..\Run: [Rel] C:\WINDOWS\Lhq.exe
O4 - HKCU\..\Run: [Kdt] C:\WINDOWS\Jri.exe
O4 - HKCU\..\Run: [Sgn] C:\WINDOWS\System32\Paa.exe
O4 - HKCU\..\Run: [Huh] C:\WINDOWS\Mlh.exe
O4 - HKCU\..\Run: [Jaq] C:\WINDOWS\System32\Dev.exe
O4 - HKCU\..\Run: [Kea] C:\WINDOWS\Unc.exe
O4 - HKCU\..\Run: [Pnt] C:\WINDOWS\Lfb.exe
O4 - HKCU\..\Run: [Ltb] C:\WINDOWS\Bup.exe
O4 - HKCU\..\Run: [Maq] C:\WINDOWS\System32\Cgi.exe
O4 - HKCU\..\Run: [Ffe] C:\WINDOWS\System32\Bgi.exe
O4 - HKCU\..\Run: [Fcr] C:\WINDOWS\Mnr.exe
O4 - HKCU\..\Run: [Llb] C:\WINDOWS\Tgd.exe
O4 - HKCU\..\Run: [Bnj] C:\WINDOWS\System32\Ejj.exe
O4 - HKCU\..\Run: [Vhv] C:\WINDOWS\Thj.exe
O4 - HKCU\..\Run: [Eht] C:\WINDOWS\Lci.exe
O4 - HKCU\..\Run: [Jdp] C:\WINDOWS\System32\Ieh.exe
O4 - HKCU\..\Run: [Idm] C:\WINDOWS\Nvs.exe
O4 - HKCU\..\Run: [Gth] C:\WINDOWS\System32\Buh.exe
O4 - HKCU\..\Run: [Flp] C:\WINDOWS\All.exe
O4 - HKCU\..\Run: [Mdm] C:\WINDOWS\System32\Rbn.exe
O4 - HKCU\..\Run: [Dsq] C:\WINDOWS\Rbu.exe
O4 - HKCU\..\Run: [Osl] C:\WINDOWS\System32\Rot.exe
O4 - HKCU\..\Run: [Isu] C:\WINDOWS\Ajm.exe
O4 - HKCU\..\Run: [Ntp] C:\WINDOWS\System32\Jcf.exe
O4 - HKCU\..\Run: [Jpg] C:\WINDOWS\System32\Rtf.exe
O4 - HKCU\..\Run: [Gnh] C:\WINDOWS\System32\Tkt.exe
O4 - HKCU\..\Run: [Voi] C:\WINDOWS\System32\Sjg.exe
O4 - HKCU\..\Run: [Ntk] C:\WINDOWS\Tol.exe
O4 - HKCU\..\Run: [Tvo] C:\WINDOWS\Ekb.exe
O4 - HKCU\..\Run: [Ksq] C:\WINDOWS\Sjn.exe
O4 - HKCU\..\Run: [Kbo] C:\WINDOWS\System32\Ujg.exe
O4 - HKCU\..\Run: [Sii] C:\WINDOWS\Tfm.exe
O4 - HKCU\..\Run: [Dmd] C:\WINDOWS\System32\Thm.exe
O4 - HKCU\..\Run: [Omo] C:\WINDOWS\System32\Bsf.exe
O4 - HKCU\..\Run: [Dpl] C:\WINDOWS\Ets.exe
O4 - HKCU\..\Run: [Nss] C:\WINDOWS\Hvg.exe
O4 - HKCU\..\Run: [Anp] C:\WINDOWS\Eld.exe
O4 - HKCU\..\Run: [Hqr] C:\WINDOWS\System32\Ipj.exe
O4 - HKCU\..\Run: [Oar] C:\WINDOWS\Dvb.exe
O4 - HKCU\..\Run: [Dpf] C:\WINDOWS\System32\Tdl.exe
O4 - HKCU\..\Run: [Lkm] C:\WINDOWS\Ofh.exe
O4 - HKCU\..\Run: [Fnl] C:\WINDOWS\System32\Jhf.exe
O4 - HKCU\..\Run: [Trj] C:\WINDOWS\Dfd.exe
O4 - HKCU\..\Run: [Maf] C:\WINDOWS\System32\Fkl.exe
O4 - HKCU\..\Run: [Rvg] C:\WINDOWS\System32\Aht.exe
O4 - HKCU\..\Run: [Acm] C:\WINDOWS\System32\Ltl.exe
O4 - HKCU\..\Run: [Sqp] C:\WINDOWS\Roe.exe
O4 - HKCU\..\Run: [Clo] C:\WINDOWS\Nob.exe
O4 - HKCU\..\Run: [Mdr] C:\WINDOWS\Uab.exe
O4 - HKCU\..\Run: [Omu] C:\WINDOWS\Hlj.exe
O4 - HKCU\..\Run: [Fvm] C:\WINDOWS\Fdi.exe
O4 - HKCU\..\Run: [Poq] C:\WINDOWS\System32\Aep.exe
O4 - HKCU\..\Run: [Sim] C:\WINDOWS\Jth.exe
O4 - HKCU\..\Run: [Msq] C:\WINDOWS\Nqh.exe
O4 - HKCU\..\Run: [Qdr] C:\WINDOWS\Mng.exe
O4 - HKCU\..\Run: [Gso] C:\WINDOWS\Smq.exe
O4 - HKCU\..\Run: [Fmp] C:\WINDOWS\System32\Lid.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C83B63A2-A53D-425C-A6E4-6CE6714804F8}: NameServer = 206.108.60.11 206.108.60.12
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
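The two-part log above is the kind of thing a small triage script can work through mechanically. The following Python is an added example written for this thread, not HijackThis code and not something the avast! forum provides; it embeds a constructed excerpt of the posted log and flags the Shell= line that launches more than Explorer.exe, the capitalised three-letter Run entries pointing at three-letter executables in the Windows folder, the RunServices entry, the Winlogon Notify DLL, and then joins those autorun findings against the running-process list. The category labels and the three-letter-name heuristic are this example's own choices, not rules from the tool.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not HijackThis code).
The heuristics below are this example's own; tune them to the log in front of you."""
import re
from collections import Counter

# Constructed excerpt of the log posted above (paths exactly as they appear there).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\Sbg.exe
C:\WINDOWS\System32\vxgame2.exe
C:\WINDOWS\System32\vxgame2.exe

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Rtc] C:\WINDOWS\Sbg.exe
O4 - HKLM\..\Run: [Cjf] C:\WINDOWS\Bhc.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Rtc] C:\WINDOWS\Sbg.exe
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')
# Capitalised three-letter value name launching a three-letter .exe placed directly
# in C:\WINDOWS or System32: the shape of the "[Rtc] C:\WINDOWS\Sbg.exe" lines.
RANDOM_NAME_RE = re.compile(r'^[A-Z][a-z]{2}$')
RANDOM_EXE_RE = re.compile(r'^C:\\WINDOWS\\(?:System32\\)?[A-Z][a-z]{2}\.exe$')


def parse_log(text):
    """Split a HijackThis log into the running-process list and the keyed entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False
            continue
        if line == 'Running processes:':
            in_processes = True
            continue
        (processes if in_processes else entries).append(line)
    return processes, entries


def triage(text):
    """Return (category, detail) findings; the categories are this example's labels."""
    processes, entries = parse_log(text)
    findings = []
    flagged_paths = set()
    for entry in entries:
        m = F2_RE.match(entry)
        if m and m.group(1).strip().lower() != 'explorer.exe':
            # Shell= should be exactly Explorer.exe; extra tokens run at every logon.
            findings.append(('shell-hijack', m.group(1)))
            continue
        m = O4_RE.match(entry)
        if m:
            hive, key, name, command = m.groups()
            path = command.strip().strip('"')
            if RANDOM_NAME_RE.match(name) and RANDOM_EXE_RE.match(path):
                findings.append(('random-autorun', f'{hive}\\{key} [{name}] {path}'))
                flagged_paths.add(path.lower())
            elif key == 'RunServices':
                # Windows 9x key that XP itself does not process; on XP it is
                # usually left by malware written to persist on both families.
                findings.append(('runservices-autorun', f'[{name}] {path}'))
                flagged_paths.add(path.lower())
            continue
        m = O20_RE.match(entry)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe before any user session.
            findings.append(('winlogon-notify', f'{m.group(1)} -> {m.group(2)}'))
    # Join the autorun findings against what is running right now.
    for path, count in Counter(p.lower() for p in processes).items():
        if path in flagged_paths:
            findings.append(('flagged-and-running', f'{path} x{count}'))
    return findings


def summarize(findings):
    """Count findings per category for a one-line report."""
    return dict(Counter(category for category, _ in findings))


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:22} {detail}')
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved log with `triage(open('hijackthis.log').read())`; the join at the end is the useful part, because an autorun entry that is also present in the process list is the one a boot-time scan has to clear before the registry edit will stick.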

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89118
  • No support PMs thanks
Re: My biggest attack ever
« Reply #2 on: April 30, 2005, 03:31:35 PM »
Both your OS and IE are way out of date and as such more vulnerable to attack; you should get these updated.

Files or processes in use can't be moved or deleted; they are protected by Windows.
Try the scheduled boot-time scan in avast's menu (or try the 'Schedule Boot-Time Scan' using RajZor's AEC avast! External Control Tool).

For an on-line scan of your HijackThis log file try here: http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1. If you need any help with any of the analysis, let us know.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: My biggest attack ever
« Reply #3 on: April 30, 2005, 04:34:28 PM »
Mizu,

Try cleaning your system with an avast! boot-time scan, Trend Micro Sysclean and TDS-3 (which has a working trial version and is good at pulling Trojans out of memory; don't forget to download the update file), TrojanHunter and all the good spyware killers, trial and free: Webroot, Ad-aware, Spybot, Yahoo! AntiSpy, MS AntiSpyware and X-Cleaner Free, ONE AFTER THE OTHER while you're offline.

This will remove 99% of nasties. (If you're lucky 100%!)

Even so, check all running processes afterwards with Process Explorer and monitor internet traffic for anything suspicious. Warnings from avast! Network Shield can indicate a worm still in memory.

Of course, that 1% can still be a problem!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mizu

  • Guest
Re: My biggest attack ever
« Reply #4 on: April 30, 2005, 05:22:48 PM »
OMG, that's going to be thrilling... and a lot of time too! Thanks for your great reply!

As I said in a previous post, I can't update my OS since I use the same Windows XP as my father.

I'll do as you say, and I'll post a fresh HijackThis log.

whocares

  • Guest
Re: My biggest attack ever
« Reply #5 on: May 01, 2005, 12:00:31 AM »

I can't update my OS since I use the same Windows XP as my father.

Then you should get a legal copy immediately.

(Incidentally, I heard you can apply SP2 also on pirated versions; not that I advise such a procedure.)

mizu

  • Guest
Re: My biggest attack ever
« Reply #6 on: May 01, 2005, 09:44:37 AM »
I did exactly what you told me. It took me 3 hours and I rebooted... but they seem to be persistent viruses.... My Task Manager is still blocked.

I need info on these: VXH8JKDQ7.exe and KERNELS32.exe

Also, Windows always pops this up when I restart my OS: cannot find c:\SLINSTALLER.exe

Here is a fresh log with the usual websites I've never heard of:

Logfile of HijackThis v1.99.1
Scan saved at 03:51:25, on 2005-05-01
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\rasautou.exe
C:\Documents and Settings\mizu\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


anbu

  • Guest
Re: My biggest attack ever
« Reply #7 on: May 01, 2005, 10:10:42 AM »
There is a trojan causing this problem. This trojan disables Task Manager. More information about this trojan can be found at

http://www.sophos.com/virusinfo/analyses/trojdloaderfc.html

http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=42421

galooma

  • Guest
Re: My biggest attack ever
« Reply #8 on: May 01, 2005, 11:24:40 AM »
Have you tried removing these files in SAFE MODE?
The letters VX would suggest a VX2/BetterInternet infection, which is one of those that keep morphing and evolving into bigger problems unless you can get a handle on it early. If you want to get nursed through it I suggest going here http://www.lurkhere.com/forum768.html and checking out all the others who have done the same. Most of your problems will be in the System32 folder of the Windows folder, including a guard file that controls/replaces all the others. If you're lucky they will all be visible.
Good luck :o
« Last Edit: May 01, 2005, 11:36:53 AM by Cloussau »

Offline FreewheelinFrank

Re: My biggest attack ever
« Reply #9 on: May 01, 2005, 11:51:14 PM »
Task Manager may be left broken even after the virus/Trojan has gone, I think?

There's a repair procedure I read somewhere, but can't think where just now.

There is also a much better utility you can download called Process Explorer:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

You need to reset your hosts file to get rid of the websites: find your hosts file and rename it. Windows will create a new one, if I remember correctly.

C:\Windows\System32\drivers\etc
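Before renaming the hosts file it is worth seeing what is in it, because a name mapped to a loopback address (the 127.0.0.3 lines in the logs above) only silences that site, while a name mapped to any other address sends that site's traffic wherever the file's author chose, which is the more dangerous case whatever the intent. The Python below is an added example for this thread, not code from the forum or from avast!; it parses a constructed hosts file built from entries in the posted logs, classifies each mapping, reports exact duplicates, and writes out a replacement containing only the stock localhost line. It works on text only, so run it on a copy of the file before touching the one under drivers\etc.

```python
r"""Audit and reset helper for a Windows hosts file (added example, not forum code).
Classification rules here are this example's own: 'default' for the stock
localhost line, 'blocked' for names pointed at this machine, 'redirected'
for names pointed anywhere else."""
import ipaddress
from typing import NamedTuple

# Constructed sample in hosts-file format, built from entries in the posted logs.
SAMPLE_HOSTS = """\
# constructed header comment
127.0.0.1       localhost
127.0.0.3 iframeprofit.com
127.0.0.3 www.iframeprofit.com   # inline comments are ignored
127.0.0.3 www.loadcash.biz
64.91.255.87 www.dcsresearch.com
127.0.0.3 iframeprofit.com
"""


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Return one HostsEntry per (address, hostname) pair, skipping comments
    and any line whose first token is not an IP address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split('#', 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for hostname in parts[1:]:
            entries.append(HostsEntry(parts[0], hostname.lower(), line_no))
    return entries


def classify(entry):
    """Decide what a mapping does to the name it covers."""
    ip = ipaddress.ip_address(entry.address)
    if entry.hostname == 'localhost' and ip.is_loopback:
        return 'default'
    if ip.is_loopback or ip.is_unspecified:
        return 'blocked'      # resolves to this machine: the site is silenced
    return 'redirected'       # resolves to an address chosen by whoever wrote the line


def audit(text):
    """Group entries by class; repeats of an identical mapping go to 'duplicate'."""
    report = {'default': [], 'blocked': [], 'redirected': [], 'duplicate': []}
    seen = set()
    for entry in parse_hosts(text):
        key = (entry.address, entry.hostname)
        if key in seen:
            report['duplicate'].append(entry)
            continue
        seen.add(key)
        report[classify(entry)].append(entry)
    return report


def clean_hosts(text):
    """Rebuild the file with only the default mapping(s). If the input had none,
    emit the stock 127.0.0.1 localhost line so localhost still resolves."""
    lines = ['# hosts file regenerated; non-default entries removed']
    for entry in audit(text)['default']:
        lines.append(f'{entry.address}\t{entry.hostname}')
    if len(lines) == 1:
        lines.append('127.0.0.1\tlocalhost')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    report = audit(SAMPLE_HOSTS)
    for category, entries in report.items():
        for e in entries:
            print(f'{category:10} line {e.line_no:>3}  {e.address:15} {e.hostname}')
    print(clean_hosts(SAMPLE_HOSTS))
```

The 'redirected' bucket is the one to read first: a loopback entry costs you a website, a redirect costs you the integrity of every connection to that name, so write those hostnames down before the file is replaced, in case something on the machine still expects them.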

mizu

  • Guest
Re: My biggest attack ever
« Reply #10 on: May 02, 2005, 03:37:40 AM »
Hi everybody, I just finished doing the 3-hour scan with 7 programs lol. This time, in safe mode  ;D

Everything seems to be okay; here's my HijackThis log.

Thanks to every one of you for sharing some time!!! You're all great!

----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 21:46:39, on 2005-05-01
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\mizu\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Offline FreewheelinFrank

Re: My biggest attack ever
« Reply #11 on: May 02, 2005, 09:26:17 AM »
You can delete the reference to kernels32.exe because it's a Trojan file:

http://www.pcflank.com/art46_2.htm

(O4 RunServices)

The file itself seems to have been deleted by one of the anti-virus programs you ran.

Why are some avast! files listed as missing? Maybe one of the avast! experts could comment on this.

You may need to restore some registry entries if Task Manager is not working: if it's not working, it doesn't mean the Trojan is still there.

http://www.pcflank.com/art46_3.htm

http://www.sophos.com/virusinfo/analyses/trojdloaderfc.html

The Sophos link explains how to restore Task Manager. It also mentions that the Trojan responsible may attempt to delete Windows files. Bear this in mind if you experience any problems.

Offline DavidR

Re: My biggest attack ever
« Reply #12 on: May 02, 2005, 01:55:05 PM »
Quote
Why are some avast! files listed as missing? Maybe one of the avast! experts could comment on this.
Non-expert here (Ex = has been {or unknown factor}, spert = a drip under pressure) ;D

Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing-file entry for avast). This has been mentioned many times in previous threads.

mizu

  • Guest
Re: My biggest attack ever
« Reply #13 on: May 02, 2005, 02:43:17 PM »
The Task Manager is working again. I had a trojan that did it.

I will now erase kernels32.exe.

I really see a difference now. I will somewhat try to buy another legal copy of Windows.
I can't update it.