
SOS!! Virus and Spyware attack!!


Nature:
Hiya!

There are actually "maleviv" and "malevia." Maybe they are the same. I don't know.

The Symantec scan was online and did not clean the infected files. It simply reported.

It is possible that I could clean the infected areas with other software, but... why do these suspicious entries/files reappear?

Yes, I believe I tried to use Spy Catcher once. It was the free trial version that only reported the infections but did not clean them.

mauserme:

--- Quote ---It is possible that I could clean the infected areas with other software, but... why do these suspicious entries/files reappear?

--- End quote ---
I don't think we have files reappearing - maybe just some old HijackThis entries that haven't been fixed (i.e. removed) yet.  But I need a little more investigation.


eTrust points to the possibility of a System Surveillance Pro keylogger with these files

http://www3.ca.com/br/securityadvisor/pest/pest.aspx?id=453101898

C:\WINDOWS\spinsavc.exe
C:\WINDOWS\runprf32.exe

but Prevx calls spinsavc.exe a dropper

spinsavc.exe is in quarantine but we may still need to deal with runprf32.exe



Symantec identified the Spylantern keylogger (according to the online scan) in

C:\WINDOWS\system32\maleviv.exe is infected with Spyware.SpyLantern
C:\WINDOWS\system32\sahydulv.exe is infected with Spyware.SpyLantern
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog

Realistically, if keyloggers have been installed by someone who can access your computer there is no way to prevent their re-installation.  If they were installed by a dropper we may be more successful.  Do you have any feelings on which may be the case?



Aside from that, many Google hits show interceptor.dll as a trojan, but Castlecops associates it with Spy Catcher, which you say might have been installed on your computer.

http://www.castlecops.com/o20list-154.html

Since malevi.dll and suhydula.dll are in the O20 entry with interceptor.dll, I think we should assume for now they are related to the Spy Catcher installation.

So, let's do this:

Open an explorer window and click Tools, click Folder Options, click View.

Under Hidden Files and Folders make sure Show Hidden Files and Folders is checked.

Scroll down and make sure Hide Extensions for Known File Types and Hide Protected Operating System Files are not checked.

Click OK

Search your computer for the following files:


C:\WINDOWS\spinsavc.exe
C:\WINDOWS\runprf32.exe
C:\WINDOWS\system32\maleviv.exe
C:\WINDOWS\System32\malevi.exe
C:\WINDOWS\system32\sahydulv.exe
C:\WINDOWS\system32\sahydul.exe
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe

If any of these are found rename them to a .old extension.  Keep track of and post which were found and which were successfully renamed (some may need to be renamed in safe mode).

Close any other applications and run HijackThis again.  Put a check mark next to these entries (if present) and fix them.

O4 - HKLM\..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe (file missing)
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe (file missing)

Reboot, then post another HJT log.

One more question.  This line

O17 - HKLM\System\CCS\Services\Tcpip\..\{9AE2FD39-5FAF-4E98-9455-640018EDE7E4}: NameServer = 216.226.64.9 216.226.64.8

points to Newcom International in Miami.  Is that your ISP?
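As an added illustration (not code from this thread or from HijackThis), here is a small Python triage over the entry types mauserme walks through above: O20 AppInit_DLLs, O23 services whose binary is missing, O17 NameServer addresses that are not the ISP's own, and O4 autoruns that either go through rundll32 or sit directly in the Windows root. The sample lines are constructed from entries quoted in this thread, and `expected_dns` is an assumed parameter (the resolvers the user's ISP really hands out).

```python
import re

# Constructed sample in the HijackThis 1.99.1 line format quoted in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AE2FD39-5FAF-4E98-9455-640018EDE7E4}: NameServer = 216.226.64.9 216.226.64.8
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
WINROOT_RE = re.compile(r"(?i)^c:\\windows\\[^\\]+\.exe$")  # exe directly under C:\WINDOWS


def triage(log_text, expected_dns=()):
    """Return (section, reason, detail) tuples for the entry types the thread discusses.
    expected_dns (assumed parameter): resolver IPs the user's ISP really hands out."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            run = RUN_RE.match(rest)
            command = run.group(2) if run else ""
            if command.lower().startswith("rundll32 "):
                # rundll32 is a legitimate Windows host; the DLL it loads is what to review
                findings.append((section, "rundll32 loads DLL", command.split(None, 1)[1]))
            elif WINROOT_RE.match(command):
                # an autorun dropped straight into the Windows root is unusual for installed software
                findings.append((section, "autorun in Windows root", command))
        elif section == "O17" and "NameServer = " in rest:
            for addr in rest.split("NameServer = ", 1)[1].split():
                if addr not in expected_dns:
                    findings.append((section, "unexpected DNS server", addr))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # every DLL listed here is loaded into each process that maps user32.dll
            for dll in rest.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append((section, "AppInit DLL", dll.strip()))
        elif section == "O23" and rest.endswith("(file missing)"):
            # the service registration survived but its binary is gone: an orphaned entry
            path = rest[: -len("(file missing)")].strip().split(" - ")[-1]
            findings.append((section, "service binary missing", path))
    return findings
```

Run `triage(open("hijackthis.log").read(), expected_dns={...})` on a saved log; the Avast and Sygate lines in the sample produce no findings, everything the thread flags does.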

Nature:
1. "Realistically, if keyloggers have been installed by someone who can access your computer there is no way to prevent their re-installation.  If they were installed by a dropper we may be more successful.  Do you have any feelings on which may be the case?"

I suspect they had been installed manually by someone with access to the comp. >:(


2. "One more question.  This line

O17 - HKLM\System\CCS\Services\Tcpip\..\{9AE2FD39-5FAF-4E98-9455-640018EDE7E4}: NameServer = 216.226.64.9 216.226.64.8

points to Newcom International in Miami.  Is that your ISP?"

Interesting. This should not be my ISP because I am very far from Miami! ??? ??? >:(

3. "If any of these are found rename them to a .old extension.  Keep track of and post which were found and which were successfully renamed (some may need to be renamed in safe mode)."

Interestingly, I have searched (manually) for the entries u listed and I cannot find them. In fact, "Application Data" does not even have a "System Key" or "Winkey" as HJT showed. (That is after I have unchecked the boxes u suggested.)  However, I did find "rundll32.exe". This is strange because I have used two different software products to remove it and it persists!


I am working on your recommendations.

New HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:45 PM, on 1/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AE2FD39-5FAF-4E98-9455-640018EDE7E4}: NameServer = 216.226.64.9 216.226.64.8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

When I tried fixing the suggested entries (that persist), I got this message:

"An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan."


Hey! I did another Symantec online scan and got a clean bill of health. Yep!  Symantec now says it "appears" that there are no known infections on the comp.!! ;D Of course, this message still leaves me confused about the presence of the suspicious-looking files in the HJT logs. I really think that there is some other entry/file that causes them to reappear.  If I can fix that entry/file then maybe they will disappear 4ever!?!?  BTW, how do I track and kick out that hacker from Miami? >:(

mauserme:

--- Quote ---However, i did find "rundll32.exe" This is strange because i have used two different software products to remove it and it persists!
--- End quote ---
Be careful what you delete!  rundll32.exe is a valid, necessary Windows file that should be located in C:\Windows\System32.  If you find instances of this file in other locations we need to investigate that.

The O4 entry that has a reference to rundll32.exe is normally a method of running a program when Windows starts.  So MWSBAR.DLL is actually the suspect in that line, assuming MWSBAR.DLL is even present on your computer (I think it is not).  I think the reason you're getting the HJT error and the reason this line won't go away is because MWSBAR.DLL is a My Web Search BHO.  BHOs are normally O2 entries and toolbars are O3s.  I don't know why this is shown as an O4 but I think it's wrong.  I'm guessing HJT can't remove it under these circumstances and you get the error (which simply means HJT can't make a backup) for the same reason.

The people at My Web Search say removal by an anti-spyware program can cause problems and suggest using the uninstaller in Add/Remove Programs as the best method.  They also say reinstallation/uninstallation of My Web Search is one way to get rid of the problems, but I don't think this O4 entry will hurt anything if you leave it, so I'll leave that up to you.



--- Quote ---Hey! I did another Symantec online scan and got a clean bill of health.
--- End quote ---
Thanks.  I was going to ask you to do that because I had a feeling Spy Lantern might be gone but I wasn't sure.

I don't think the things we've done removed it so I wonder if whoever installed it noticed they were "busted" and saved you the trouble.  This is a good argument in favor of open, honest communications with the person or people who might have been the installer.  Since it was probably done out of concern for your well being, good communications might go a long way toward keeping it off your computer in the future.  Honestly, even though I understand your frustration with having had this on your computer, I wouldn't want to be in the middle of that anyway.


--- Quote ---BTW, how do i track and kick out that hacker from Miami?
--- End quote ---
Let's not jump to conclusions on this.  Newcom International appears to be a legitimate business that, in part, provides internet service to rural areas.  Does that make any sense?

Here's their home page

http://www.newcom-intl.com/cms/


So at this point the trojan that was causing your problems seems to be gone, even if HJT hasn't been able to remove the associated registry entries.  You could try deleting the current hijackthis.exe, re-extracting, and running a new scan.  Maybe a new copy would be more successful.  If you want to be extra sure about the trojan, run a full scan with AVG Anti-Spyware.  A scan with F-Secure BlackLight would be good too, since we've been working on some stealthy programs.

http://www.f-secure.com/blacklight/

When you use BlackLight make sure no other programs are open and don't surf.  You want your computer to be as static as possible.


Regarding this line

O20 - AppInit_DLLs: malevia.dll,sahydula.dll,interceptor.dll

I'm still guessing this is related to Spy Catcher.  Is it possible Spy Catcher is still installed on your computer?

Well, even more reason to try AVG and BlackLight just in case, and a fresh hijackthis.exe.

One other thing.  Upload ares.exe (C:\Program Files\Ares\Ares.exe) to Jotti and/or VirusTotal just to double check.

http://virusscan.jotti.org/

http://www.virustotal.com/en/indexf.html

It's likely just your P2P, but it can't hurt to have a look.



Nature:
Thanks 4 the advice, bud! I will update u on the happenings after I have done as u suggested.

Big thanks.

Regarding the ISP and Newcom, I do not live in the United States, nor do I reside in a rural area. So, I am still vewwwwy suspicious about Newcom and my computer!
