Options
SSPMyDoom.cih - here is my log!!!!
Can anybody tell me which applications in my log are related to this virus?
Thanks a lot to everybody
Logfile of HijackThis v1.99.1
Scan saved at 11.53.33, on 24/02/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\Programmi\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\ORL\VNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\desk95.exe
C:\Programmi\NavNT\vptray.exe
C:\WINNT\system32\winvh.exe
C:\WINNT\system32\internat.exe
C:\WINNT\winas.exe
C:\Programmi\Qualcomm\Eudora\Eudora.exe
C:\Programmi\Microsoft Office\Office\Winword.exe
C:\Programmi\Microsoft Office\Office\EXCEL.EXE
C:\WINNT\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\dw15.exe
J:\campcfin.exe
C:\Eudora\Attach\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.amm.uniud.it/amm-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.amm.uniud.it:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {138BBD1D-DFD1-EB1D-6766-7A8D87618F9C} - C:\WINNT\appkq.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [vptray] C:\Programmi\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winvh.exe] C:\WINNT\system32\winvh.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7AE9D90-00C2-4A24-B23F-630CEA0F6DB8}: Domain = amm.uniud.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7AE9D90-00C2-4A24-B23F-630CEA0F6DB8}: NameServer = 158.110.1.7,158.110.104.233,130.186.1.53
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\NavNT\defwatch.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Programmi\NavNT\rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmi\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINNT\winas.exe
Thanks a lot to everybody
Logfile of HijackThis v1.99.1
Scan saved at 11.53.33, on 24/02/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\Programmi\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\ORL\VNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\desk95.exe
C:\Programmi\NavNT\vptray.exe
C:\WINNT\system32\winvh.exe
C:\WINNT\system32\internat.exe
C:\WINNT\winas.exe
C:\Programmi\Qualcomm\Eudora\Eudora.exe
C:\Programmi\Microsoft Office\Office\Winword.exe
C:\Programmi\Microsoft Office\Office\EXCEL.EXE
C:\WINNT\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\dw15.exe
J:\campcfin.exe
C:\Eudora\Attach\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.amm.uniud.it/amm-proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.amm.uniud.it:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {138BBD1D-DFD1-EB1D-6766-7A8D87618F9C} - C:\WINNT\appkq.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [vptray] C:\Programmi\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [winvh.exe] C:\WINNT\system32\winvh.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7AE9D90-00C2-4A24-B23F-630CEA0F6DB8}: Domain = amm.uniud.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7AE9D90-00C2-4A24-B23F-630CEA0F6DB8}: NameServer = 158.110.1.7,158.110.104.233,130.186.1.53
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programmi\NavNT\defwatch.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Programmi\NavNT\rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmi\ORL\VNC\WinVNC.exe" -service (file missing)
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINNT\winas.exe
0
Comments
When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.
Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nybso.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {138BBD1D-DFD1-EB1D-6766-7A8D87618F9C} - C:\WINNT\appkq.dll
O4 - HKLM\..\Run: [winvh.exe] C:\WINNT\system32\winvh.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Workstation NetLogon Service (�%AF夶À¨) - Unknown owner - C:\WINNT\winas.exe
Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient.). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.
To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.
Next, launch Notepad (click Start > Run > type notepad.exe and press enter). When the file is open, rightclick and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.
While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not delete them):
C:\WINNT\system32\winvh.exe
C:\WINNT\winas.exe
Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files. Post a new Hijack This log (and your About Buster log).