Backdoor AZU virus???

Unknown

Hi. You guys have helped me out a couple other times which I REALLY appreciated, so I'm hoping you can help with this new problem. It's on a co-worker's computer. Apparently, there was a virus in an e-mail message. It said something about Osama bin Laden being captured and click here for pictures. It was a zip file. He downloaded the zip file to a floppy, so he could scan it first. The virus scan didn't detect anything. But right after that (I'm a little hazy on what happened here), his computer started acting weird. It takes forever for anything to come up, like opening any programs. He also is getting a message about virtual memory being very low, even though there isn't much running. I can try to get him to post a hijack log if necessary, but he has a copy of what the log was before this all happened, and he said it is exactly the same now as it was then. Thanks so much.

Shadow2018

Have him run panda software's activescan. This is an online scan and should detect and disinfect his virus. Have him save the scan results and post it here with a Hijack This log.

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

jenerik9

I ran the Panda active scan. It didn't detect anything. Here is the latest hijack this log. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 5:10:39 PM, on 8/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
c:\lotus\organize\org5.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R3 - Default URLSearchHook is missing
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [^JUHyfbtdhMIaYLMKOP] C:\WINNT\system32\huozwjbnyzbuha.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
O4 - Global Startup: Map Network Drives.lnk = C:\LOGON.BAT
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.wqa.org/CFIDE/classes/CFJava.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/135aa49c0a61f0237a06/netzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26F0A885-8EC0-4E35-9498-002CD541FE40}: NameServer = 64.255.96.2,64.255.96.3
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust InoculateIT Admin Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shadow2018

Place a checkmark next to these entries and click Fix Checked. Be sure to close all other open windows before proceeding:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [^JUHyfbtdhMIaYLMKOP] C:\WINNT\system32\huozwjbnyzbuha.exe


Delete this file:

C:\WINNT\system32\huozwjbnyzbuha.exe

I suggest removing "spykiller" from your system. It is of questionable quality and repute. Get Ad-aware SE 1.06 to replace it.

http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html

If you do not use the "my search Bar" then remove it as well.

Run two of these online scans:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://www.bitdefender.com/scan8/ie.html

http://housecall.trendmicro.com/

There may be files that cannot be removed/disinfected by these scans. Please include this information in your next post with a new Hijack This log.

jenerik9

Ok. He ran two scans. The panda software scan found over 1,000 viruses. It said it disinfected them all. Then the bitdefender scan found more. That one said it deleted them all. Here is the newest log. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 3:44:10 PM, on 8/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\lotus\organize\easyclip.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
O4 - Global Startup: Map Network Drives.lnk = C:\LOGON.BAT
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.wqa.org/CFIDE/classes/CFJava.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/135aa49c0a61f0237a06/netzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26F0A885-8EC0-4E35-9498-002CD541FE40}: NameServer = 64.255.96.2,64.255.96.3
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust InoculateIT Admin Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoNmSrv.exe
O23 - Service: eTrust InoculateIT RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Shadow2018

Great. His log is now clean. Does the system seem to be running a bit more smoothly? Having anymore problems?

jenerik9

The only problem he seems to be left with has to do with defrag. He tried to start it with start=programs=accessories=system tools. It gave him an error message about a certificate not being valid or something. But he found the dfrg.msc file in the system32 folder and opened that. Then defrag worked fine. Do you have any idea why the first way no longer works? Thanks.

jenerik9

I just got additional info on the defrag error. It says "the certificate stores could not be enumerated. the system cannot find the file specified." that then takes him to the certificates window.

He also had something else happen this morning. He has Spybot. He removed and reinstalled it because he was getting a message saying "no disk" and wanting him to insert disk into drive /device/harddisk1/dr1

He ran it after reinstall and got a message while it was running - but the message was in German!! It said xuron55(date; c:/winnt/win.ini kann nicht geoffnet worden. The process cannot access the file.

Shadow2018

I cannot get a reasonable translation into english for that phrase.

Have him run activescan again and post the results. I can tell from that if he is having a virus issue.

Uninstall spybot and then delete the spybot folder in the C: directory.
Download Spybot once again and try it. Let me know the results.

Shadow2018

O.K. After a bit more research I have found that this is an issue that seems to happenwith spybot on older versions of windows. This should not be treated as a security threat just yet but go ahead and run activescan just to be sure.

After re-installing spybot make sure it is updated with the latest definitions and try running it again. Let me know if the same error message comes up.