Request for help

Discussion in 'Malware Help (A Specialist Will Reply)' started by cesnur, Jan 6, 2006.

  1. cesnur

    cesnur Private E-2

    Problems started with Norton repeatedly calling attention to a trojan.zlob.d it claimed it was not able to delete. Originally trojan.zlob.d repeatedly generated msnsearchnet.exe files which in turn caused messages advertising various rogue anti-spyware pseudo-protectors to appear. Once a Lavasoft firewall was installed these messages were blocked. Norton however keeps telling me every five minutes or so that trojan.zlob.d is there and it cannot delete it. I have faithfully (I believe) followed all the steps in READ & RUN ME FIRST without finding very much. I attach the Bitdefender and Panda logs and enclose the HJT log. I didn't notice the dialers because this computer only uses a LAN connection. I didn't notice before reading the HJT log that the default page is www.ssesso.it (a pornographic page) because Internet Explorer opens by displaying the start page, but www.ssesso.it keeps re-installing itself as the default page even after downloading Microsoft's update today. I believe mscornet.exe detected by Bitdefender is evidence that trojan.zlob.d is still there.

    Bitdefender log

    BitDefender Online Scanner - Scan Report
    Scan report generated at: Thu, Jan 05, 2006 - 16:58:43

    Scan path: A:\;C:\;D:\;

    Statistics
    Time: 00:54:33
    Files: 478367
    Folders: 2831
    Boot Sectors: 3
    Archives: 8022
    Packed Files: 52398

    Results
    Identified Viruses: 1
    Infected Files: 1
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 0

    Engines Info
    Virus Definitions: 250407
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File Status
    C:\WINDOWS\system32\mscornet.exe  Infected with: BehavesLike:Win32.ExplorerHijack
    C:\WINDOWS\system32\mscornet.exe  Disinfection failed
    C:\WINDOWS\system32\mscornet.exe  Delete failed

    Panda ActiveScan Log

    Incident Status Location

    Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\mscornet.exe
    Adware:adware/windowenhancer Not disinfected C:\WINDOWS\SYSTEM32\SBUtils
    Adware:adware/sgrunt Not disinfected C:\Documents and Settings\Luca\Dati applicazioni\sgrunt
    Dialer:dialer.akd Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TTUNIM
    Dialer:dialer.dne Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Luca\Cookies\luca@2o7[1].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Luca\Cookies\luca@apmebf[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Luca\Cookies\luca@atdmt[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Luca\Cookies\luca@doubleclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Luca\Cookies\luca@mediaplex[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Luca\Cookies\luca@tribalfusion[1].txt
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Luca\Cookies\luca@2o7[1].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Luca\Cookies\luca@apmebf[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Luca\Cookies\luca@atdmt[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Luca\Cookies\luca@doubleclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Luca\Cookies\luca@mediaplex[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Luca\Cookies\luca@tribalfusion[1].txt

    HJT log
    Attached

    Thanks in advance for your help

    Best

    CESNUR

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. cesnur

    cesnur Private E-2

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. cesnur

    cesnur Private E-2

    Many thanks. I did as instructed and was able to delete a SpySheriff folder and the start page www.ssesso.it. I attach the logs; Panda tells me there is still bothering material.
    Do I really need to try to delete it - and how?
    Thanks
    Massimo

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. cesnur

    cesnur Private E-2

    I did as instructed and here are the Ewido and a new HJT log.
    Do I need to do anything else?
    Thanks
    CESNUR

  8. cesnur

    cesnur Private E-2

    PS "pulito con backup" means "cleaned with backup". Ewido offered me the alternative between German and English but somewhat automatically downloaded an Italian version.
     
  9. cesnur

    cesnur Private E-2

    PS2 Here is a second Ewido log. After Ewido cleaned up some malware I disabled System Restore, rebooted still in safe mode, repeated the scan and here is the new log.

  10. cesnur

    cesnur Private E-2

    PS3 I have manually eliminated the "tribalfusion" cookies and files. I have no idea what these are; this is a computer used by an employee who reported troubles with some delay.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Boot in safe mode and delete the below (they may be folders):
    C:\WINDOWS\SYSTEM32\SBUtils
    C:\Documents and Settings\Luca\Dati applicazioni\sgrunt

    Now get a new Panda log and tell me how things are working.

    Don't waste your time worrying about the cookies. They will come back each time you surf. You can just clean any cookies you want and select which to keep using CCleaner. Most cookies are not really even a problem.
     
  12. cesnur

    cesnur Private E-2

    I did as instructed and attach the Panda log. It seems only cookies remain.
    If you confirm this we can close this thread. No problems seem to remain.
    Many thanks
    CESNUR

  13. cesnur

    cesnur Private E-2

    Supplementary Request

    I received a request for help from another employee with similar problems. Her computer is not part of the same network as the original computer discussed here.
    I ran the "Read & Run Me First" procedure, the "Smitfraud Removal" procedure, and the "Running Ewido" procedure before doing a final Panda scan.
    Attached hereto are the HJT, smitfile, panda and ewido logs. Is this computer now clean? Or are the files mentioned by Panda ActiveScan still a problem?
    Best
    CESNUR

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's finish with this first computer before moving to a second.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  15. cesnur

    cesnur Private E-2

    I did proceed to disable/enable System Restore and have circulated the instructions among employees, although we do keep Symantec Norton and IE as a general corporate policy.
    Best
    CESNUR
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay onto the second PC.

    You have multiple software firewalls running. One from Lavasoft and one from Norton. You must use only one software firewall so you need to uninstall one of these. Also make sure you do not have the WinXP SP2 firewall enabled.

    You have some signs of HSA hijacker problems. You should run about:Buster twice and attach the log later.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [sdknw32.exe] C:\WINDOWS\system32\sdknw32.exe
    O4 - HKLM\..\Run: [d3dk.exe] C:\WINDOWS\d3dk.exe

    The below is a dialer for pornographic websites and should be fixed. See: http://securityresponse.symantec.com/avcenter/venc/data/pf/dialer.newdial.html
    O4 - HKCU\..\Run: [menu12] C:\WINDOWS\_DlrApps\menu12.exe /astart

    O16 - DPF: {00000000-0023-0000-5400-320020040070} - http://www.storage-tasp.com/gs/gsa0808.exe
    O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.it/static/download/iedropupload.cab
    O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://67.15.5.151/ProWeb016.CAB
    O16 - DPF: {C7CF4846-0324-4B83-B810-C4BF61029E02} (Pro_Web04.ProWeb604) - http://67.15.5.151/ProWeb604.CAB
    O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://195.225.169.17/access/dia/adult.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if still found):
    C:\WINDOWS\system32\sdknw32.exe
    C:\WINDOWS\d3dk.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log along with the about:Buster log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
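
An added triage helper, not part of this thread or of HijackThis itself, that parses the O4 and O16 lines quoted above and flags the same signals chaslang singles out: autoruns pointing straight into %WINDIR%, and DPF ActiveX objects fetched from a bare IP address or delivered as a raw .exe. The flagging rules are heuristics I am assuming here, not HJT's own logic, and the sample lines are copied from the post.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: O4 and O16 lines quoted from the HJT log discussed in this thread.
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [sdknw32.exe] C:\\WINDOWS\\system32\\sdknw32.exe
O4 - HKLM\\..\\Run: [d3dk.exe] C:\\WINDOWS\\d3dk.exe
O4 - HKCU\\..\\Run: [menu12] C:\\WINDOWS\\_DlrApps\\menu12.exe /astart
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.it/static/download/iedropupload.cab
O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://67.15.5.151/ProWeb016.CAB
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://195.225.169.17/access/dia/adult.exe
"""

# Field layout of the two HijackThis line types handled here (registry autoruns, ActiveX downloads).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage_line(line: str) -> list:
    """Return the reasons one HJT line deserves review; an empty list means nothing was flagged."""
    reasons = []
    if m := O4_RE.match(line):
        exe = m["cmd"].split(" /")[0].lower()  # drop switches such as "/astart"
        # Heuristic (assumption): autoruns pointing straight into %WINDIR% rather than a Program
        # Files tree are typical of droppers and dialers; genuine Windows components live there too.
        if "\\windows\\" in exe:
            reasons.append(f"O4 {m['hive']}\\{m['key']} autorun under %WINDIR%: {m['cmd']}")
    elif m := O16_RE.match(line):
        u = urlparse(m["url"])
        # DPF objects are normally signed .cab packages fetched from a named host; a bare IP
        # address, a raw .exe or a missing description are the traits of the adult dialers above.
        if is_ip_literal(u.hostname or ""):
            reasons.append(f"O16 {m['clsid']} downloads from IP literal {u.hostname}")
        if u.path.lower().endswith(".exe"):
            reasons.append(f"O16 {m['clsid']} delivers a raw executable: {u.path}")
        if not m["desc"]:
            reasons.append(f"O16 {m['clsid']} has no registered description")
    return reasons

def triage_log(text: str) -> dict:
    """Map each flagged line to its reasons, skipping lines with nothing to report."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```

Running `triage_log(HJT_SAMPLE)` flags five of the six sample lines; the PIXACO plugin (named host, .cab, description present) passes, which is why such a pass still calls for a manual look rather than a verdict.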
     
  17. cesnur

    cesnur Private E-2

    I did as instructed and attach the first Buster log (the second scan didn't find anything) and the latest HJT log.
    I made sure the Win XP SP2 firewall is disabled.
    The computer seems to be OK (however, please have a look at the latest HJT log and confirm this) except that (and I apologize if the question seems stupid) it is unclear how to uninstall the Norton firewall without uninstalling the antivirus as well. I did disable the anti-spyware protection but the only uninstall option I found is for uninstalling the whole thing.
    I am quite happy about Lavasoft and would prefer not to uninstall that one.
    Thanks a lot and best
    Massimo

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log still shows the below lines:
    O4 - HKLM\..\Run: [sdknw32.exe] C:\WINDOWS\system32\sdknw32.exe
    O4 - HKLM\..\Run: [d3dk.exe] C:\WINDOWS\d3dk.exe

    Did you forget to fix these with HJT? Or did they come back?
    Do any of your protection tools like Security Task Manager or other popup to notify you of system or registry changes when trying to fix them? If so, you need to allow the changes to occur.
    Did you locate the associated files and delete them?

    Good question about Norton. It is rather strange that they don't have the process named something just calling it a Firewall, but rather they are calling it Norton AntiVirus Firewall Monitor Service. No one seems to provide any info on exactly what this means. Is it really just a monitor? Does it only monitor for a Norton Firewall? Or does it monitor any firewall? Is it just like a security center program to make sure one is running? What did the software you installed say on the box? Did it come with a real firewall?

    If you cannot uninstall it, maybe it can just be disabled. Do your provisioning screens look something like THIS?

    Use that as a guide and disable the firewall.
     
  19. cesnur

    cesnur Private E-2

    I may have inadvertently skipped the two files when running HJT but sure as hell they didn't show up when searching through Windows Explorer even by using the "look in hidden files" and "look in system files" options. At any rate here is the new HJT log: they seem to have been cleaned up.
    As for Norton, the "Security Monitor" and "Block Traffic" parts do not show up in the upper part of the screen; it really seems this computer has only the antivirus.
    Can you confirm the HJT log does not show any additional problem?
    Best and thanks
    Massimo

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is now clean.

    I still would like to know what the below service is supposed to be doing:

    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe

    If it is a firewall, it needs to be removed. If it is actually a tool to monitor a firewall, I would have two questions:
    1) monitor for what? Just to see if it is running??
    2) Is it monitoring firewalls by other companies or does it expect the Symantec firewall to be running? If the latter, why isn't it complaining about no Symantec firewall running?

    Unless you can determine from Symantec what the heck it is supposed to be, I personally would remove this service.
     
  21. cesnur

    cesnur Private E-2

    I did remove the service and apparently the Norton antivirus is running normally.
    I think we can close this thread.
    Many thanks
    CESNUR
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!