Registered · 7 Posts · Discussion Starter · #1
We have been having trouble with most of our computers getting infected with trojans and programs we don't want. Today I reloaded a system from an image I made 2 years ago.

It is Windows 2000, SP2.
After loading the image, I loaded SP 4 from a CD with the file on it that I downloaded from the internet a few months ago. I then installed IE6 with SP1 from files I had on our server that I downloaded in October of 2004. Up until this point I did not have the computer plugged into the network.

After the reboot I got an error about Bargains and I believe salm.

I rebooted into safe mode and found on the c drive these files:
c:\prot.exe
c:\sahagent.log
c:\winnt\elitetoolbar.

then in add/remove programs I had these programs:
Active Alert
Deskad Service
EliteBar Internet Explorer tool Bar
Internet Optimizer
IST SVC
Search Relevancy
Shopathome Select Agent
Sidefind
The Bullseye Network
unistall180 Search
Webrebates(by Toprebates.com)
WSEM Update

On another system that I loaded exactly the same way just before this, it loaded OK without any of the extra programs or files. Plus there are other systems in the building that are not affected.

On the other 2000 systems on the network I have run:
Norton AntiVirus
AVG Free AntiVirus
Ad-Aware
Adware filter
Spybot S&D
Trojan Hunter
and they show all clear.

On the Windows 98 machine in the office I have run:
Norton AntiVirus
Ad-Aware
Spybot S&D
Trojan Hunter
and they now show all clear.

Some of these programs that were added we have been fighting with all week. This started last Monday about 15:30 Eastern Time.

Here is the Hijackthis log from the system:

Logfile of HijackThis v1.99.0
Scan saved at 5:54:33 AM, on 1/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Virus\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem302.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Bbc2p] C:\WINNT\iupcys.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvvpi32.exe
O4 - HKLM\..\Run: [ityrkt] C:\WINNT\ityrkt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\system32\SahAgent.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
O4 - HKCU\..\Run: [Windows Media Player] msams.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ecpalb.easterncopy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ecpalb.easterncopy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ecpalb.easterncopy.com
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Also attached is a sheet I made to try and clean the other infected machine.

Thanks

Charles Wallace
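The O4 (autorun) and O2 (BHO) lines in a HijackThis log like the one above can be triaged mechanically before anyone decides what to remove. The Python script below is an added example, not part of the original post and not part of HijackThis; it parses a handful of lines copied from the log above and flags the patterns an analyst checks first: an executable registered by bare filename (so the search path decides which file actually runs), an executable started from a temp directory, one executable registered under several autorun keys, and a BHO DLL dropped directly in the Windows directory. The heuristics, the `parse`/`triage` functions and the benign-looking entries they also flag (such as `mobsync.exe`) are the example's own assumptions; a flag is a prompt to verify the file, not a verdict.

```python
import re
from collections import defaultdict

# A handful of lines copied from the HijackThis log posted above. The O23 line
# is included to show that entry types the parser does not handle are skipped.
SAMPLE_LOG = r"""
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Media Player] msams.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [Windows Media Player] msams.exe
O4 - HKCU\..\Run: [Windows Media Player] msams.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# O4 - HKLM\..\Run: [label] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)
# O2 - BHO: label - {CLSID} - path to DLL
O2_RE = re.compile(
    r"^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)


def executable_of(cmd):
    """Return the executable token of an autorun command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def parse(log_text):
    """Turn O2 and O4 lines into dicts; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, regex in (("O4", O4_RE), ("O2", O2_RE)):
            m = regex.match(line)
            if m:
                entries.append({"type": kind, "line": line, **m.groupdict()})
                break
    return entries


def triage(entries):
    """Return (log line, reason) pairs for entries worth a closer look."""
    findings = []
    # How many distinct autorun keys point at the same executable name.
    keys_per_exe = defaultdict(set)
    for e in entries:
        if e["type"] == "O4":
            keys_per_exe[executable_of(e["cmd"]).lower()].add(e["hive"] + "\\" + e["key"])

    for e in entries:
        if e["type"] == "O4":
            exe = executable_of(e["cmd"])
            low = exe.lower()
            if "\\" not in exe:
                findings.append((e["line"], "bare filename resolved via the search path; verify which file runs"))
            if "\\temp\\" in low:
                findings.append((e["line"], "executable started from a temp directory"))
            n = len(keys_per_exe[low])
            if n > 1:
                findings.append((e["line"], f"same executable registered in {n} autorun keys"))
        elif e["type"] == "O2":
            parent = e["path"].rsplit("\\", 1)[0].lower() if "\\" in e["path"] else ""
            if parent in ("c:\\winnt", "c:\\windows"):
                findings.append((e["line"], "BHO DLL placed directly in the Windows directory"))
    return findings


def report(log_text):
    """Convenience wrapper: parse a whole log and triage it in one call."""
    return triage(parse(log_text))


if __name__ == "__main__":
    for line, reason in report(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run over the sample, the script flags `msams.exe` three times on two grounds (bare filename, present in HKLM Run, HKLM RunServices and HKCU Run), `salm.exe` for its temp location, and `nem220.dll` for sitting directly in `C:\WINNT`, while the quoted Program Files entry and the toolbar DLL in its own subfolder pass silently. Feeding it the full log means pasting the log into `SAMPLE_LOG` or reading it from a file.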
Registered · 3,181 Posts
Go to Control Panel, Add/Remove Programs and remove these if they are listed:

MessengerPlus3
ViewMgr
BullseyeNetwork
WebRebates
WeatherOnTray
WinAdTools
Myway or Mybar
WinSurferHelper
180Solutions (or 180Search)
Windows AdControl

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from http://www.subratam.org/?page=removal
Spybot - Search & Destroy from http://security.kolla.de
Download Adaware SE http://www.lavasoftusa.com/support/download/

then
Run CWSHREDDER.

Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.
Also make sure you have all of Microsoft's security updates.

then reboot &

Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From the main window: click Start, then under Select a scan mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

Restart your computer.
then post a new hijackthis log
Registered · 7 Posts · Discussion Starter · #3
Thanks for the info.

I am looking for more info on what to look for on the other computers in the office (over 30 of them) that is causing all of this to be added back to most of the systems once they are plugged back into the network. Over 12 MB of files are added, per the file sizes in Add/Remove Programs.

Every time we try and clean a system we find more files that have been added to it.

Thanks

Charles Wallace