Can anyone help me please?


sam225
July 29th, 2004, 03:03 PM
I have this virus that only AVG catches. It says it's a Backdoor.HaxDoor.2.T
and it is found in C:\WINDOWS\system32\debugg.dll

I'll wait to post my HiJackThis log. I am such a moron when it comes to PC security.

NooNoo
July 29th, 2004, 03:10 PM
Welcome to Windrivers, sam225.
This is what Norton says about it: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.html. Hope you didn't keep your passwords on that machine! Removal instructions are there; read the whole document.

GrandDad
July 29th, 2004, 03:12 PM
Welcome to Windrivers sam225
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.htmlthis what norton says about it Hope you didn't keep your passwords on that machine! Removal instructions are there, read the whole document.
;)


well I see you fixed it. :)

sam225
July 29th, 2004, 03:39 PM
I tried what NAV suggested first thing this morning.

I'm unable to find this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\TestService\MPRServices\TestServices

or

the JSDAPI.exe in the process.

or

SMTAPI.SYS in the \system32\ folder.

I tried deleting it in SAFE mode (couldn't get to it) and I've tried Trojan Hunter and Tauscan. Nothing finds it other than AVG, but AVG doesn't have any info about it on Grisoft.com.

Any other suggestions? Does it matter that it's HaxDoor.2.T, as compared to the Haxdoor.i on the Symantec site?

NooNoo
July 29th, 2004, 04:23 PM
Yes, it's a variant, so some things will be different... got that hijack log yet?

sam225
July 29th, 2004, 04:33 PM
I'm sorry. Here is my log.

Logfile of HijackThis v1.98.0
Scan saved at 4:32:40 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/welcome.htm?ver=4448&
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = F:\bin\Components\ConnectionManager\Verizon Online.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.shscares.org/lawson/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O21 - SSODL: System - {1D2EB6E0-89EE-42C2-AC3E-4BA2690FBD84} - C:\WINDOWS\system32\system32.dll (file missing)

NooNoo
July 29th, 2004, 05:53 PM
OK, you still have trojans.

taumon.exe (http://securityresponse.symantec.com/avcenter/venc/data/trojan.downloader.aphe.html)

Go to http://housecall.antivirus.com and run the online scan.... I will run up a list of stuff to delete with HijackThis in a few.

NooNoo
July 29th, 2004, 06:04 PM
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O15 - Trusted Zone: *.mt-download.com

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab


Ouch! (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.AK) This is not a trojan guard at all:
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

Get rid of that lot by running HijackThis in safe mode.

The processes are hidden, which is why you cannot track it down.... go find and delete the files using Explorer. If you cannot delete them, then check Task Manager in safe mode and see if they show up.
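
As an added example (not code from the thread or from any of the posters), the following Python script parses a constructed subset of the HijackThis log above, in the v1.98 line format, and applies the same kind of triage NooNoo did by hand: flag entries pointing at the search-hijacker domain, correlate the O16 ActiveX package from that domain with the DLL it dropped in the BHO/toolbar entries, and flag registered components whose file is missing or sites added to the Trusted Zone. The domain list and the rule set are my assumptions chosen from what this thread flags; `parse` and `triage` are names I made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v1.98 line format, using a subset of the
# entries exactly as they appear in the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
O21 - SSODL: System - {1D2EB6E0-89EE-42C2-AC3E-4BA2690FBD84} - C:\WINDOWS\system32\system32.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
# Domain the log and the helper's triage identify as the search hijacker (assumed list).
HIJACK_DOMAINS = ("thesearchmall.com",)


def parse(log_text):
    # Each HijackThis entry is "<section> - <body>"; header and blank lines are skipped.
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(log_text, hijack_domains=HIJACK_DOMAINS):
    # Returns (section, reason, body) for every entry that deserves a closer look.
    entries = parse(log_text)
    # Pass 1: base names of ActiveX packages (O16) fetched from a hijacker domain,
    # so the DLL each one dropped can be matched in the BHO/toolbar sections.
    dropped = set()
    for sec, body in entries:
        for url in URL_RE.findall(body) if sec == "O16" else ():
            host = urlsplit(url).hostname or ""
            if any(host == d or host.endswith("." + d) for d in hijack_domains):
                dropped.add(urlsplit(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower())
    # Pass 2: rules in priority order; the first match supplies the reason.
    findings = []
    for sec, body in entries:
        low = body.lower()
        if any(d in low for d in hijack_domains):
            reason = "points at a known search-hijacker domain"
        elif any(stem + "." in low for stem in dropped):
            reason = "component dropped by the hijacker's ActiveX package"
        elif "(no file)" in low or "(file missing)" in low:
            reason = "registered component whose file is missing"
        elif sec == "O15":
            reason = "site added to the IE Trusted Zone"
        else:
            continue
        findings.append((sec, reason, body))
    return findings
```

On the sample it flags six of the seven entries and leaves the AVG Run entry alone; the "(no name)" SDHelper BHO from the full log would not be flagged either, since its file exists.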

sam225
July 30th, 2004, 08:59 AM
First off, "Thank you so much for taking the time to help me with this problem! I truly appreciate it!"

I ran the "Housecall" and it didn't find anything. Should I run HiJack in safe mode and then delete all of the things you have listed that you picked out of my log?
I'm pretty smart when it comes to some things, but I am a complete idiot when it comes to this stuff. Sorry.

sam225
July 30th, 2004, 09:05 AM
What was that taumon.exe? I clicked the link and read what Symantec has to say about it, but I can't find it on my computer. Do I have it?

NooNoo
July 30th, 2004, 10:23 AM
You do have it, it shows up in the hijack this log.

Yes, go to safe mode, run HijackThis, make a note of the log, and tell it to fix the stuff I listed. Now go look for any of the file names listed in the HijackThis log, for instance
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
HijackThis tells you precisely where it is. It may be a hidden and/or system file, and it may be set to read-only. Allow viewing of hidden and system files by opening My Computer, Tools, Folder Options; under Hidden files and folders uncheck every box and check the radio button "Show hidden files and folders". XP will warn you; accept the warning.

To unset read-only on a file, right-click the file, Properties, uncheck the Read-only box and Apply. If the system is not using the file you can now delete it. If it is, start Task Manager and go to the Processes tab... see if you can find the file listed there; if you do, right-click and End Process Tree. Now try to delete the file again.

It is important to do these in safe mode because most of the processes and drivers are not running, which makes it easier to search for and destroy the baddies.

sam225
July 30th, 2004, 03:08 PM
Ok, I deleted most of what you said, except for the FlashGet things. Some of the other items I couldn't find when in safe mode. Can I go to HiJackThis OUT of safe mode and fix them? How do I know what the processes are? How do I get rid of the "debugg.dll" file that is the haxdoor virus?

Thank you again.

sam225
July 31st, 2004, 12:13 PM
Ok NooNoo Sir:

I did exactly what you said for me to do, but I still can't get rid of the debugg.dll or the w32_ss.exe files that are said to be viruses. What should I do now?

Thanks again.

NooNoo
July 31st, 2004, 12:15 PM
Do another hijack this in safe mode and post it please. Need to see the processes running...