
Posted

I think I may have found the IP addresses of the people who may be using this trojan to gather passwords and other information! I downloaded a packet sniffer program, and I noticed that the "System" process was sending data. The "System" process is also what the Unlock application said was locking the ZoneAlarm Pro files. Therefore, I think this data that was being sent is from the virus. The two IP addresses that I found were:

 

212.27.63.103

 

and

 

67.15.35.7

 

Both IP addresses lead to an apache server without an index page. Also, the WHOIS information is blocked. This certainly sounds suspicious to me. Does anybody know how I can further trace these IP addresses to see if they could be the people that created this virus?

 

Dak, I ran the Microsoft Malicious Software Removal Tool and it said, "No malicious software was detected."

Posted

Download and Save blacklight to your desktop.

F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe then accept the agreement.

If the option is there, leave 'scan through windows explorer' checked,

click Scan, then Next.

You'll see a list of all items found.

Don't choose for rename yet! I want to see the log first, because legit items can also be present there...

There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

Post the contents of the log in your next reply.

Posted

Dak, when I try to run the F-Secure Blacklight application, I receive an error message. It says:

 

Windows Explorer was not found for the current user. You cannot use Secondary Logon (RunAs) to start F-Secure BackLight.

 

Is the virus blocking it, or is this another problem?

Posted

How inconveniently bizarre...

 

Could you ctrl+alt+delete to bring up the task manager, find the explorer.exe process, and tell me what it says next to it under the 'user name' column?

 

And your other questions:

 

Did this virus probably enter as a trojan instead of from the web site I was viewing at the time?

 

I don't know, but I have a test machine... if you could PM me the URL you were at at the time, then I can check.

 

I think I may have found the IP addresses of the people who may be using this trojan to gather passwords and other information! I downloaded a packet sniffer program, and I noticed that the "System" process was sending data. The "System" process is also what the Unlock application said was locking the ZoneAlarm Pro files. Therefore, I think this data that was being sent is from the virus. The two IP addresses that I found were:

 

212.27.63.103

 

and

 

67.15.35.7

 

Both IP addresses lead to an apache server without an index page. Also, the WHOIS information is blocked. This certainly sounds suspicious to me. Does anybody know how I can further trace these IP addresses to see if they could be the people that created this virus?

 

Not sure, I'm afraid.

Posted

I just figured out how to delete the virus! :D

 

I used Microsoft Word, and clicked on the "open" button. I went to the system32 folder, and manually typed "avpe32.dll" into the file name box. I got an error message, and it did not work. After that, I typed "avpe64.sys" and Word loaded the file. I pressed ctrl+A to select everything, and then I pressed delete. After that I pressed "Save" and Word asked me if I was sure that I wanted to save because the file may not convert to text correctly. I pressed "Yes" and it saved over the virus file.

 

I repeated the previous steps for "klgcptini.dat", "qz.dll", "qz.sys", and "stt82.ini". After all of those files were resaved as blank files, I restarted my computer. When it loaded again, I went into the System32 folder from My Computer. All of the virus files were now visible, including the "avpe32.dll" file that would not open in Word. I used the Unlock application to delete "avpe32.dll" and I easily deleted all of the other virus files without any problems.

 

Now, ZoneAlarm Pro is working again and my computer isn't showing any other strange behavior. I want to thank everyone here, especially Dak and Cap'n Refsmmat. I couldn't have deleted this virus without your help.

Posted

nice one herme3 :)

 

The infection does some damage to your computer, and enters registry entries and the like... so there's still a little more to do to completely fix your computer (though unrootkitting it was the hard part).

 

If you want a hand finishing off, could you post up a new HJT log and a new Rootkit Revealer log please.

Posted

I ran Rootkit Revealer again, but nothing showed up in the log. Here is the new Hijack This log:

 

Logfile of HijackThis v1.99.1

Scan saved at 7:19:39 PM, on 12/17/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\HP\KBD\KBD.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\Josh\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155738_mcappins.exe /v=3 /cleanup

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120096203296

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup150.cab

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\avpe32.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
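The log above is where the remaining Haxdoor piece shows up: the `O20 - Winlogon Notify: avpe32 - C:\WINDOWS\avpe32.dll` line is a Winlogon Notify DLL sitting outside System32, and its name is one of the files named earlier in the thread. The following is an added example, not HijackThis code and not something posted in this thread: a small Python triage pass over HijackThis-style lines that flags O20 entries matching the Haxdoor file names from this thread or loaded from outside System32, and O4 autoruns that use an unqualified file name or start from a Temp directory. The sample log text is constructed from lines in the posted log, the "outside System32" rule is a heuristic, and `triage`, `Finding` and `HAXDOOR_NAMES` are names chosen here.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, modelled on the log posted
# in this thread; the avpe32 entry is the Haxdoor remnant the later fix targets.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20031213155737_mcinfo.exe /insfin
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\avpe32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# File names this thread identifies as Haxdoor components.
HAXDOOR_NAMES = {"avpe32.dll", "avpe64.sys", "klgcptini.dat", "qz.dll", "qz.sys", "stt82.ini"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    name: str      # entry name as HijackThis prints it
    path: str      # file the entry loads
    reason: str    # why a human should look at it


def _exe_path(cmd: str) -> str:
    """Return the program part of an O4 command line (arguments dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _in_system32(path: str) -> bool:
    """True when the file lives in (or below) a System32 directory."""
    directory = ntpath.dirname(path).lower()
    return directory.endswith("\\system32") or "\\system32\\" in directory


def triage(log_text: str) -> list[Finding]:
    """Flag O20/O4 entries that deserve a look; other sections are left alone."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            path = m["path"].strip()
            if ntpath.basename(path).lower() in HAXDOOR_NAMES:
                findings.append(Finding("O20", m["name"], path,
                                        "file name matches a Haxdoor component named in this thread"))
            elif not _in_system32(path):
                # Heuristic: legitimate Winlogon Notify packages normally live in System32.
                findings.append(Finding("O20", m["name"], path,
                                        "Winlogon Notify DLL loaded from outside System32"))
        elif m := O4_RE.match(line):
            exe = _exe_path(m["cmd"])
            if ntpath.basename(exe).lower() in HAXDOOR_NAMES:
                findings.append(Finding("O4", m["name"], exe,
                                        "file name matches a Haxdoor component named in this thread"))
            elif "\\" not in exe:
                findings.append(Finding("O4", m["name"], exe,
                                        "autorun uses an unqualified file name, so it resolves via the search path"))
            elif "\\temp\\" in exe.lower():
                findings.append(Finding("O4", m["name"], exe,
                                        "autorun starts a program from a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4}{f.name:<20}{f.path}\n    -> {f.reason}")
```

The O4 findings are review items rather than verdicts: ALCXMNTR.EXE and the Temp-directory installers in the posted log are most likely benign leftovers, but an unqualified autorun name and a Temp path are exactly the places a triager checks by hand, while the avpe32 entry is the one that matches a known Haxdoor file name.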

Posted

Go to 'start > run' and type in 'regedit'.

 

Up the top, under 'file', click 'export' to save a backup copy of your registry.

 

Open up notepad and copy/paste the following into it; make sure that there is no space/blank lines before the 'regedit4' bit.

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe32.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe64.sys]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpe32]

 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpe64]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

"EnforceWriteProtection"=-

 

Go to File > Save, select 'Save as type' 'registry file (*.reg)', call it hdfx, and click Save.

 

Now, double-click on hdfx.reg to merge its contents with your registry.

 

Then, run the Kaspersky online antivirus scan, save a log from it and post it up so we know what remnants of Haxdoor are knocking about the place.

 

and... Download L2mfix from one of these two locations:

 

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

 

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

 

Do NOT run option #2

 

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe

C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." ...then please use option 5 or the web page link in the l2mfix folder to solve this error condition, and then try running option #1 again.
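Before merging a fix file like the one above it is worth reading back what it will actually do: a `[-key]` line deletes the whole key, a `"name"=-` line deletes a single value, and the REGEDIT4 header must be the very first line, which is why the post insists on no blank lines before it. The following is an added example, not part of this thread and not a tool from the forum: a Python reviewer that parses a .reg file into a list of the actions regedit would take and reports the mistakes that make a file silently do nothing or do the wrong thing. The sample text is the fix file from the post reproduced as a string; `review_reg`, `SAMPLE_REG` and the action labels are names chosen here.

```python
import re

# Headers regedit accepts; whichever is used, it has to be line 1 of the file.
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# [key] creates/opens a key, [-key] deletes it.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# "name"=data sets a value, "name"=- deletes it, @ is the (Default) value.
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

# Constructed sample: the fix file from the post above, as text.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe32.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe64.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe32.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe64.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpe32]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avpe64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=-
"""


def review_reg(text: str):
    """Return (problems, actions): what merging the file would do, and what is wrong with it."""
    problems, actions = [], []
    lines = text.splitlines()
    # The header check is deliberately strict: no blank line or leading space before it.
    if not lines or lines[0].rstrip() not in REG_HEADERS:
        problems.append("line 1 must be the REGEDIT4 or Windows Registry Editor header, with nothing before it")
    current, current_deleted = None, False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank lines and comments are fine anywhere after the header
        if m := KEY_RE.match(line):
            current, current_deleted = m["key"], bool(m["minus"])
            actions.append(("delete_key", current) if current_deleted else ("ensure_key", current))
            continue
        if m := VALUE_RE.match(line):
            if current is None:
                problems.append(f"line {n}: value line before any [key] section")
                continue
            if current_deleted:
                problems.append(f"line {n}: value listed under a key that this file deletes")
                continue
            name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
            data = m["data"].strip()
            if data == "-":
                actions.append(("delete_value", current, name))
            else:
                actions.append(("set_value", current, name, data))
            continue
        problems.append(f"line {n}: unrecognised line {line!r}")
    return problems, actions


if __name__ == "__main__":
    problems, actions = review_reg(SAMPLE_REG)
    for a in actions:
        print(" ".join(a))
    for p in problems:
        print("PROBLEM:", p)
```

Run against the posted file this lists seven key deletions (the Winlogon Notify entry, the SafeBoot entries and the two services), one key open, and one value deletion (EnforceWriteProtection), with no problems; prepend a blank line and the header check fires, which is the failure the post is warning about.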

  • 3 weeks later...
Posted

Hi, first of all, I want to thank Dak and the Captain for all their detailed posts, as I had the Haxdoor virus, and I've just literally spent 20 hours cleaning my PC (I hope it's clean!), and I couldn't have done it without this thread.

 

I was wondering if I could bug you guys to read my post here: http://www.spywarewarrior.com/viewtopic.php?p=110602#110602

 

and see if you have any input, since you were so intimately familiar with this virus!

 

Thanks for your time!

 

PS I was a science guy back in high school and university, if that counts for anything! ;-)

Posted

It's nice to see that I created a thread that helped someone instead of making everyone angry. :)

 

Dak and Cap'n Refsmmat helped me get rid of Haxdoor too. My computer has worked perfectly since then. Thanks again!

Posted

Hi,

 

Nice method of deleting the virus. I could help you trace the hackers. Go to mcaffee.com and download the trial version of the latest McAfee. There you have the option to trace down the hacker (also download the security suite, trial version). There you are! You can track down the place and also inform Symantec or do things like that to stop the source.

 

gagsrcool
