Full Version: OmEgA-X1's Log...
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
OmEgA-X1
Well, the symptoms are classic: some virus is closing out regedit, msconfig, and task manager. I ran PC-cillin and Ad-aware with no results; Spybot crashes when I try to update definitions. Here's the log...

Logfile of HijackThis v1.97.7
Scan saved at 9:21:13 AM, on 3/20/2004
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\PC-Cillin\Tmntsrv.exe
D:\PC-Cillin\tmproxy.exe
D:\PC-Cillin\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
G:\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [run=] IEXPLORE.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AceGain LiveUpdate] D:\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\RunOnce: [run=] IEXPLORE.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

I don't quite get it. Tmntsrv/Tmproxy/PccPfw are all part of PC-cillin, devldr32 is part of my sound card, and there's not much else; I'm lost, to be honest.
OmEgA-X1
Oh, and that AceGain live update is part of Battlefield Vietnam, which I installed after I've had this virus.
CalamityJane
I don't see devldr32.exe in your startups (odd). Did you disable it from starting up, perhaps? If so, try re-enabling it, scan again, and then post a new log.

I would like to see what app it is running as since there is one virus that does masquerade as devldr32.exe:

http://www.sysinfo.org/startuplist.php?fil...32&count=&type=

To be sure, you can also run a single file check at Kaspersky's free online virus check on that file:

C:\WINDOWS\system32\devldr32.exe <---check this file

Go here
Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html

Copy the report and paste the results back here.
CalamityJane
Almost missed this too. Do a file check on this one also:

C:\WINDOWS\system32\IEXPLORE.EXE

The legitimate Iexplore.exe would be located in your Program files not the system32 folder.
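The two checks in this post, a known file name running from the wrong folder and a Run/RunOnce entry that starts that name with no path, can be applied to a HijackThis log mechanically. The script below is an added example, not part of the original thread or of HijackThis; the expected-location table and the short sample log are constructed here to mirror the log above.

```python
import re

# Constructed sample in the shape of the HijackThis log above (a few process
# lines and O4 Run entries); not the poster's full log.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\IEXPLORE.EXE
C:\\Program Files\\Internet Explorer\\iexplore.exe
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [run=] IEXPLORE.EXE
O4 - HKCU\\..\\RunOnce: [run=] IEXPLORE.EXE
"""

# Home directory of the genuine binary on Windows XP (below the drive letter,
# lower-case). Assumed table; only names listed here are judged, anything else passes.
EXPECTED_DIR = {
    "iexplore.exe": "program files\\internet explorer",
    "svchost.exe": "windows\\system32",
}
SYSTEM_DIRS = {"windows", "windows\\system32"}  # searched first for bare names
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(Run\w*): \[([^\]]*)\] (\S+)")

def check_process(path):
    """Flag a known binary name running from somewhere other than its home directory."""
    directory, _, name = path.lower().split(":\\", 1)[-1].rpartition("\\")
    home = EXPECTED_DIR.get(name)
    if home is None or directory == home:
        return None
    return f"{name} running from {directory}, expected {home}"

def check_o4(line):
    """Flag a Run/RunOnce entry that starts a known binary by bare name when its home is
    not a system directory: a look-alike in system32 is then found before the genuine copy."""
    m = O4_RE.match(line)
    if not m:
        return None
    key, value_name, first = m.groups()
    name = first.lower()
    if "\\" in first or name not in EXPECTED_DIR or EXPECTED_DIR[name] in SYSTEM_DIRS:
        return None
    return f"{key} [{value_name}] starts bare '{first}'; genuine copy is in {EXPECTED_DIR[name]}"

def scan_log(text):
    """Return all findings for a HijackThis-style log, process lines and O4 lines alike."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        finding = check_process(line) if re.match(r"[A-Za-z]:\\", line) else check_o4(line)
        if finding:
            findings.append(finding)
    return findings
```

Running scan_log(SAMPLE_LOG) reports the system32 copy of iexplore.exe plus both run= entries and nothing for the genuine Program Files copy or nwiz.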
OmEgA-X1
Yeah, that devldr is weird. I've used this Sound Blaster PC512 since '98 and it's been the same way; no way to disable it without uninstalling the card either. But that IExplorer was a good find, it's obviously a virus, in my system32 folder as a hidden file... PC-cillin says it's alright, I'm gonna check it on PCpitstop...
OmEgA-X1
Still nothing, gonna try to download McAfee.
OmEgA-X1
Success! No anti-virus found it, so I went into regedit in safe mode, found "run= iexplore.exe" in the Run and RunOnce, deleted "iexplore.exe" in the system32 folder, and voila! All working. Thanks again for noticing that, Calamity, I wouldn't have caught it myself.
CalamityJane
You're welcome. It's a tricky one using a legitimate file name but in the wrong folder.

Did you use the Kaspersky online file check? I would be curious to know which virus or trojan it was.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP... why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857