Full Version: Dropper.Delf 3L
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
angel
I have run AVG - which keeps finding the Dropper.Delf 3 virus. Moved it to the virus vault and then picked it up again in a scan a few hours later. Have also run Ad-aware, but can't seem to shift it - HELP.

Have downloaded and run HijackThis - log below - please help!!!

Logfile of HijackThis v1.98.2
Scan saved at 10:29:21, on 05/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack this\HijackThis.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\WINDOWS\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yxnooavtgczygpdojhhhjff.org/H3g...9L3bHimV4V.html
O2 - BHO: (no name) - {04E70F91-1CA1-159D-FE39-D054DBB9C0BA} - C:\PROGRA~1\OPTION~1\WAVEBYTE.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [4 Data] C:\PROGRA~1\JOYROA~1\Bib list regs.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [idledoesbindcomp] C:\Documents and Settings\All Users\Application Data\Cashmixidledoes\FastWarn.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 5\PcSync2.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: YO_ZQ-P20H Synchronization Software.lnk = C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

Also, if I needed to delete any with C as the start of the line, how do I get to them? They didn't list on the scan I can see - only the scan I copied to send to you. HijackThis is in its own file - help!!!

Angel
Bobbi Flekman
Hi angel,

Spyware Begone is listed on the Rogue/Suspect Anti-Spyware Products & Web Sites. Please uninstall this program.
Good and free alternatives are Ad-aware SE and Spybot Search And Destroy.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yxnooavtgczygpdojhhhjff.org/H3g...9L3bHimV4V.html

O4 - HKLM\..\Run: [4 Data] C:\PROGRA~1\JOYROA~1\Bib list regs.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [idledoesbindcomp] C:\Documents and Settings\All Users\Application Data\Cashmixidledoes\FastWarn.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer and delete the following folders in red (it could be that they are deleted already):

C:\Program Files\Windows SyncroAd
C:\Documents and Settings\All Users\Application Data\Cashmixidledoes

Restart your computer and post a new log.

Have you downloaded this program? Do you know what this program is?

O4 - Global Startup: YO_ZQ-P20H Synchronization Software.lnk = C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe

QUOTE
Also, if I needed to delete any with C as the start of the line, how do I get to them? They didn't list on the scan I can see - only the scan I copied to send to you. HijackThis is in its own file - help!!!
I do not understand your question. Are you asking how to delete a file?
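A small triage script, added here as an example (it is not part of this thread and not HijackThis code), that parses the O4 and R0 lines of the log above and flags autostart entries launched from user-writable locations and a redirected IE SearchAssistant; the trusted-directory list and the "not microsoft.com" rule are my own heuristic assumptions:

```python
import re
from urllib.parse import urlparse

# A few HijackThis lines copied from the log in this thread (a constructed subset).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yxnooavtgczygpdojhhhjff.org/H3g...9L3bHimV4V.html
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [4 Data] C:\PROGRA~1\JOYROA~1\Bib list regs.exe
O4 - HKLM\..\Run: [idledoesbindcomp] C:\Documents and Settings\All Users\Application Data\Cashmixidledoes\FastWarn.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: YO_ZQ-P20H Synchronization Software.lnk = C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe
"""

# O4 lines come in two shapes: a registry Run value, or a Global Startup .lnk entry.
RUN_RE = re.compile(r"^O4 - (?:(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]|Global Startup: (?P<lnk>.*?) =) (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - (?P<key>[^=]+?) = (?P<url>\S+)$")
# Directories where installed software normally lives (heuristic; assumed list, 8.3 short name included).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

def exe_path(cmd):
    """Pull the executable out of a Run value: a quoted path, or everything up to the first .exe."""
    m = re.match(r'^"(?P<q>[^"]+)"', cmd) or re.match(r"^(?P<q>.*?\.exe)", cmd, re.I)
    return m.group("q") if m else cmd

def is_untrusted_location(path):
    p = path.lower()
    if "\\" not in p:          # bare names such as NVATray.exe resolve via the system path
        return False
    return not p.startswith(TRUSTED_DIRS)

def triage(log_text):
    """Return (line, reason) pairs for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            exe = exe_path(m.group("cmd"))
            if is_untrusted_location(exe):
                findings.append((line, f"autostart from user-writable location: {exe}"))
            continue
        m = R0_RE.match(line)
        if m and m.group("key").endswith("SearchAssistant"):
            host = urlparse(m.group("url")).hostname or ""
            if not host.endswith("microsoft.com"):
                findings.append((line, f"IE SearchAssistant points at {host}"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```

The location rule flags FastWarn.exe, freescan.exe and sync.exe but not the "[4 Data]" entry under PROGRA~1, and sync.exe later turns out to be legitimate PDA software, so the output is a shortlist for a human reviewer, not a verdict.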
angel
Hi Bobbi,

Thanks for the help - it's driving me mad.

Have done as you asked, scan below:

Logfile of HijackThis v1.98.2
Scan saved at 12:09:32, on 05/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: (no name) - {04E70F91-1CA1-159D-FE39-D054DBB9C0BA} - C:\PROGRA~1\OPTION~1\WAVEBYTE.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 5\PcSync2.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: YO_ZQ-P20H Synchronization Software.lnk = C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab


Yes, I do know what

O4 - Global Startup: YO_ZQ-P20H Synchronisation Software.lnk = C:\Documents and Settings\Mark & Lesley\My Documents\downloads\sync.exe is. I have a PDA and this is the synchronisation software for the PC.

Do I need to do anything more?

Angel
xxx
Bobbi Flekman
Hi angel,

As I said before, I would uninstall Spyware Begone. This is from the web page I posted:
QUOTE
aggressive advertising (1); poor scan reporting; false positives work as goad to purchase [A: 6-26-04 / U: 6-26-04]


I would place the synchronization software in another folder. This looks as if it got installed without your knowledge.

For the rest your log is clean.

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts.

Please post back if you are still having any problems....
angel
Hi Bobbi,

Thanks for your help. I did remove Spyware Begone - sorry, forgot to say - was it still in the log then?

We have Ad-aware Personal SE, AVG Anti-Virus and ZoneAlarm - are these OK to protect the computer? This is the first thing we have had in ages - think it was my daughter - kids, eh.

Have removed the synchronisation package at the moment, will see if I need to reload it.

Angel

xxx
Bobbi Flekman
Hi angel,

Spyware Begone is in your log.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Delete the following folders in red (it could be that they are deleted already):

c:\freescan

Restart your computer.

The three programs you mentioned should suffice, but I would add IE-SpyAds, Spybot and Spyware Blaster anyway. IE-SpyAds and Blaster put a lot of sites in your registry to prevent installing malware, and in my opinion Spybot is a perfect complement to AdAware.
Bobbi Flekman
This topic is closed due to lack of activity.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.