Full Version: Problem with ATLEvents
Naoyuki
Help. We scanned with both Spybot and Ad-Aware, and cleaned it multiple times, but after a reboot, the ATLEvents reappears. Here is our HijackThis log file. The .bat file is just a simple batch file to clean out some old temp files.

Logfile of HijackThis v1.97.7
Scan saved at 11:36:07 AM, on 11/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\Tasks\acmp3.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hawaii.edu/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b1y4oay8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b1y4oay8.slt\prefs.js)
O2 - BHO: (no name) - {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3pmca.dat
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [*acmp3] C:\WINNT\Tasks\acmp3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKLM\..\RunOnce: [*acmp3] C:\WINNT\Tasks\acmp3.exe rerun
O4 - Startup: Shortcut to Clnorsis.bat.lnk = C:\Clnorsis.bat
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.4391319444
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8CDEEB5-7352-45AF-9D58-42E94D0872B3}: NameServer = 128.171.44.44,128.171.3.13


Any suggestions would be appreciated.

Thank you.
Naoyuki
Sorry, this is the log with the latest HijackThis.

Logfile of HijackThis v1.98.2
Scan saved at 1:25:31 PM, on 11/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\Tasks\acmp3.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijact\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b1y4oay8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\b1y4oay8.slt\prefs.js)
O2 - BHO: CATLEvents Object - {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3pmca.dat
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [*acmp3] C:\WINNT\Tasks\acmp3.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [*acmp3] C:\WINNT\Tasks\acmp3.exe rerun
O4 - Startup: Shortcut to Clnorsis.bat.lnk = C:\Clnorsis.bat
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8CDEEB5-7352-45AF-9D58-42E94D0872B3}: NameServer = 128.171.44.44,128.171.3.13

Thanks.
Bobbi Flekman
Hi Naoyuki,

Your log shows signs of a Vundo trojan infection. This infection is difficult to remove manually, but fortunately Symantec has developed a fix for it.
  • Download Symantec Trojan.Vundo Removal Tool 1.2.4.
  • Save FixVundo.exe to a convenient location, such as your desktop.
  • Close any programs that you may have open.
  • If you are connected to a network and/or a full-time Internet connection, please disconnect your computer now. Failure to do so might prevent the fix from working.
  • Double-click FixVundo.exe to start the Vundo removal tool.
  • Click "Start" to begin the removal process. Remember not to have any programs open.
  • It will scan your computer for signs of Vundo. Depending on the amount of files you have, it might take a long time.
  • Restart your computer.
  • Run the tool with the same instructions to make sure Vundo has been eliminated.
  • You can reconnect your computer to the network and/or full-time internet connection.
  • Restart your computer once more.
  • Post a fresh HijackThis log.