BKDR Sandbox infection


2 replies to this topic

#1 rickfijn

    Member

  • New Member
  • 2 posts

Posted 02 July 2004 - 07:38 AM

Hello dear people.

I am sending this topic for a friend who is not as computer-technical as some others are, and his internet is not working properly anymore.

He is in the USA, I am in Holland.
Now here is the problem: he had downloaded Jetsearch and it really messed his computer up. We kind of removed it from his computer, at least we thought we did, but now an online virus scan came up with a BKDR Sandbox infection. We scanned because a few hours after removing Jetsearch the problems started again.

I would like to have info on the removal of his problems, but please try to make it as clear as possible how to do it, because it will be difficult enough for him.
I want to thank you already for the effort before we get the answer; it's much appreciated.

Here is his HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 8:33:00 AM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
S:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
S:\PROGRA~1\Norton AntiVirus\navapw32.exe
S:\Program Files\D-Tools\daemon.exe
S:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
S:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
S:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
S:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\NDrv.exe
S:\Program Files\Belkin Bulldog Plus\MUPS.exe
S:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\System32\MsPMSPSv.exe
S:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc.../search.php?qq=
R3 - URLSearchHook: (no name) - - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - S:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - S:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - S:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SuperBar - {A6B47CBB-9484-4759-8E15-9B12425CE3FB} - S:\Program Files\_SUPERBAR\_SUPERBAR.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] S:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] S:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NAV Agent] S:\PROGRA~1\Norton AntiVirus\navapw32.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "S:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WFXSwtch] S:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTAvTray] S:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [slohafwh] C:\WINDOWS\slohafwh.exe
O4 - HKLM\..\Run: [QuickTime Task] "S:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [CTAVTray] S:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "S:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] S:\PROGRA~1\Symantec\LiveUpdate\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] S:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Ecet] C:\Documents and Settings\Jeff\Application Data\osac.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: MUPS.lnk = S:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = S:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &NeoTrace It! - S:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://S:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///S:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///S:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - S:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - S:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - S:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4E1F7F-811D-41E1-94A6-704EF8C9F782}: NameServer = 64.246.130.9 64.246.131.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F4E1F7F-811D-41E1-94A6-704EF8C9F782}: NameServer = 64.246.130.9 64.246.131.9

Greetz.
Rick

#2 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 02 July 2004 - 04:41 PM

Please download CWShredder
This was written to deal with Coolweb and all its variants.

Download and run the program. Let it fix everything it finds, and reboot.

Run HijackThis again, and post a fresh log so we can deal with whatever is left.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 rickfijn

    Member

  • New Member
  • 2 posts

Posted 03 July 2004 - 06:07 AM

Hi Dave

We seem to have been able to clean the sandbox, but to be sure here is the HijackThis log; I hope you can confirm it:

Logfile of HijackThis v1.98.0
Scan saved at 7:00:05 AM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
S:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
S:\Program Files\D-Tools\daemon.exe
S:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
S:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
S:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
S:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\NDrv.exe
S:\Program Files\Belkin Bulldog Plus\MUPS.exe
S:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\WINDOWS\System32\MsPMSPSv.exe
S:\Program Files\Messenger\msmsgs.exe
S:\Program Files\Belkin Bulldog Plus\upsd.exe
S:\Program Files\WinMX\WinMX.exe
C:\Program Files\WINMXBOT\MXChat.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jetsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc.../search.php?qq=
R3 - URLSearchHook: (no name) - - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - S:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SuperBar - {A6B47CBB-9484-4759-8E15-9B12425CE3FB} - S:\Program Files\_SUPERBAR\_SUPERBAR.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] S:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] S:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "S:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WFXSwtch] S:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTAvTray] S:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [slohafwh] C:\WINDOWS\slohafwh.exe
O4 - HKLM\..\Run: [QuickTime Task] "S:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [CTAVTray] S:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "S:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] S:\PROGRA~1\Symantec\LiveUpdate\SNDMon.EXE
O4 - HKCU\..\Run: [SpyKiller] S:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Ecet] C:\Documents and Settings\Jeff\Application Data\osac.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - Global Startup: MUPS.lnk = S:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = S:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &NeoTrace It! - S:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://S:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///S:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///S:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - S:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - S:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - S:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4E1F7F-811D-41E1-94A6-704EF8C9F782}: NameServer = 64.246.130.9 64.246.131.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F4E1F7F-811D-41E1-94A6-704EF8C9F782}: NameServer = 64.246.130.9 64.246.131.9

Greetz.
rick.
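Added example (not part of this thread, and not a tool from the SpywareInfo forum or HijackThis itself): a small Python triage script that parses HijackThis entry lines, diffs the two logs posted above to show exactly which entries disappeared between the first and second scan, and flags entries that a helper would normally look at first. The sample input is an excerpt of lines copied from the two logs in this thread. The flagging rules are general review heuristics that I have assumed for the example (IE start/search settings pointing at a bare IP address, a BHO with no name, an autorun entry launching from the user profile, an empty system.ini Shell= line); they mark entries for a human to review, not verdicts. The Spybot SDHelper.dll line is included on purpose to show that a known-good BHO also trips the "no name" rule.

```python
import re

# Constructed sample: excerpts from the two HijackThis logs posted in this thread.
# Non-entry lines (header, process list) are included to show the parser skips them.
LOG_1 = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
F0 - system.ini: Shell=
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - S:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - S:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - S:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] S:\PROGRA~1\Norton AntiVirus\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ecet] C:\Documents and Settings\Jeff\Application Data\osac.exe
"""

# Second log: the same excerpt minus the three Norton AntiVirus entries,
# which is what actually changed between the two posted logs.
LOG_2 = r"""Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.jetsearch.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
F0 - system.ini: Shell=
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - S:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ecet] C:\Documents and Settings\Jeff\Application Data\osac.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Assumed heuristics (mine, not HijackThis rules): bare-IP URLs and user-profile launch paths.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
USER_PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\", re.I
)


def parse_log(text):
    """Return [(code, body), ...] for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(old_text, new_text):
    """Entries present only in the old log, and entries present only in the new one."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(old - new), sorted(new - old)


def flag_entry(code, body):
    """Review heuristics; returns the list of reasons an entry deserves a second look."""
    reasons = []
    if code in ("R0", "R1") and IP_URL_RE.search(body):
        reasons.append("IE start/search setting points at a bare IP address")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name (verify the DLL; known-good ones trip this too)")
    if code == "O4" and USER_PROFILE_RE.search(body):
        reasons.append("autorun entry launches from the user profile")
    if code == "F0" and body.rstrip().endswith("Shell="):
        reasons.append("system.ini Shell= is empty")
    return reasons


def triage(text):
    """[(code, body, reasons), ...] for entries that matched at least one heuristic, in log order."""
    flagged = []
    for code, body in parse_log(text):
        reasons = flag_entry(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(LOG_1, LOG_2)
    print("Gone since first log:")
    for code, body in removed:
        print(f"  {code} - {body}")
    print("New since first log:", added or "none")
    print("\nEntries to review in the second log:")
    for code, body, reasons in triage(LOG_2):
        print(f"  {code} - {body}\n      -> {'; '.join(reasons)}")
```

Running it shows that only the Norton AntiVirus entries changed between the two logs, while every entry flagged in the first log is still present in the second, which is the kind of comparison a helper does before deciding whether a cleanup actually worked.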
