Unidentified files

#1 Chevyfan1 (Full Member, 65 posts)

Posted 12 June 2004 - 11:49 AM

I believe that one of my computers is infected with some trojan or spyware application, but none of my anti-spyware programs are finding anything, except PestPatrol finds VirtuMonde and Savenow, which regenerate after they are deleted. I am now manually searching for suspicious files. Is there a site where I can find a glossary of file types?

(For more information, see other posts under Chevyfan1. I've had problems for weeks now.)

Here is my HJT log. Deleting config.ini doesn't work:

Logfile of HijackThis v1.97.7
Scan saved at 2:16:53 AM, on 2/6/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\PESTPATROL\PESTPATROL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\dxsound.exe
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
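Added example for readers working through a log like the one above (not code from the original post, and not part of HijackThis itself): a small Python helper that parses the `O4` autostart lines of a HijackThis log and lists the ones worth identifying by hand, namely Startup-folder items (the log gives only a file name there, and the folder is user-writable) and registry autostarts whose target sits outside an allowlist of vendor and system directories. The sample lines are copied from the log above, and the `KNOWN_DIRS` allowlist is a hypothetical starting point; a flagged line means "identify this file", not "this file is malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied in shape from the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\dxsound.exe
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
"""

# Hypothetical allowlist of directories whose autostart entries get lower priority.
# Compared case-insensitively; extend it for the machine being examined.
KNOWN_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system\\")

SECTION_RE = re.compile(r"^([RNOF]\d+) - ")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
# First path-like token in the target, with or without surrounding quotes.
PATH_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|dll|com|bat|scr|lnk|ini|tsk))"?', re.I)


@dataclass
class Entry:
    section: str
    raw: str
    where: str = ""   # O4 only: registry key, or "Startup" for the Startup folder
    name: str = ""    # O4 only: value name shown in [brackets]
    path: str = ""    # O4 only: the launched file


def parse_hjt(text):
    """Parse HijackThis-style lines into Entry objects; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        entry = Entry(section=m.group(1), raw=line)
        if entry.section == "O4":
            m4 = O4_RE.match(line)
            if m4:
                entry.where = m4.group("where")
                entry.name = m4.group("name") or ""
                target = m4.group("target").strip()
                mp = PATH_RE.match(target)
                entry.path = mp.group("p") if mp else target
        entries.append(entry)
    return entries


def triage(entries, known_dirs=KNOWN_DIRS):
    """Return (raw_line, reason) pairs for O4 entries that deserve a manual look."""
    findings = []
    for e in entries:
        if e.section != "O4" or not e.path:
            continue
        if e.where == "Startup":
            # Only a file name is logged here and the folder is user-writable,
            # so every item in it is checked by hand.
            findings.append((e.raw, "Startup folder item: identify the file"))
        elif not e.path.lower().startswith(known_dirs):
            findings.append((e.raw, "autostart outside the allowlisted directories"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}: {raw}")
```

On the sample above this reports the `dxsound.exe` entry (it lives directly in `C:\WINDOWS`, not in an allowlisted directory) and the two Startup-folder items, while the Symantec entries under `C:\Program Files` are left alone. The allowlist only lowers priority; a file in a vendor directory still has to be identified if its name is unfamiliar.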

#2 thyme (Full Member, 93 posts)

Posted 12 June 2004 - 01:17 PM

Hi

Not sure if this is what you are looking for about file types, but here is a link:

http://www.kephyr.com/filedb/index.php

It is a bit hit and miss sometimes; however, Symantec has this to say about savenow.exe, which appears to be connected to Kazaa:

http://securityrespo...p.spreda.b.html

I can't find anything about Virtumonde?

#3 Chevyfan1 (Full Member, 65 posts)

Posted 13 June 2004 - 07:43 PM

The site you mentioned has the type of information I am looking for, but most files I need to know about are not listed. The files and registry entries associated with the savenow virus, which Symantec lists, are not on my computer (they are not found with either updated NAV, any anti-spyware program, or a manual search by me), so I believe a different worm or trojan is causing Savenow, Virtumonde, and possibly others, to regenerate, as well as causing other problems (see some of my other threads for details, if necessary). Maybe I could post the names of some suspicious files on this thread to see if anyone recognizes them. I used to check some of them with PestPatrol's online glossary (which isn't working now), and some turned out to be trojan-related, although no trace of other files associated with the trojans could be found by any program or myself.

By the way, I believe that Virtumonde is a program which downloads ads and other content to an affected computer (I am experiencing similar problems).

Thanks.


SpywareInfo Forum - Member of ASAP and UNITE