xisto Community
Jeune

Iexplore.exe is a virus i think


O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

That was the trojan file :lol:. That's somehow removed now.
C:\Program Files\DNA\btdna.exe >> Are you using BitTorrent 6.0?


Don't know what these are .. >>

--------------------------------------------------------
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE ----------- Is this related to your Internet service provider?
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE ----------- Are you using an ALC soundcard?
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE ------ Is it Realtek ALC97?
--------------------------------------------------------

These look more like Trojan infections to me..

---------------------------------------------------------
O4 - HKLM\..\Run: [zzzHPSETUP]D:\Setup.exe
O4 - HKLM\..\Run: [Winupdates] sjjp5.exe
O4 - HKCU\..\Run: [WintelUpdate] c:\jghp.exe

---------------------------------------------------------

Please check them before you remove the entry.. they may be legit..

>> Go to the path specified alongside and try to find out what these are (right click and Properties) if it doesn't look normal.. (I mean you should look for the Version tab under Properties; if it's a legit file it will have information like original name, company, version etc.; if that's not there then the file is not legit, and I'd suggest you delete these unless you created them.)

To remove the entry, boot in Safe Mode, run HijackThis and click the checkbox beside the item, then click 'Fix checked'.


If possible (they get deleted automatically sometimes) while in safe mode, go to the path specified in the HijackThis log and delete the files manually.

P.S. Don't forget to show all your hidden files/system files while looking for these files, they are generally hidden.
Edited by jlhaslip (see edit history)
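The triage the post above describes (bare file names and odd locations get looked at first, and the Properties > Version tab decides whether a flagged file is a vendor file) can be scripted against a HijackThis log. The following is an added example, not HijackThis code or anything from the thread; the O4 lines are copied from the logs posted here, and the version-tab lookup is a constructed table standing in for reading the file on disk, since the real check needs the file in front of you.

```python
import re
from dataclasses import dataclass, field

# Directories where vendor autoruns normally live on a Windows XP box
# (assumption: default install layout, lower-cased for comparison).
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")

# Constructed stand-in for the Properties > Version tab (file name -> company
# string, None when the tab is empty). Filled in to match what the thread
# reported; real code would read the file on disk instead.
VERSION_INFO = {
    "rthdcpl.exe": "Realtek Semiconductor Corp.",
    "skytel.exe": "Realtek Semiconductor Corp.",
    "alcmtr.exe": "Realtek Semiconductor Corp.",
    "ashdisp.exe": "ALWIL Software",
    "setup.exe": "Hewlett-Packard",
    "sjjp5.exe": None,
    "jghp.exe": None,
}

# Autorun lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Winupdates] sjjp5.exe
O4 - HKCU\..\Run: [WintelUpdate] c:\jghp.exe
"""


@dataclass
class Autorun:
    hive: str
    name: str          # value name shown in [brackets]
    target: str        # executable the value launches
    reasons: list = field(default_factory=list)
    verdict: str = ""


def extract_target(cmd: str) -> str:
    """Pull the launched executable out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def looks_generated(stem: str) -> bool:
    """Names like sjjp5 or jghp: several letters, none of them vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 3 and not any(c in "aeiou" for c in letters)


def flag(name: str, target: str) -> list:
    """Cheap triage from the log line alone; every hit still needs the file check."""
    low = target.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\" not in low:
        reasons.append("bare file name: no directory, must be resolved on disk before judging")
    elif not low.startswith(TRUSTED_DIRS):
        reasons.append("outside the usual vendor directories")
    if looks_generated(stem):
        reasons.append("file name has no vowels, looks generated")
    if "update" in name.lower() and not low.startswith(TRUSTED_DIRS):
        reasons.append("value name claims to be an updater but the file is not in a vendor directory")
    return reasons


def check_version_tab(target: str, version_info=VERSION_INFO) -> str:
    """The thread's decisive test: a legit file carries company/version metadata."""
    base = target.lower().rsplit("\\", 1)[-1]
    if base not in version_info:
        return "unknown: open Properties > Version on the resolved file"
    company = version_info[base]
    if company:
        return "vendor file (%s)" % company
    return "no version info: delete unless you created it"


def triage(log_text: str, version_info=VERSION_INFO) -> list:
    """Parse O4 lines and return entries sorted with the most suspicious first."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        target = extract_target(m.group("cmd"))
        entry = Autorun(m.group("hive"), m.group("name"), target, flag(m.group("name"), target))
        entry.verdict = "ok" if not entry.reasons else check_version_tab(target, version_info)
        entries.append(entry)
    return sorted(entries, key=lambda e: len(e.reasons), reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%-14s %-45s %s" % (e.name, e.target, e.verdict))
        for r in e.reasons:
            print("               - " + r)
```

Run as a script it lists the two "updater" entries first, with three reasons each, and the three Realtek values (bare names, one of them vowel-less) below them; the flags only order the work, and it is the version-tab lookup that separates RTHDCPL.EXE from sjjp5.exe, which is exactly the order of checks the post recommends before fixing anything in HijackThis.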


Well at least you got your IE problem fixed, and as for your Firefox problem, you can't do anything about the memory leaks unless you install and run Firefox 3. Depending on how many extensions and tabs you have open, the amount of memory will keep on increasing in Firefox 2; however, even if you just have one tab open and you spend a few hours on Firefox 2 the memory will increase over time. So the best solution is to close out Firefox and then run it again to refresh the memory that way.

That's exactly what happens, I have one tab open and the memory reaches 100k+. Would you really advise I install Firefox 3?

Mr Bluedragon, I'll get back to the HijackThis in a while, the DSL in this part of the world is so crappy. :lol:


It is up to you really, as I have like 5 different browsers installed and use them for various things, and unless you have a ton of extensions that you use on Firefox, which also increase memory, then move on to FF3 beta 5, as it is stable and pretty much the final beta that I am aware of before final release.


I used to work with Spybot and Ad-Aware, but both have a limited rate of success. For an almost-perfect, fully-automated malware solution I personally recommend the one called "Superantispyware". Yes, I know, it has a name that might remind you of those scams that are actually malware. However, it is very good. They have two flavors of their software: a commercial one and a free one. The free one is good enough for a one-time disinfection.

Thanks lefehe for recommending this superb software! When working with customers' computer security I always use Spybot - Search & Destroy, Lavasoft's Ad-Aware 2007 Free and Microsoft's own Windows Defender. They are three different types of spyware/removal tools that make a good complement to each other. By running these three programs I have thought it would be enough to keep the computer safe from harm. If the damage is already done, then I also use HiJackThis.
Yeah, Superantispyware sounds like a scam or malware program, but it seems to be a really good program, which I plan to use for my customers. Thanks again! By the way, while the subject is up concerning spyware/malware/hijacking, I have read an interesting article on preventing being hijacked by tweaking the Browser Appliance using a Linux OS in VMware's Player. Since Linux is built with more security it's not a bad idea. Read more about it here - http://forums.xisto.com/no_longer_exists/


Dear Bluedragon,

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

This is a program from Apple, though I can't recall installing iTunes. I don't even have an iPod! What I do remember is that my sister plugged hers into my PC to get some MP3s. Could it be that mDNSResponder.exe came from there? I already deleted the said file, should I now remove it completely from the registry?

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE



Everything above is legit. All Realtek stuff.


O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Winupdates] sjjp5.exe
O4 - HKCU\..\Run: [WintelUpdate] c:\jghp.exe


There are no traces of these files in my system. My folders have "show hidden files" in them set already and I already used search.

I think D:\Setup.exe is part of my HP Scanner Program so I am going to put it there.

The others I just deleted via normal mode. Is that OK? Here's my new HiJackThis log (lemme know if you find something new):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:36 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Jose\My Documents\Tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\2.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon]RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Winupdates] sjjp5.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [superAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - re http://forums.xisto.com/
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: icq5s.dll
O20 - Winlogon Notify: !SABWinLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6703 bytes



Hi Jeune

O4 - HKLM\..\Run: [Winupdates] sjjp5.exe

I am still confused with this.. This doesn't look legit. Just check that "Hide protected operating system files" is unchecked and then look for this.. And then check the details for this file.. I don't think Microsoft would name an updater like this file :lol:

Except for this your system looks clean.. I am really sorry for the delay.. was busy with something.. You can mail me if you get stuck somewhere, mail: blue.dragon.rulz@gmail.com :)
