Problem combination of Trojan and Exploit script

26.03.2005, 15:29
...new here

Posts: 6
#1 Hi

This problem is a combination of the eid_S7.exe file, Exploit/MHtml and something else!

Attached is the HJT log file

Logfile of HijackThis v1.99.1
Scan saved at 15:16:53, on 26.03.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\ROXIO\WINONCD\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\ATI2CWAD.EXE
C:\WINDOWS\SYSTEM\ATIPTKAD.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE
C:\WINDOWS\TWAIN_32\A12U16K\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MARMIKO SHARED\MWLAMAS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAMME\TOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lycos.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiKey] atiptkad.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\sentstrt.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [T-Online_Software_5\WLAN-Access Finder] C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE /StartMinimized
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A12U16K\WATCH.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\MESSENGER\YHEXBMES.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193a39b22b4a52b50a18/netzip/RdxIE601.cab

************
eScan told me I had the following files affected
msxmidi.exe and init32m.exe

Can I just delete them?

*************
This was the warning I received when I opened a link to a forum entry on Trojaner_Forum! I have already sent them a mail informing them of the problem.

C:\PROGRAMME\AVPERSONAL\INFECTED\62B17720.12F
Enthält Signatur des HTML-Scriptvirus HTML/Exploit.Mhtml

And finally, I have found a very strange registry entry as follows and I don't know if it is linked to all of this

HKEY_L_M_/Software/Microsoft/G)?92921>

Key entry
ù))à Value 4f 4a 4f 4f


Ideas anyone?


Any help greatly appreciated

Many thanks

kistev
27.03.2005, 10:02
Member

Posts: 1132
#2 Hi kistev,

Welcome on board!
This is basically a German-speaking board and some of its users may not be able to follow an English correspondence. So, couldn't you post in German? This seems to be possible because you obviously run a German version of Windows and other programs, and understand their alerts.

As for your problems, you very obviously have done quite a lot of cleaning work beforehand.
Your hjt log file doesn't give much evidence that there is a present heavy infection with malware. The only "evil" entry is
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - (no file)
Fix that with hjt and search registry for remaining entries of {CF021F40-3E14-23A5-CBA2-717765721306} and delete them.
{CF021F40-3E14-23A5-CBA2-717765721306} = Tubby/MakeMeSearch/Spyware.Aran parasite
So, look out for wer1306.dll, qwe8264.dll and max8264.dll if you can find one or all of them on your system.

Download and update Ad-Aware
http://www.lavasoft.de/support/download/
perform a full system scan and delete all critical objects found

Open hjt => Misc Tools => Delete a file on reboot and copy the two files identified as "infected" by eScan into the text window (one after the other and reboot only after you have submitted the second one)

With HTML/Exploit.Mhtml it's an easy job. Open your AVPersonal and go to the quarantine section => delete the entry with HTML/Exploit.Mhtml

As far as the registry entry in question is concerned, I unfortunately can't give you any help with that. But maybe some other member has more information.

Post a new hjt log and report about progress

regards
Heron
__________
"The world is big because the head is so small"
Wilhelm Busch
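The triage Heron describes above (spot the O2 entry whose DLL is "(no file)", fix it in HJT, then search the registry for the CLSID) can be scripted. The following Python is an added example, not code from this thread or from HijackThis: it parses the O2 (Browser Helper Object) lines of an HJT log, flags any registration whose DLL is missing, and lists the two standard IE BHO registration keys (the `Browser Helper Objects` key under HKLM and `HKCR\CLSID`) one would check for leftovers after the fix. The sample lines are copied from the first log in this thread; the key paths are the standard BHO registration locations, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2 and O4 lines taken from the first HijackThis log in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721306} - (no file)
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
"""

# HJT writes BHO lines as:  O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


@dataclass(frozen=True)
class BhoEntry:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        """True when the registration points at a DLL that no longer exists on disk."""
        return self.path.strip().lower() == "(no file)"


def parse_bho_entries(log_text: str) -> list[BhoEntry]:
    """Extract every O2 (Browser Helper Object) line from an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_LINE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def orphaned_bhos(entries: list[BhoEntry]) -> list[BhoEntry]:
    """Registrations whose DLL is gone: a leftover to clean, not proof of an active infection."""
    return [e for e in entries if e.orphaned]


def registry_keys_for_clsid(clsid: str) -> list[str]:
    """Standard locations where an IE BHO is registered; these are the keys to
    inspect for leftovers after HJT has 'fixed' the O2 line."""
    clsid = clsid.upper()
    return [
        rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
        rf"HKCR\CLSID\{clsid}",
    ]


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each orphaned BHO CLSID to the registry keys worth searching for remnants."""
    return {
        e.clsid: registry_keys_for_clsid(e.clsid)
        for e in orphaned_bhos(parse_bho_entries(log_text))
    }


if __name__ == "__main__":
    for clsid, keys in triage(SAMPLE_HJT_LOG).items():
        print(f"orphaned BHO {clsid}:")
        for key in keys:
            print("  check", key)
```

Run against the sample, the script reports exactly one orphaned registration, the `Cls` entry with CLSID {CF021F40-3E14-23A5-CBA2-717765721306}, and prints the two keys to check; the Yahoo, Spybot and Acrobat BHOs all point at files that exist and are left alone.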
27.03.2005, 11:26
...new here

Thread starter

Posts: 6
#3 Hi Heron

Thanks for the reply. I can read and speak German and I also translate from German to English. I just can't write it. I will do what you recommended and post the results.

Thanks

kistev

Further to the above:
Hi all,

Here is the fixed HJT file
Logfile of HijackThis v1.99.1
Scan saved at 15:40:04, on 27.03.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\ROXIO\WINONCD\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ATI2CWAD.EXE
C:\WINDOWS\SYSTEM\ATIPTKAD.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE
C:\WINDOWS\TWAIN_32\A12U16K\WATCH.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MARMIKO SHARED\MWLAMAS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAMME\TOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lycos.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\WinOnCD\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] C:\PROGRAMME\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiKey] atiptkad.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\sentstrt.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [T-Online_Software_5\WLAN-Access Finder] C:\PROGRAMME\T-ONLINE\WLAN-ACCESS FINDER\TOWLAACF.EXE /StartMinimized
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A12U16K\WATCH.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAMME\YAHOO!\MESSENGER\YHEXBMES.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193a39b22b4a52b50a18/netzip/RdxIE601.cab

*******
I think everything is cleaned up now except for the result from eScan:


[msvLclnt.dll] [0xfffc355b] 27/03/2005 13:01:24:230 :[00000001] File C:\WINDOWS\COMMAND\EBD\EBD.CAB infected by not-a-virus:Tool.DOS.Restart

[msvLclnt.dll] [0xfffc355b] 27/03/2005 14:34:07:250 :[00000001] File E:\EDV\software\WordCount\fb3.exe infected by not-a-virus:Tool.Win32.Reboot

[msvLclnt.dll] [0xfffc355b] 27/03/2005 14:38:31:330 :[00000001] File E:\EDV\software\Pegasus Mail\w32-412a-de1.exe infected by not-a-virus:Tool.Win32.Reboot

I suppose I can just delete the files in E: as the programs have not been installed or unzipped. But what about the file in C: ?

I will put a separate post about the registry question. Once again thanks for all the help. Excellent forum !!

kistev
This post was edited on 27.03.2005 at 15:53 by kistev.
27.03.2005, 19:29
Member

Posts: 1132
#4 Hi kistev,

Your log looks fine! Everything should run well now.
The three files eScan has marked as "infected" are not really viruses. Tool.DOS.Restart and Tool.Win32.Reboot usually indicate that these files belong to older software on your computer. eScan marks them because they are "unknown" executables. Normally you could delete them all. But, to be on the safe side, just rename them with a different extension and see whether any problems occur. If not, then delete them.

Did Ad-Aware find any additional malware? It could be that Ad-Aware has identified and removed the registry entry which is not clear to you. So, look in the backup section of the program to see if the entry is mentioned there.

What you could additionally do is to evaluate your hjt log yourself at www.hijackthis.de and check the entries marked as "unbekannt" if you know them.

Best regards
Heron

edit:
I just remembered that I had a similar incident as regards the "Tool.Win32.Reboot" marking of files by eScan. When running Win98 on my old machine I had to install a special program from my provider enabling me to have a DSL connection. Check if this may also be the case with your files!
__________
"The world is big because the head is so small"
Wilhelm Busch
This post was edited on 27.03.2005 at 19:58 by Heron.
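Heron's two points above, that a "not-a-virus:" verdict marks a tool rather than an infection, and that renaming is safer than deleting, can be turned into a small triage script for eScan output. The following Python is an added example, not code from this thread or from eScan: it parses the log format quoted in post #3 and assigns each hit an action. The first three sample lines are copied from the thread; the fourth line (path and detection name) is constructed so that the real-malware branch runs too. The rule that a tool verdict on a file under C:\WINDOWS gets "verify" rather than "rename" is this example's own choice, since EBD.CAB in C:\WINDOWS\COMMAND\EBD belongs to the Windows 98 emergency boot disk and is not stray third-party software.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three eScan lines quoted in the thread plus one invented
# line (hypothetical path and detection name) so that the real-malware branch runs too.
SAMPLE_ESCAN_LOG = r"""
[msvLclnt.dll] [0xfffc355b] 27/03/2005 13:01:24:230 :[00000001] File C:\WINDOWS\COMMAND\EBD\EBD.CAB infected by not-a-virus:Tool.DOS.Restart
[msvLclnt.dll] [0xfffc355b] 27/03/2005 14:34:07:250 :[00000001] File E:\EDV\software\WordCount\fb3.exe infected by not-a-virus:Tool.Win32.Reboot
[msvLclnt.dll] [0xfffc355b] 27/03/2005 14:38:31:330 :[00000001] File E:\EDV\software\Pegasus Mail\w32-412a-de1.exe infected by not-a-virus:Tool.Win32.Reboot
[msvLclnt.dll] [0xfffc355b] 27/03/2005 14:40:00:000 :[00000001] File C:\TEMP\example.exe infected by Trojan.Win32.Hypothetical
"""

# Shape of an eScan client log line as quoted in the thread:
#   [module] [code] dd/mm/yyyy hh:mm:ss:ms :[seq] File <path> infected by <detection>
ESCAN_LINE = re.compile(
    r"^\[(?P<module>[^\]]+)\] \[(?P<code>0x[0-9A-Fa-f]+)\] "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:]+) :\[(?P<seq>\d+)\] "
    r"File (?P<path>.+?) infected by (?P<detection>\S+)$"
)

# Directories owned by the OS itself (Windows 98 keeps its emergency boot disk
# files under C:\WINDOWS\COMMAND\EBD); a "tool" verdict there deserves a closer
# look before anything is renamed or deleted. Prefix list is this example's choice.
SYSTEM_PREFIXES = ("c:\\windows\\",)


@dataclass(frozen=True)
class Verdict:
    path: str
    detection: str
    action: str  # "quarantine", "verify" or "rename-and-observe"


def is_riskware(detection: str) -> bool:
    """eScan's 'not-a-virus:' prefix marks a legitimate tool with risky capabilities
    (here: reboot/restart utilities bundled with older software), not an infection."""
    return detection.lower().startswith("not-a-virus:")


def decide(path: str, detection: str) -> str:
    if not is_riskware(detection):
        return "quarantine"          # real malware verdict: isolate it, do not run it
    if path.lower().startswith(SYSTEM_PREFIXES):
        return "verify"              # OS-owned file flagged as a tool: confirm before touching
    return "rename-and-observe"      # Heron's advice: change the extension, delete only if nothing breaks


def observation_name(path: str) -> str:
    """Name for a file that is parked rather than deleted; changing the extension
    stops it from being launched by double-click or file association."""
    return path + ".bak"


def triage(log_text: str) -> list[Verdict]:
    """Parse every well-formed eScan line and attach an action to it."""
    verdicts = []
    for line in log_text.splitlines():
        m = ESCAN_LINE.match(line.strip())
        if m:
            verdicts.append(Verdict(m["path"], m["detection"], decide(m["path"], m["detection"])))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_ESCAN_LOG):
        extra = f" -> {observation_name(v.path)}" if v.action == "rename-and-observe" else ""
        print(f"{v.action:18} {v.detection:32} {v.path}{extra}")
```

On the sample, EBD.CAB comes out as "verify", the two installers on E: as "rename-and-observe" (with `fb3.exe.bak` and `w32-412a-de1.exe.bak` as the parked names), and only the constructed Trojan line as "quarantine". Lines that do not match the expected shape are skipped rather than guessed at, so a truncated or differently formatted log entry never produces a spurious verdict.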
27.03.2005, 21:21
...new here

Thread starter

Posts: 6
#5 Hi Heron

Thanks very much for the help.

Your English is excellent!

Have a nice Easter

Regards

kistev
27.03.2005, 21:51
Member

Posts: 1132
#6 Pleasure!
Happy Easter to you as well!

Heron
__________
"The world is big because the head is so small"
Wilhelm Busch