Infected by Blackmal & virus removal tool failed to detect

I thought my system was immune to Blackmal for quite some time till hours ago, when I was surprised to find a mail being sent BY ME to one of the Yahoo groups in which I am a member. And it showed clearly that it was the infamous Blackmal virus, and I downloaded the virus removal tool from the Symantec site and did a full system scan. But the tool failed to detect the virus. What might be the problem?

I am using PC Cillin Internet Security 2006 with the latest updates, and it detected the virus in the attachment in the mail I mentioned above. Please tell me what exactly happened? Tell me whether my system is actually affected by the virus? If not, then why did that mail get sent to the Yahoo group? If yes, then why didn't the Symantec removal tool or even PC Cillin detect it?

Please help me.
 

rebornrajas700

Guest
Yeah, I also have the same problem. Symantec removal tool did detect.
 

bit

Banned
If possible, scan with Kaspersky or McAfee Enterprise. I am sure that will do the job for you.
 

anandk

Distinguished Member
pratheesh_prakash said:
Tell me whether my system is actually affected by the virus?

To find this out, post your HijackThis logfile here for scrutiny.
Else copy-paste this logfile into www.hijackthi.de for instant analysis and a solution.
 
OP

pratheesh_prakash

Broken In
Logfile of HijackThis v1.99.1
Scan saved at 2:13:12 AM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
H:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\TRENDM~1\Internet Security 2006\PcCtlCom.exe
H:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\Internet Security 2006\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\Internet Security 2006\tmproxy.exe
C:\PROGRA~1\TRENDM~1\Internet Security 2006\TmPfw.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\PowerMenu\PowerMenu.exe
H:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
H:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
F:\Program Files\TechSmith\Camtasia Studio 2\TSCHelp.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Visicom Media\AceFTP 3 Pro\aceftp3.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = *localhost:9100/proxy.pac
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PccIeBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - H:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - H:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PccIeBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] H:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: PowerMenu.lnk = H:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = H:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://h:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://H:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://h:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - H:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41B7AE8-4F99-44D7-BFC5-EFF9B4C4B10A}: NameServer = 218.248.255.145 61.1.96.71
O20 - AppInit_DLLs: "H:\PROGRA~1\Google\Google Desktop Search\GoogleDesktopNetwork3.dll"
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - H:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PcCtlCom.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\tmproxy.exe
 

kin.vachhani

Dreaming Future
Hey man, you can do one thing: you can repair your OS with a bootable CD......
or the best way is to scan your drive from another OS... for that a dual OS is a must......

The best way you can know whether your PC has a computer virus or not....
start the internet......then observe the flashing screen of the computer in the system tray....if it keeps on blinking, that means your PC is infected with an internet virus or worm or trojans......

Use ZoneAlarm for good results...but again it's only a firewall; it will not remove viruses but will protect from viruses which access the internet.....
 
OP
P

pratheesh_prakash

Broken In
But I have PC Cillin Internet Security 2006 installed on my computer....and it too has a firewall installed....but you know, I suspect Yahoo! Messenger...because only when I log in to Y! Messenger or I activate the "remember password" feature does this thing happen....till now I have been scanning regularly using PC Cillin, but no viruses were detected.....
 

aadipa

Padawan
This removal tool should do the job.

This worm creates startup processes 'winzip.exe' and 'update.exe', but the removal tool should take care of that.
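One way to triage a HijackThis log like the one posted above for the two startup names aadipa mentions. This is an added Python example, not code from the thread or from any tool named in it; the sample log is constructed (the Update.exe and winzip.exe entries are fabricated so the scanner has something to flag), and matching on the executable's base name is my own choice of granularity.

```python
import re

# Startup-entry names aadipa's post attributes to the worm; I assume a match on
# the executable's base name, case-insensitively, is the right granularity.
WORM_STARTUP_NAMES = {"winzip.exe", "update.exe"}

# Constructed sample in HijackThis v1.99 layout. The smss, dslagent and pccguide
# lines echo the thread's log; Update.exe and winzip.exe are fabricated here so
# the scanner has something to flag.
SAMPLE_LOG = r"""Running processes:
H:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Update.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] H:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKCU\..\Run: [WinZip] C:\WINDOWS\system32\winzip.exe /start
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the .exe a command line launches ("" if none)."""
    # Cutting at the first '.exe' copes with unquoted paths that contain spaces.
    m = EXE_RE.match(cmd.strip())
    return m.group("path").rsplit("\\", 1)[-1].lower() if m else ""

def find_worm_indicators(log_text: str) -> list:
    """Return (section, basename, line) for each indicator hit in the process list or O4 lines."""
    hits, in_processes = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not stripped:            # blank line closes the process list
                in_processes = False
                continue
            name = exe_basename(stripped)
            if name in WORM_STARTUP_NAMES:
                hits.append(("process", name, stripped))
            continue
        m = O4_RE.match(stripped)
        if m and exe_basename(m.group("cmd")) in WORM_STARTUP_NAMES:
            hits.append(("autostart", exe_basename(m.group("cmd")), stripped))
    return hits
```

Run against the thread's actual log the function returns an empty list, which is the mechanical version of anandk's "appears clean".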
 

anandk

Distinguished Member
But boss, your HijackThis logfile appears clean!!! :)

So what's the problem really!? PC Cillin is a good antivirus, and it must have detected and blocked the virus. So your PC doesn't appear to be infected.
 

eddie

El mooooo
pratheesh_prakash said:
I thought my system was immune to Blackmal for quite some time till hours ago, when I was surprised to find a mail being sent BY ME to one of the Yahoo groups in which I am a member. And it showed clearly that it was the infamous Blackmal virus, and I downloaded the virus removal tool from the Symantec site and did a full system scan. But the tool failed to detect the virus. What might be the problem?
Do you use webmail or some e-mail client? If you are using webmail, then there is no way that e-mail could have been sent by your system. Your e-mail address was just used as a mask and nothing else.
 

mehulved

18 Till I Die............
Eddie is right. If you use Yahoo Mail from your browser, there is no way that the infection was at your end. I don't think your computer is infected at all. I have seen such infected mails received on Yahoo groups from people who are Linux users and trusted members of the group. So I think you should stop worrying unless you use Yahoo Mail through POP.
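The distinction eddie and mehulved draw, a forged From line versus mail that really left your machine, can be checked in the message headers. This added Python example (not from the thread) parses a constructed message: the From header is whatever the sending program typed, while the earliest Received line was written by the first relay that accepted the message and records where it actually came from. Domains and addresses are reserved documentation values, and the host names are my own.

```python
import email
import re
from email import policy

# Constructed sample of a worm-style message: the From claims a group member's
# address, but the earliest Received line, written by the first relay
# (mx.example.org) when it accepted the message, shows an unrelated PC as the
# origin. RFC 2606 example domains and TEST-NET-3 addresses are used throughout.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10]) by groups.example.org with ESMTP; Sat, 11 Mar 2006 02:13:12 +0000
Received: from member-pc ([203.0.113.77]) by mx.example.org with SMTP; Sat, 11 Mar 2006 02:13:05 +0000
From: "A Member" <member@example.com>
To: some-group@groups.example.org
Subject: Photos

see attached
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def originating_hop(raw: str) -> dict:
    """Parse the earliest Received header (the last one in header order): the HELO
    name the origin announced, the IP the relay recorded for it, and that relay."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    if not m:
        return {}
    ip = IP_RE.search(m.group("info") or "")
    return {"helo": m.group("helo").lower(), "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}

def from_domain(raw: str) -> str:
    """Domain of the header From address, i.e. what the message merely claims."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg["From"].addresses[0].domain.lower()

def spoof_suspected(raw: str) -> bool:
    """True when the origin hop does not belong to the claimed From domain.
    The HELO name is sender-supplied too, so a real triage would check the
    recorded IP against the provider's published ranges; the principle is the
    same: trust the relay's record, not the From line."""
    hop = originating_hop(raw)
    return not hop or not hop["helo"].endswith(from_domain(raw))
```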
 