
Infected by Blackmal & virus removal tool failed to detect

Discussion in 'Software Q&A' started by pratheesh_prakash, Feb 23, 2006.

Thread Status:
Not open for further replies.
  1. pratheesh_prakash

    pratheesh_prakash New Member

    Joined:
    Nov 9, 2004
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Quilon, Kerala
    I thought my system was immune to Blackmal for quite some time, till hours ago, when I was surprised to find a mail being sent BY ME to one of the Yahoo groups in which I am a member. It showed clearly that it was the infamous Blackmal virus, and I downloaded the virus removal tool from the Symantec site and did a full system scan. But the tool failed to detect the virus. What might be the problem?

    I am using PC Cillin Internet Security 2006 with the latest updates, and it detected the virus in the attachment in the mail I mentioned above. Please tell me what exactly happened. Tell me whether my system is actually affected by the virus. If not, then why did that mail get sent to the Yahoo group? If yes, then why didn't the Symantec removal tool detect it, or even PC Cillin?

    Please help me.
     
  2. YA, I also have the same problem. Symantec removal tool did detect.
     
  3. bit

    bit Banned

    Joined:
    Feb 13, 2006
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    0
    If possible, scan with Kaspersky or McAfee Enterprise. I am sure that will do the job for you.
     
  4. champ_rock

    champ_rock champ_rock

    Joined:
    Jun 15, 2005
    Messages:
    750
    Likes Received:
    1
    Trophy Points:
    0
    Location:
    Somewhere on the earth , near the equator
    Try HouseCall or some other online antivirus scanning.
     
  5. anandk

    anandk Distinguished Member

    Joined:
    Mar 8, 2005
    Messages:
    3,786
    Likes Received:
    106
    Trophy Points:
    0
    Location:
    Pune
    To find this out, post your HijackThis logfile here for scrutiny.
    Else copy-paste this logfile into www.hijackthi.de for instant analysis and solution.
     
  6. evildeadregeneration

    evildeadregeneration New Member

    Joined:
    Feb 23, 2006
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    0
    I think u r infected. Post ur HijackThis logfile.
     
  7. pratheesh_prakash (OP)

    pratheesh_prakash New Member

    Joined:
    Nov 9, 2004
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Quilon, Kerala
    Logfile of HijackThis v1.99.1
    Scan saved at 2:13:12 AM, on 3/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    H:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\TRENDM~1\Internet Security 2006\PcCtlCom.exe
    H:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\Internet Security 2006\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\Internet Security 2006\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\Internet Security 2006\TmPfw.exe
    H:\WINDOWS\Explorer.EXE
    H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\PowerMenu\PowerMenu.exe
    H:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    H:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    F:\Program Files\TechSmith\Camtasia Studio 2\TSCHelp.exe
    H:\Program Files\Internet Explorer\iexplore.exe
    H:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Opera\Opera.exe
    H:\Program Files\Internet Explorer\iexplore.exe
    H:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Visicom Media\AceFTP 3 Pro\aceftp3.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PccIeBar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - H:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar3.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - H:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PccIeBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
    O4 - HKLM\..\Run: [DSLAGENTEXE] H:\Program Files\Huawei\MT882\dslagent.exe
    O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - Global Startup: PowerMenu.lnk = H:\Program Files\PowerMenu\PowerMenu.exe
    O4 - Global Startup: Run Google Web Accelerator.lnk = H:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O8 - Extra context menu item: &Google Search - res://h:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &ieSpell Options - res://H:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Translate English Word - res://h:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://h:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://h:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Check &Spelling - res://H:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Save Flash - res://H:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Similar Pages - res://h:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://h:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - H:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - H:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - H:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D41B7AE8-4F99-44D7-BFC5-EFF9B4C4B10A}: NameServer = 218.248.255.145 61.1.96.71
    O20 - AppInit_DLLs: "H:\PROGRA~1\Google\Google Desktop Search\GoogleDesktopNetwork3.dll"
    O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - H:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\PcCtlCom.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\Internet Security 2006\tmproxy.exe
     
  8. kin.vachhani

    kin.vachhani Dreaming Future

    Joined:
    May 29, 2005
    Messages:
    177
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    \internet\home
    hey man u can do one thing, u can repair your OS with a bootable CD...
    or the best way is to scan your drive from another OS... for that a dual OS is a must...

    The best way u can know whether your PC has a computer virus or not...
    start the internet... then observe the flashing screen of the computer in the system tray... if it keeps on blinking that means your PC is infected with an internet virus or worm or trojans...

    use Zone Alarm for good results... but again it's only a firewall; it will not remove viruses but will protect from viruses which access the internet...
     
  9. pratheesh_prakash (OP)

    pratheesh_prakash New Member

    Joined:
    Nov 9, 2004
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Quilon, Kerala
    But I have PC Cillin Internet Security 2006 installed on my computer... and it too has a firewall installed... but you know, I suspect Yahoo! Messenger... because this thing happens only when I log in to Y! Messenger or I activate the "remember password" feature... till now I have been scanning regularly using PC Cillin, but no viruses were detected...
     
  10. aadipa

    aadipa New Member

    Joined:
    Feb 12, 2004
    Messages:
    997
    Likes Received:
    2
    Trophy Points:
    0
    Location:
    Palghar, Mumbai
    This removal tool should do the job.

    This worm creates startup processes 'winzip.exe' and 'update.exe', but the removal tool should take care of that.
     
  11. pratheesh_prakash (OP)

    pratheesh_prakash New Member

    Joined:
    Nov 9, 2004
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Quilon, Kerala
    But I used the same thing; as I have mentioned in the first post, this tool didn't detect anything.
     
  12. anandk

    anandk Distinguished Member

    Joined:
    Mar 8, 2005
    Messages:
    3,786
    Likes Received:
    106
    Trophy Points:
    0
    Location:
    Pune
    but boss, ur HijackThis logfile appears clean !!! :)

    so what's the problem really !? PC Cillin is a good antivirus, and it must have detected and blocked the virus. so ur PC doesn't appear to be infected.
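    Added example, not code from the thread or from any poster: a small Python triage pass over lines in the HijackThis v1.99 log format posted above, flagging the 'winzip.exe' / 'update.exe' startup names aadipa's post attributes to the worm, plus a few entry types (AutoConfigURL, AppInit_DLLs, services with a missing binary) a reviewer would want to eyeball before calling a log clean. The sample log is constructed from the posted one, with one hypothetical HKCU Run entry added so the check has something to find.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log in this thread, plus ONE
# hypothetical HKCU Run entry for 'winzip.exe' (aadipa's post). Not a log from any real machine.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\\..\\Run: [pccguide.exe] "C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe"
O4 - HKLM\\..\\Run: [MSConfig] H:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKCU\\..\\Run: [WinZip] H:\\WINDOWS\\system32\\winzip.exe
O4 - Global Startup: PowerMenu.lnk = H:\\Program Files\\PowerMenu\\PowerMenu.exe
O20 - AppInit_DLLs: "H:\\PROGRA~1\\Google\\Google Desktop Search\\GoogleDesktopNetwork3.dll"
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\\WinPcap\\rpcapd.exe" -d -f "%ProgramFiles%\\WinPcap\\rpcapd.ini (file missing)
"""

# Startup executable names this thread associates with the worm (aadipa's post).
SUSPECT_STARTUP = {"winzip.exe", "update.exe"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")   # "O4 - ..." style entries
EXE_RE = re.compile(r'[^\\/"\s\[\]=]+\.exe', re.IGNORECASE)       # bare executable names

def triage_hijackthis(log_text):
    """Return (section, reason, line) findings from a HijackThis log treated purely as text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines are skipped
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            # The last .exe on an O4 line is the command actually launched at logon.
            exes = EXE_RE.findall(body)
            exe = exes[-1].lower() if exes else ""
            if exe in SUSPECT_STARTUP:
                findings.append((section, f"startup entry runs {exe}", line))
        elif section == "R1" and "AutoConfigURL" in body and not body.rstrip().endswith("="):
            findings.append((section, "proxy auto-config URL is set; confirm it is yours", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((section, "AppInit_DLLs is loaded into every GUI process; verify publisher", line))
        elif section == "O23" and "(file missing)" in body:
            findings.append((section, "service points at a binary that no longer exists", line))
    return findings

def suspect_startup_names(findings):
    """Just the executables flagged under O4: a quick yes/no on the worm's startup indicators."""
    return sorted(f[1].split()[-1] for f in findings if f[0] == "O4")

for section, reason, line in triage_hijackthis(SAMPLE_LOG):
    print(f"[{section}] {reason}\n    {line}")
```

    On the log actually posted in this thread (no winzip.exe / update.exe entry) the O4 check returns nothing, which matches anandk's reading; the R1, O20 and O23 entries it does flag are the ones a reviewer would confirm are legitimate software rather than treat as proof of infection.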
     
  13. eddie

    eddie El mooooo

    Joined:
    Jan 26, 2006
    Messages:
    1,414
    Likes Received:
    14
    Trophy Points:
    0
    Location:
    India
    Do you use webmail or some e-mail client? If you are using webmail then there is no way that e-mail could have been sent by your system. Your e-mail address was just used as a mask and nothing else.
     
  14. Vyasram

    Vyasram The pWnster

    Joined:
    Oct 10, 2004
    Messages:
    841
    Likes Received:
    2
    Trophy Points:
    0
    Location:
    Karaikudi,TN
    Try doing it in safe mode.
     
  15. mehulved

    mehulved 18 Till I Die............

    Joined:
    Jul 15, 2004
    Messages:
    5,790
    Likes Received:
    44
    Trophy Points:
    0
    Location:
    India, Mumbai, Marine Lines
    Eddie is right. If you use yahoo mail from your browser there is no way that the infection was at your end. I don't think your computer is infected at all. I have seen such infected mails received on yahoo groups from people who are linux users and trusted members of the group. So, I think you should stop worrying unless you use yahoo mail through POP.
     