|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
March 25th, 2005, 11:50 AM
|
|||
|
|||
Possible Virus
I have a zonealarm pro firewall which shows me that a program called "leks.exe" is trying to work as server, and then another one saying that leks.exe is trying to access internet to address 2XX.XXX.XXX.XXX,
I went to regedit, and in Soft/Microsoft/Win/CurrentVersion/Run(in simple words, startup entries), I found, entry written "leak leks.exe" This program was supposed to, reside at %systemroot% but after finding it on my computer, I find no file with leks.exe or leak. Now when I try to go to http://www.symantec.com/, I am taken to url http://localhost/(it's my personal mirror web site hosted by IIS on my computer) but in title bar url is http://www.symantec.com/ I have no problems, in running computer, internet, I don't get shutdown signs or anything malacious But by all these symptoms, it definately seems virus or any of it's cousin. I have completely up to date AVG Free 7 antivirus, which couldn't find any virus, and when I search leks.exe in google I get nothing. Can anyone tell me which one is it, and how can I cure it. Regards Last edited by ruab; March 25th, 2005 at 11:52 AM. 
|
|
#2
March 26th, 2005, 03:12 AM
|
||||
|
||||
|
Hi ruab. Lets see what is running on your PC. Go here and download the latest version of Hijack This. Unzip it and click on scan. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread.
|
|
#3
March 26th, 2005, 10:07 AM
|
|||
|
|||
Look @ the log
Logfile of HijackThis v1.99.1
Scan saved at 2:40:57 PM, on 3/26/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe C:\Program Files\Sify Broadband\BBClient.exe C:\Program Files\Free Download Manager\fdm.exe C:\Program Files\Opera 8 Beta\Opera.exe C:\Program Files\Pinnacle\PCTV Stereo\Vision\Vision.exe C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe C:\PROGRA~1\Pinnacle\SHARED~1\Filter\VBI_SE~1.EXE C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh Light 5\iMeshBHO.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Response Class - {81A99149-F047-4090-8AAD-D11FF4EFB734} - C:\WINDOWS\System32\dae.dll O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\RunServices: [leak] leks.exe I SUSPECT THIS ONE IS VIRUS OR SOMETHING LIKE THAT O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - Startup: Pinnacle Scheduler.lnk = C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe O4 - Global Startup: Pinnacle Scheduler.lnk = C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU) O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C41183-CA38-4974-8409-72127DE29D55}: NameServer = 202.144.155.4,202.144.66.6 O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - C:\Program Files\Offline Commander\ssp.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe Last edited by ruab; March 26th, 2005 at 10:09 AM.
|
|
#4
March 26th, 2005, 11:59 PM
|
||||
|
||||
|
Hi ruab, firstly can you confirm that you have Offline Commander installed?
Regarding leks.exe, it may well be a malware file. Go here and submit it. Copy and paste the result in this thread. You have a couple of other problems showing in your log but we might as well clean up the lot in one hit.
|
|
#5
March 27th, 2005, 11:22 AM
|
|||
|
|||
Virus Cured
I went to the site you told me,
and it told that this is virus, it was Win32/Agobot's varient, so I downloaded, removal tool from ca.com, and removed it. Now I can, see symantec.com, viruslist.com but removal tool at ca.com didn't remove leks.exe, should I delete on my own? Any other precautions, should I take, any other software should I download ( I already have AVG Free edition which didn't recognize this virus, and ZoneAlarm Pro) I have installed offline commander.
|
|
#6
March 28th, 2005, 01:31 AM
|
||||
|
||||
|
Hi ruab, there are still a couple or three entries to fix in your log. Close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.in/0SEENIN/SAOS01 O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh Light 5\iMeshBHO.dll O2 - BHO: Response Class - {81A99149-F047-4090-8AAD-D11FF4EFB734} - C:\WINDOWS\System32\dae.dll O4 - HKLM\..\RunServices: [leak] leks.exe When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) make sure that you can view hidden files and folders (and System Files)and run a search for and delete leks.exe. Reboot and post a new log.
|
|
#7
March 28th, 2005, 01:21 PM
|
|||
|
|||
Reposting Log
Logfile of HijackThis v1.99.1
Scan saved at 5:57:06 PM, on 3/28/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\ZONELABS\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Sify Broadband\BBClient.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Pinnacle\PCTV Stereo\Vision\Vision.exe C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe C:\PROGRA~1\Pinnacle\SHARED~1\Filter\VBI_SE~1.EXE C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe C:\Program Files\Opera 8 Beta\Opera.exe C:\Program Files\Sify Broadband\HBSBeat.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\PCTV Stereo\Remote\Remoterm.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU) O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C41183-CA38-4974-8409-72127DE29D55}: NameServer = 202.144.155.4,202.144.66.6 O18 - Protocol: ssp - {1E8068DE-05AD-11D4-ACC8-EF447469245C} - C:\Program Files\Offline Commander\ssp.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe Anything wrong, or I would love to have any other tip from you?
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| Win32myd virus, how to check any trace of virus, urgent | stars_l | Malware Removal | 1 | November 19th, 2011 06:48 PM |
| Virus preventing anti virus software working | quicklee99 | Malware Removal | 5 | October 23rd, 2009 01:40 PM |
| Virus made desktop dissappear and blocking anti virus | ducttape | Malware Removal | 26 | October 20th, 2009 12:25 AM |
| Removal of Winfixer 2006, Win Anti Virus Pro & Black Worm Virus | flyladiebugs | Malware Removal | 28 | April 21st, 2006 02:06 AM |
| Virus Hoax: Microsoft Debugger Registrar for Java (Jdbgmgr.exe) Is Not a Virus | squirekat | Malware Removal | 3 | March 19th, 2003 04:25 AM |
All times are GMT +1. The time now is 12:39 AM.