
View Full Version : Leox.B Virus



heaton
07-01-2006, 03:11 PM
WindowsXp. Zone alarm Pro. AVG pro.
Browsing through the alarms log of Zone Alarm I noticed some items labelled SYCHOST.EXE.
I did a google on this and it told me the alarms were generated by the above virus. AVG scans have not detected it and neither has Zone Alarm, except to tell me it has blocked some traffic.
Now how do I get rid of this, and has anybody got any more info on same please?

Speedy Gonzales
07-01-2006, 03:17 PM
Here (http://www.sarc.com/avcenter/venc/data/w32.hllw.leox.b.html) and here (http://www.sarc.com/avcenter/venc/data/pf/w32.hllw.leox.b.html)

info: W32.HLLW.Leox.B is a variant of W32.HLLW.Leox. It is a worm that sends a URL using QQ, a Chinese instant messaging program. The URL points to a site that hosts the worm.

The worm also emails password and equipment information from the game, Legend of Mir, to an email address at tom.com.

heaton
07-01-2006, 03:41 PM
Here (http://www.sarc.com/avcenter/venc/data/w32.hllw.leox.b.html) and here (http://www.sarc.com/avcenter/venc/data/pf/w32.hllw.leox.b.html)

info: W32.HLLW.Leox.B is a variant of W32.HLLW.Leox. It is a worm that sends a URL using QQ, a Chinese instant messaging program. The URL points to a site that hosts the worm.

The worm also emails password and equipment information from the game, Legend of Mir, to an email address at tom.com.

Sorry but this is no real help to me. I did a search on my computer for the programme sychost.exe and the search did not find anything. The zone alarm alert info tells me the following:
Description: Packet sent from ********** (UDP Port) ********
Rating: Medium.
Date/Time: 2006/01/05 16:05:10 +13 GMT.
Type: Firewall.
Protocol UDP
Program: sychost.exe.
Source IP *****************
Destination IP *****************
Direction: Outgoing.
Action Taken: Blocked
Count 1
Source DNS*************
Destination: dnsc/.xtra.co.nz
I have not given all the port and IP info in case this is a security risk to me.
What I want to know is: Have I got a virus/worm in my machine and if so how do I get rid of it ?
All the foregoing is gobbledygook to a simple user like me, so please make your explanations simple accordingly. Thanks.

Speedy Gonzales
07-01-2006, 03:44 PM
Click on the here links in my previous post.

You have a worm.

If you don't think you've got a worm or anything get hijackthis (http://www.merijn.org/files/hijackthis.zip) from here (http://www.spywareinfo.com/~merijn/)

Unzip this file into its own folder, and copy and paste the log here.

We'll soon find out.

Speedy Gonzales
07-01-2006, 03:49 PM
Oops, by the looks of it, the firewall blocked it, meaning it may be on your system, but whatever firewall u have may have blocked it.

You can paste a hijackthis log here anyway, just in case.

heaton
07-01-2006, 03:54 PM
Oops, by the looks of it, the firewall blocked it, meaning it may be on your system, but whatever firewall u have may have blocked it.

You can paste a hijackthis log here anyway, just in case.

Sorry but I don't know what I am letting myself in for now. What is this program hijackthis please ?

Speedy Gonzales
07-01-2006, 03:59 PM
Just go and get it download it, run it and scan and copy and paste the log here.

It shows files that may be nasty on ya system.

heaton
07-01-2006, 04:21 PM
Logfile of HijackThis v1.99.1
Scan saved at 17:17:40, on 7/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\DOCUME~1\GERARD~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Update Service] "c:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\update.exe" /startup
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.akaimi.net
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for your assistance so far.

Speedy Gonzales
07-01-2006, 04:40 PM
The log doesn't look too bad. Run hijackthis again, tick these entries, and tick fix checked.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

These entries below don't have to be in startup:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O15 - Trusted Zone: *.akaimi.net - I don't think this is meant to be there, unless you added it.

O15 - Trusted Zone: http://Download.Windowsupdate.com - safe if u added it.

That sychost.exe file isn't in this log. Looks like ZA or whatever firewall u have may have blocked it.
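As an added example (not code from this thread or from HijackThis), here is a small check over the "Running processes" section of a HijackThis log that flags the two things this thread turns on: a process whose name is one character off a core Windows binary (the sychost/svchost confusion) and a genuine system-binary name running from somewhere other than System32. The sample log is constructed; its last two process lines do not appear in heaton's log.

```python
from pathlib import PureWindowsPath

# Core Windows XP binaries and the only directory they legitimately run from.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32"

# Constructed sample: the first four process lines match the thread's log,
# the last two (sychost.exe and a misplaced svchost.exe) are made up for the demo.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\sychost.exe
C:\\Temp\\svchost.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
"""

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 means a one-character look-alike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (the block ends at a blank line)."""
    lines = log_text.splitlines()
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs

def suspicious_processes(log_text):
    """Flag look-alike names and system binaries running outside System32."""
    findings = []
    for path in running_processes(log_text):
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM_BINARIES:
            if parent != SYSTEM_DIR:
                findings.append((path, "system binary outside System32"))
            continue
        for real in SYSTEM_BINARIES:
            if edit_distance(name, real) == 1:
                findings.append((path, f"look-alike of {real}"))
                break
    return findings
```

On heaton's actual log the check returns nothing, which is the same conclusion Speedy reached by eye: every svchost.exe runs from System32 and no look-alike name is present.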

heaton
07-01-2006, 05:03 PM
Ok, done all that and hope my paranoia is relieved.
Thanks Speedy. What would we eighty-one year old fuddy duddies do without experts like you. Thanks again. :nerd: :)

Speedy Gonzales
07-01-2006, 05:08 PM
No worries Heaton :)

I would also keep XP up to date.

heaton
07-01-2006, 05:18 PM
No worries Heaton :)

I would also keep XP up to date.

Now you have got me worried again. I thought my auto updating thing was automatically keeping XP up to date.

Speedy Gonzales
07-01-2006, 05:23 PM
Well don't worry if it's up to date then!