I merged a .reg file that happened to be a trojan. On the next reboot of my computer, it installed Toolbar888 to IE7 and who knows what else. I could uninstall Toolbar888 from Remove Programs in Control Panel, but I am not sure if that will help as my registry has been compromised. Here is my HJT log:
-----
Logfile of HijackThis v1.99.1
Scan saved at 10:03:23 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{6C5FB59A-07C8-1042-0822-020219040001}\Update.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Maxx Hyeok Cho\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PimpFish Toolbar Opcode Handler - {29C88E20-4234-41B9-A9DB-982958C95FB1} - C:\Program Files\Small Programs\PimpFish\PimpFish.dll
O2 - BHO: FloatBar Class - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\Small Programs\PimpFish\FloatBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\Small Programs\PimpFish\PimpFish.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PimpFish Grab movies on this page - C:\Program Files\Small Programs\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Grab pictures on this page - C:\Program Files\Small Programs\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Grab pictures this page links to - C:\Program Files\Small Programs\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Grab Target File - C:\Program Files\Small Programs\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Grab This Picture - C:\Program Files\Small Programs\PimpFish\GRABPIC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Small Programs\WinHTTrack\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\Small Programs\WinHTTrack\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.c.../NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132723957795
O16 - DPF: {68C56780-1573-4836-A3F9-3D5219E49BE1} (PopdramaQLauncher Class) - http://appupdate.pop...ad/DramaQAx.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-----
Here are the .reg file's contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
----------------
Once again, I merged a .reg file that, on the next reboot of my computer, installed Toolbar888 to IE7 and who knows what else. I could uninstall Toolbar888 from Remove Programs in Control Panel, but I am not sure if that will help as my registry has been compromised.
Many many thanks in advance. You guys saved me the last time I had spyware on my computer, so you guys rock!
EDIT: I will add that Google Desktop Search failed to launch on startup of Windows. There may be other startup programs that did not launch, such as ActiveSync.
Also, I have just updated my HJT log to reflect the latest state of my computer. Finally, my clock reads 19:01 PM. I never set it to display military time.
Edited by hyeok, 29 July 2006 - 08:04 PM.