Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Potentially Medbot [RESOLVED]


  • This topic is locked This topic is locked

#1
help_me_pls

help_me_pls

    Member

  • Member
  • PipPip
  • 73 posts
hi

A setup.exe and a corresponding autorun.inf file is appearing in the root directory of the harddisk (C:\). When I delete it, it reappears at a random time. My current AV doesn't detect it, but other scanners detect it as Win32/Medbot.?? or a variant (NOD32) and Dr.Web detect it as Trojan.Popuper.

So how can I eliminate it? pls.


Logfile of HijackThis v1.99.1
Scan saved at 08:28:27, on 17/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera 9\Opera.exe
C:\Documents and Settings\User\Desktop\cureit.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bandwidth Monitor Pro - Pro²soft - C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

Advertisements


#2
Vikesrock8411

Vikesrock8411

    Visiting Staff

  • Member
  • PipPipPip
  • 456 posts
Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  • Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  • Click Scan Now
  • Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.
  • At the end of the scan click on see report. Then click Save report
Please post that log in your next reply.

In your next post please include:
  • Panda Activescan Log
  • A new Hijackthis! Log

  • 0

#3
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Note that the setup.exe file, mentioned in the first post, is not detected by the Activescan because at the time of the scan it was already deleted by Dr.Web AV.

Panda ActiveScan

Incident Status Location

Adware:adware/fastvideoplayer Not disinfected c:\windows\inf\fastvideoplayer.inf

Spyware:spyware/dluca Not disinfected Windows Registry

Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware:adware/savenow Not disinfected Windows Registry

Adware:adware/wupd Not disinfected Windows Registry

Adware:adware/azesearch Not disinfected Windows Registry

Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}

Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Temp\Cookies\user@tribalfusion[2].txt

Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Documents and Settings\User\My Documents\My Received Files\susetup.exe

Potentially unwanted tool:Application/Seekmo Not disinfected C:\Documents and Settings\User\DoctorWeb\Quarantine\SeekmoSetup.exe

Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\User\DoctorWeb\Quarantine\Setup.exe


Logfile of HijackThis v1.99.1

Scan saved at 10:33:35, on 17/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bandwidth Monitor Pro - Pro²soft - C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#4
Vikesrock8411

Vikesrock8411

    Visiting Staff

  • Member
  • PipPipPip
  • 456 posts
Go to Start > Run
Type:regedit
Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Open Notepad and copy and paste everything from the box below.
REGEDIT4

[-hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}]

[-hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}]

[-hkey_classes_root\clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}]

Click on File, Save it to your desktop, in file name save as
zango.reg
click OK.

Next go to your desktop and double click on zango.reg, allow it to merge to the registry. It should give you a prompt "sucessfully merged".

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Unzip it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\inf\fastvideoplayer.inf
    C:\Documents and Settings\User\My Documents\My Received Files\susetup.exe
    C:\Documents and Settings\User\DoctorWeb\Quarantine\SeekmoSetup.exe
    C:\Documents and Settings\User\DoctorWeb\Quarantine\Setup.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a new Hijackthis log and let me know if the files in question have returned.
  • 0

#5
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
First of all thanks for your help.

Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

No, I haven't received any PendingFileRenameOperations prompt.

...and let me know if the files in question have returned.

Until now there are no files (setup.exe & autorun.inf) but it may take a couple of hours or even a day to reappear, so I'll post as soon as they reappear.

Logfile of HijackThis v1.99.1


Scan saved at 03:05:22, on 18/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety....lscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E31CCB4-9988-4FA1-8A10-2DF88CBB245D}: NameServer = 194.158.37.177
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F168BA-E08A-4F25-B61C-3F0F6EAA612C}: NameServer = 194.158.37.196,194.158.37.211
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bandwidth Monitor Pro - Pro²soft - C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#6
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts

Ooops, the files (setup.exe & autorun.inf) are back :whistling:



I've sent the setup.exe file to suspectfile.com and I've received two replys. I'm posting them just in case they might be helpful.

Reply ONE
Hi,thanks for upload
This file is a malware,once executed add's this file
C:\Windows\System\smss.exe
C:\Windows\System32\nvsvcd.exe
 
creates the following entries in the Windows Registry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ ".nvsvc" = "C:\WINDOWS\system\smss.exe /w"
 
Create this service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log
"ImagePath"="C:\WINDOWS\system32\nvsvcd.exe"
 
Stop the following services:
RASMAN 
wscsvc 
SharedAccess
kavsvc
SAVScan
Symantec Core LC
wuauserv
navapsvc
 
The file packet with upx and written in C++
More strings in the code is encrypted
 
Regards

Reply TWO
Hi,  
thanks in order to have sended the file to us.  
setup.exe it is connected to a Trojan proxy (Trojan-Proxy.Win32.Horst.fi). Verification please if you have these values, in the event eliminates them:
 
HKLM\SYSTEM\CurrentControlSet\Services\Windows Log (the value in red is from eliminating)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.nvsvc = "c:\windows\System\smss.exe (the value in red is from eliminating)
 
c:\windows\TEMP\tmp1.tmp  (the value in red is from eliminating)
c:\windows\SYSTEM\smss.exe (the value in red is from eliminating)
c:\windows\system32\nvsvcd.exe (the value in red is from eliminating)
 
Ciao
==
The SuspectFile Team
Marco de Felice (amvinfe)
==

NOTE that I didn't find the above mentioned files (smss.exe & nvsvcd.exe) BUT I did find tmp1.tmp and its infected with Medbot. It is located in

C:\Documents and Settings\Kurt\Local Settings\Temp

Also, the following entries are NOT present in the registry

HKLM\SYSTEM\CurrentControlSet\Services\Windows Log
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

.nvsvc = "c:\windows\System\smss.exe

Any more help pls. ? :blink:

THANKS
  • 0

#7
Vikesrock8411

Vikesrock8411

    Visiting Staff

  • Member
  • PipPipPip
  • 456 posts
Download Cleanup!- Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked.
Click OK
Press the CleanUp! button to start the program. If prompted to reboot, click No.

Then delete Setup.exe and autorun.inf

Download The MVPS HOSTS file and use it to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Unfortunately the only way to tell if we got it is to wait and see if they reappear.
  • 0

#8
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I've done all of the above and now I'm waiting :whistling:

THANKS
:blink:
  • 0

#9
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Guess what?

The files (setup.exe & autorun.inf) are BACK :whistling:
  • 0

#10
Vikesrock8411

Vikesrock8411

    Visiting Staff

  • Member
  • PipPipPip
  • 456 posts
Something is bringing them back and we need to find out what.

Download GMER to your desktop.
  • Right Click the Zip and Select Extract All.
  • Open GMER and Click the Tab labeled RootKit.
  • Now Click Scan, it will take a while for the scan to complete.
  • Once done, Copy the results to Notepad and post them in the next reply.
Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • 0

Advertisements


#11
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I've attached the results of GMER and when I have time I'll do a KAV online scan and post the results.

THANKS.

Attached Files

  • Attached File  GMER.txt   44.76KB   496 downloads

  • 0

#12
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Here is the KAV online scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 20, 2006 11:32:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/08/2006
Kaspersky Anti-Virus database records: 216615
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 193084
Number of viruses found: 18
Number of infected objects: 57 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:45:34

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd9997.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4d0.dat Object is locked skipped
C:\WINDOWS\Temp\tmp00002181\tmp00000000 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-05122006-024132.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D717076.htm Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\All Users\Documents\setup.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{947D00EA-93F6-47CE-927C-A31F0AA532E1} Object is locked skipped
C:\Documents and Settings\User\My Documents\Brian\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\User\Desktop\setup.zip/setup.exe Infected: Trojan-Proxy.Win32.Horst.fi skipped
C:\Documents and Settings\User\Desktop\setup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe/data0038 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped
C:\Documents and Settings\stephen\My Documents\Programs\setup_ares.exe NSIS: infected - 7 skipped
C:\Documents and Settings\stephen\My Documents\Programs\CrsScript.exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\stephen\My Documents\Programs\CrsScript.exe InstallCreator: infected - 1 skipped
C:\Documents and Settings\stephen\My Documents\Programs\CrsScript.exe UPX: infected - 1 skipped
C:\Documents and Settings\stephen\My Documents\My eBooks\jokes.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\stephen\My Documents\My eBooks\jokes.exe/stream/data0026 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\stephen\My Documents\My eBooks\jokes.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\stephen\My Documents\My eBooks\jokes.exe NSIS: infected - 3 skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0020 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe/data0021 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped
C:\Documents and Settings\Kurt\My Documents\Programms\setup_ares.exe NSIS: infected - 7 skipped
C:\Program Files\Softwin\BitDefender9\aspdict.dat Object is locked skipped
C:\Program Files\Softwin\BitDefender9\asdict.dat Object is locked skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-08-20.15-42-58.log Object is locked skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Serv-U\ServUTray.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201 skipped
C:\Program Files\Serv-U\ServUAdmin.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6105 skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP77\A0006472.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP84\A0006721.exe Infected: Trojan-Proxy.Win32.Horst.fi skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP88\A0006857.exe Infected: Trojan-Proxy.Win32.Horst.fk skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP90\A0006876.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP91\A0006889.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP94\A0007002.exe Infected: Trojan-Proxy.Win32.Horst.fi skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP94\A0007008.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP97\A0007073.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP98\A0007128.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP100\A0007153.exe Infected: not-a-virus:AdWare.Win32.180Solutions.y skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP100\A0007154.exe Infected: not-a-virus:AdWare.Win32.180Solutions.am skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP103\A0007294.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP103\A0007295.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP104\A0007319.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP105\A0007929.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007944.exe Infected: not-a-virus:AdWare.Win32.180Solutions.am skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007945.exe Infected: not-a-virus:AdWare.Win32.180Solutions.y skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007946.exe/CHECKUPDATE.DLL Infected: not-a-virus:Server-FTP.Win32.Serv-U.6105 skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007946.exe/SERVUTRAY.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.5201 skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007946.exe/SERVUADMIN.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.6105 skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP106\A0007946.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP108\A0008006.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP109\A0009021.exe Infected: Trojan-Proxy.Win32.Horst.av skipped
C:\System Volume Information\_restore{71CC9CD8-6E19-49F6-B737-8CE541F5AD29}\RP111\change.log Object is locked skipped
C:\setup.exe Infected: Trojan-Proxy.Win32.Horst.av skipped

Scan process completed.
  • 0

#13
Vikesrock8411

Vikesrock8411

    Visiting Staff

  • Member
  • PipPipPip
  • 456 posts
I see some files there we will need to address but I would like more information before continuing.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

  • 0

#14
LonnyRJones

LonnyRJones

    Malware Expert

  • Member
  • PipPipPip
  • 143 posts
help_me_pls
Where else are you recieving assistance ?
http://forums.spybot...read.php?t=6595
  • 0

#15
help_me_pls

help_me_pls

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts

help_me_pls
Where else are you recieving assistance ?
http://forums.spybot...read.php?t=6595


I've started a thread at GeeksToGo after 3 days with no reply from SpyBot so I had to find help somewhere else. (hope to understand my postion)

BTW I've started only these two Threads.

THANKS to everyone who is contributing. :whistling:

Edited by help_me_pls, 22 August 2006 - 06:52 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP