
Backdoor.HacDef.fw [RESOLVED]



#1 brotherdave (Member, 12 posts)
My son's PC is a P4 with XP Home. It had several nasties including UCMore, Surfsidekick3 and Backdoor.HacDef.fw. Following instructions from other posts I've managed to eliminate everything but the Backdoor.HacDef.fw, which I'm reminded of at every reboot by the Ewido I've installed. It sends it to quarantine and it just keeps coming back.

Most posts on the Backdoor.HacDef.fw advise using the SDFIX.EXE file from the AndyManchesta site but the download link in all the posts yields a 404 error here at this time.

HJT Log follows. Any help appreciated. I'd also like to get rid of the Symantec entries as I've installed TrendMicro and thought I'd uninstalled it already! Thanks in advance for your help. Regards, Dave

Logfile of HijackThis v1.99.1
Scan saved at 10:39:57 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svsnet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\dior4f4gyodtjy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...o.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Print Spooler Service (SpoolSvc220) - Unknown owner - C:\WINDOWS\system32\dior4f4gyodtjy.exe
O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi there :whistling:

Please rescan with HijackThis and, when Notepad opens, click Format and uncheck Word Wrap. (It makes the logs very hard to read with the double spacing.)

Also do the following, please.

Please download ComboFix and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Edited by loophole, 30 August 2006 - 10:14 PM.


#3 brotherdave (Topic Starter, Member, 12 posts)
Hi Loophole. Thanks for your help! Just after running the ComboFix file and saving the log I got a TrendMicro warning of a new nasty it calls Troj VB.BDQ, and I sent it to quarantine. Also, I forgot to mention in my initial post that I cannot turn on the XP firewall or any of the XP Security Suite items, as at the top of the Security Suite control window it says these functions are controlled by "group policy" and the buttons are grayed out. I'm guessing one of these nasties has buggered it up. I'm going to be out of town on Friday until late in the afternoon or early evening. I won't be ignoring you; I'll be at the hospital having some tests done.

======================================
Here's the original HJT log with wrapping off (Sorry about that!):

Logfile of HijackThis v1.99.1
Scan saved at 10:39:57 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svsnet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\dior4f4gyodtjy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Print Spooler Service (SpoolSvc220) - Unknown owner - C:\WINDOWS\system32\dior4f4gyodtjy.exe
O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

===============================

Here's the ComboFix log from about 1 hour ago:

Jacob Vasser - 06-08-31 9:55:23.56
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Jacob Vasser\Desktop\Downloads

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{E096E14C-3901-490A-B5D0-485FBD9A987A}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{E096E14C-3901-490A-B5D0-485FBD9A987A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E096E14C-3901-490A-B5D0-485FBD9A987A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E096E14C-3901-490A-B5D0-485FBD9A987A}\InprocServer32]
@="C:\\WINDOWS\\system32\\uweg.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E384B31D-D57B-4FFC-85D9-73172A511EA1}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{E384B31D-D57B-4FFC-85D9-73172A511EA1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E384B31D-D57B-4FFC-85D9-73172A511EA1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E384B31D-D57B-4FFC-85D9-73172A511EA1}\InprocServer32]
@="C:\\WINDOWS\\system32\\aimeter.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{2130F7AF-90A0-405F-9111-428C8D76930F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2130F7AF-90A0-405F-9111-428C8D76930F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2130F7AF-90A0-405F-9111-428C8D76930F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2130F7AF-90A0-405F-9111-428C8D76930F}\InprocServer32]
@="C:\\WINDOWS\\system32\\oKkley.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D7FF4DE9-422D-4EB6-A3E2-22576F9AF486}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7FF4DE9-422D-4EB6-A3E2-22576F9AF486}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7FF4DE9-422D-4EB6-A3E2-22576F9AF486}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7FF4DE9-422D-4EB6-A3E2-22576F9AF486}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CE918CB7-AAD2-4C90-901D-6F4FCC8DF998}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE918CB7-AAD2-4C90-901D-6F4FCC8DF998}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE918CB7-AAD2-4C90-901D-6F4FCC8DF998}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CE918CB7-AAD2-4C90-901D-6F4FCC8DF998}\InprocServer32]
@="C:\\WINDOWS\\system32\\oabc32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A064DAA1-C2A3-403F-BC79-9731BF4E83A8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A064DAA1-C2A3-403F-BC79-9731BF4E83A8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A064DAA1-C2A3-403F-BC79-9731BF4E83A8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A064DAA1-C2A3-403F-BC79-9731BF4E83A8}\InprocServer32]
@="C:\\WINDOWS\\system32\\tBpi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9D853E4E-8EFB-4A7D-8052-AE06D4CA9CA1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D853E4E-8EFB-4A7D-8052-AE06D4CA9CA1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D853E4E-8EFB-4A7D-8052-AE06D4CA9CA1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9D853E4E-8EFB-4A7D-8052-AE06D4CA9CA1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wgnhttp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{309E44BC-EAA4-4B6F-AAF8-E6065ADF2776}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{309E44BC-EAA4-4B6F-AAF8-E6065ADF2776}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{309E44BC-EAA4-4B6F-AAF8-E6065ADF2776}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{309E44BC-EAA4-4B6F-AAF8-E6065ADF2776}\InprocServer32]
@="C:\\WINDOWS\\system32\\mahtmled.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A21E7FF0-E4A4-43AF-8A3F-8172515FD917}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A21E7FF0-E4A4-43AF-8A3F-8172515FD917}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A21E7FF0-E4A4-43AF-8A3F-8172515FD917}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A21E7FF0-E4A4-43AF-8A3F-8172515FD917}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{36DED134-700B-45D7-A86A-4C11FE8986F4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36DED134-700B-45D7-A86A-4C11FE8986F4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36DED134-700B-45D7-A86A-4C11FE8986F4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{36DED134-700B-45D7-A86A-4C11FE8986F4}\InprocServer32]
@="C:\\WINDOWS\\system32\\rychost.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A6D8D545-0653-470A-B157-F6B6220BC0B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6D8D545-0653-470A-B157-F6B6220BC0B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6D8D545-0653-470A-B157-F6B6220BC0B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A6D8D545-0653-470A-B157-F6B6220BC0B4}\InprocServer32]
@="C:\\WINDOWS\\system32\\lRprxy.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{F1F3386D-CF12-4F6E-B330-B0B01F09FF0C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1F3386D-CF12-4F6E-B330-B0B01F09FF0C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1F3386D-CF12-4F6E-B330-B0B01F09FF0C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F1F3386D-CF12-4F6E-B330-B0B01F09FF0C}\InprocServer32]
@="C:\\WINDOWS\\system32\\kwdbu.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CBA42506-7860-4EEE-B9F0-E092CD88EEA1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA42506-7860-4EEE-B9F0-E092CD88EEA1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA42506-7860-4EEE-B9F0-E092CD88EEA1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA42506-7860-4EEE-B9F0-E092CD88EEA1}\InprocServer32]
@="C:\\WINDOWS\\system32\\mhhcp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00A31DD8-0398-4A1E-9B7A-24A3321F5309}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00A31DD8-0398-4A1E-9B7A-24A3321F5309}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00A31DD8-0398-4A1E-9B7A-24A3321F5309}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00A31DD8-0398-4A1E-9B7A-24A3321F5309}\InprocServer32]
@="C:\\WINDOWS\\system32\\cyrpol.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1CC7EA0C-26AB-4FF3-9382-66E5CBE8FD27}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CC7EA0C-26AB-4FF3-9382-66E5CBE8FD27}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CC7EA0C-26AB-4FF3-9382-66E5CBE8FD27}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1CC7EA0C-26AB-4FF3-9382-66E5CBE8FD27}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{58B3809F-0CC4-4306-84E4-7DB7C8D5222C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58B3809F-0CC4-4306-84E4-7DB7C8D5222C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58B3809F-0CC4-4306-84E4-7DB7C8D5222C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{58B3809F-0CC4-4306-84E4-7DB7C8D5222C}\InprocServer32]
@="C:\\WINDOWS\\system32\\xLctsrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9893FBC4-9891-4ACE-807B-6AE64C08CC6C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9893FBC4-9891-4ACE-807B-6AE64C08CC6C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9893FBC4-9891-4ACE-807B-6AE64C08CC6C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\djdmoprp.dll
C:\WINDOWS\system32\p8n8li5u18.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\kybrdff_11a.exe
C:\deskbar.exe
C:\Program Files\Deskbar
C:\Program Files\Common Files\{2C968400-07CA-1033-1114-011005010001}


((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


2006-08-31 09:48 88,064 --a------ C:\WINDOWS\system32\mlsdf8hgyndsiyoeu.exe
2006-08-30 21:48 88,064 --a------ C:\WINDOWS\system32\dior4f4gyodtjy.exe
2006-08-30 21:48 144,300 --a------ C:\ccpt.com
2006-08-30 18:27 171,008 --a------ C:\WINDOWS\system32\LXAESUI.DLL
2006-08-19 17:18 214,752 --a------ C:\Setup100.exe
2006-08-19 17:16 286 --a------ C:\WINDOWS\autoupdate.bat
2006-08-19 17:16 138,862 --a------ C:\WINDOWS\aupdate32.exe
2006-08-19 17:15 232,277 --a------ C:\windr32.exe
2006-08-19 14:03 2,292 --a------ C:\regfile.pif
2006-08-18 21:50 48,128 -r-hs---- C:\WINDOWS\system32\svsnet.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 10:00 -------- d-------- C:\Program Files\Common Files
2006-08-31 09:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-28 14:52 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-26 17:16 -------- d-------- C:\Program Files\QuickTime
2006-08-26 17:16 -------- d-------- C:\Program Files\InstallShield Installation Information
2006-08-21 15:45 -------- d-------- C:\Program Files\LimeWire
2006-08-19 20:15 -------- d-------- C:\Program Files\Windows NT
2006-08-19 17:50 -------- d-------- C:\Program Files\Project64 1.6
2006-08-18 22:02 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-16 17:20 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-08-16 17:20 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-08-16 16:51 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-08-14 18:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-08 19:50 -------- d-------- C:\Program Files\iTunes
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-06-10 13:51 59296 --a--c--- C:\Documents and Settings\Jacob Vasser\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{2C968400-07CA-1033-1114-011005010001}"="\"C:\\Program Files\\Common Files\\{2C968400-07CA-1033-1114-011005010001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{2C968400-07CA-1033-1114-011005010001}"="\"C:\\Program Files\\Common Files\\{2C968400-07CA-1033-1114-011005010001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Thu 08/31/2006 10:01:48.92
ComboFix.txt

====================================
HERE'S THE NEW HJT LOG from about 10 minutes ago:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:22 AM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svsnet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Print Spooler Service (SpoolSvc220) - Unknown owner - C:\WINDOWS\system32\dior4f4izpeu.exe
O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
================================

Thanks in advance for any help!
Regards,
Dave

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Ok, let's get started :whistling:

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.

REM delete.bat - unregister the rogue services first (SpoolSvc220 is the fake
REM "Print Spooler Service" from the HJT log), then clear the system, read-only
REM and hidden attributes on each dropped file so that del can remove it.
SC DELETE SPOOLSVC220
SC DELETE TIME
SC DELETE WTIME
attrib -s -r -h "C:\WINDOWS\system32\dior4f4gyodtjy.exe"
del /q "C:\WINDOWS\system32\dior4f4gyodtjy.exe"
attrib -s -r -h "C:\WINDOWS\system32\svsnet.exe"
del /q "C:\WINDOWS\system32\svsnet.exe"
attrib -s -r -h "C:\WINDOWS\system32\mlsdf8hgyndsiyoeu.exe"
del /q "C:\WINDOWS\system32\mlsdf8hgyndsiyoeu.exe"
attrib -s -r -h "C:\windr32.exe"
del /q "C:\windr32.exe"
attrib -s -r -h "C:\WINDOWS\aupdate32.exe"
del /q "C:\WINDOWS\aupdate32.exe"
attrib -s -r -h "C:\Setup100.exe"
del /q "C:\Setup100.exe"

After saving as instructed above, please close Notepad. You will now have a file on your desktop called delete.bat. Don't do anything with it yet.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Double-click the Delete.bat on your desktop (a screen will flash quickly).

Reboot back into normal Windows.

Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

rem Start from an empty results file
if exist Find.txt del /q Find.txt
rem Search %systemroot% recursively (/s) for hidden files (/a h) whose names start with each known prefix; /b writes bare paths
dir /b %systemroot%\cjnr4r4* /a h /s >> Find.txt
dir /b %systemroot%\sklrr7y* /a h /s >> Find.txt
dir /b %systemroot%\mlsdf8h* /a h /s >> Find.txt
dir /b %systemroot%\nlkfev7* /a h /s >> Find.txt
dir /b %systemroot%\dior4f4* /a h /s >> Find.txt
dir /b %systemroot%\eraseme_* /a h /s >> Find.txt
dir /b %systemroot%\timedrv26.sys /a h /s >> Find.txt
rem Show the results
notepad Find.txt


Locate search.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

#5
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for helping me out! I decided that when you said to save the file as "findfile.bat" and then said in the next paragraph to locate "search.bat" on the desktop that you were talking about the same file. I used the findfile.bat on the desktop that I'd just created.

Here are results of the Findfile.bat process:
C:\WINDOWS\Temp\cjnr4r43F64A7CC.tmp
C:\WINDOWS\Prefetch\SKLRR7YGYNDSIYOEU.EXE-3B618C3F.pf
C:\WINDOWS\Prefetch\SKLRR7YHMPSVXZ.EXE-0BAF0DFA.pf
C:\WINDOWS\Prefetch\SKLRR7YQWYBEGIMPS.EXE-34BCC067.pf
C:\WINDOWS\system32\sklrr7ygyndsiyoeu.exe
C:\WINDOWS\Prefetch\MLSDF8H6461884.EXE-1239F29E.pf
C:\WINDOWS\Prefetch\MLSDF8HCTIY.EXE-23AF10EC.pf
C:\WINDOWS\Prefetch\MLSDF8HGYNDSIYOEU.EXE-021993F2.pf
C:\WINDOWS\Prefetch\MLSDF8HHMPSVXZC.EXE-0DAE8A8D.pf
C:\WINDOWS\Prefetch\MLSDF8HWEHK.EXE-38E043C8.pf
C:\WINDOWS\system32\mlsdf8hctiy.exe
C:\WINDOWS\Temp\mlsdf8h6461884.exe
C:\WINDOWS\Prefetch\NLKFEV76434222.EXE-1ACB874D.pf
C:\WINDOWS\Prefetch\NLKFEV76840412.EXE-124903FA.pf
C:\WINDOWS\system32\nlkfev7sjzoeukzp.exe
C:\WINDOWS\Temp\nlkfev76434222.exe
C:\WINDOWS\Temp\nlkfev76840412.exe
C:\WINDOWS\Prefetch\DIOR4F4GYODTJY.EXE-09E08D17.pf
C:\WINDOWS\Prefetch\DIOR4F4IZPEU.EXE-39824FBC.pf
C:\WINDOWS\system32\dior4f4izpeu.exe
===============================
Here are the results of a fresh HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:04:14 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\TEMP\nlkfev76840412.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Print Spooler Service (SpoolSvc222) - Unknown owner - C:\WINDOWS\TEMP\nlkfev76840412.exe
O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
===========================
I probably should have waited but I've installed Spyware Guard on this machine since the last HJT report. It hasn't found anything.

Also, this machine is showing a new Firewall alert message from Trend Micro Security saying that file: C:\windows\temp\NLKFEVT6840412.EXE
is trying to connect to the internet. I've been blocking it from connecting. This is a brand new issue as far as I know. The Troj VB.BDQ hasn't shown up again.

Thanks again! Dave
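The two O23 lines in the log above that turned out to matter (a "Print Spooler Service" with an unknown owner running from C:\WINDOWS\TEMP, and a service whose binary is already gone) can be picked out mechanically. The Python below is an added example for readers of this thread, not a tool posted here or part of HijackThis; the sample log lines are constructed from entries quoted in the thread, the prefix list is copied from the findfile.bat above, and the heuristics (unknown owner, Temp directory, missing binary, known random prefix) are my own.

```python
"""Triage helper for HijackThis v1.99.1 logs: parses the running-process list
and the O23 service lines and flags unknown owners, binaries under Temp,
missing binaries and the random file-name prefixes hunted for with findfile.bat."""
import re
from dataclasses import dataclass

# Prefixes copied from the findfile.bat posted earlier in the thread.
KNOWN_PREFIXES = ("cjnr4r4", "sklrr7y", "mlsdf8h", "nlkfev7", "dior4f4", "eraseme_")
# No legitimate service binary should be loaded from these locations.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
O23_PREFIX = "O23 - Service: "
MISSING = "(file missing)"

# Constructed sample in HijackThis format: entries quoted in this thread plus two clean ones.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\nlkfev76840412.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Print Spooler Service (SpoolSvc222) - Unknown owner - C:\WINDOWS\TEMP\nlkfev76840412.exe
O23 - Service: Secondary .NET Framework (SVSNET) - Unknown owner - C:\WINDOWS\system32\svsnet.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
"""

@dataclass
class ServiceEntry:
    display: str   # display name as HijackThis prints it
    short: str     # service key name from the parentheses, else the display name
    owner: str     # company string; "Unknown owner" when HijackThis has none
    path: str      # binary path with any "(file missing)" suffix stripped
    missing: bool  # True when HijackThis could not find the binary on disk

def parse_o23(line):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    # Fields are " - " separated; split from the right so a display name containing " - " survives.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return ServiceEntry(display, m.group(1) if m else display, owner, path, missing)

def path_reasons(path):
    """Heuristics that apply to any binary path, service or running process."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a temp directory")
    name = low.rsplit("\\", 1)[-1]
    for prefix in KNOWN_PREFIXES:
        if name.startswith(prefix):
            reasons.append(f"filename matches findfile.bat prefix '{prefix}'")
            break
    return reasons

def service_reasons(entry):
    """Service-specific checks first, then the generic path checks."""
    reasons = []
    if entry.owner.strip().lower() == "unknown owner":
        reasons.append("unknown owner")
    if entry.missing:
        reasons.append("binary missing (orphaned service entry)")
    reasons.extend(path_reasons(entry.path))
    return reasons

def triage_hjt_log(text):
    """Return {'services': {short_name: [reasons]}, 'processes': [flagged paths]}."""
    services, processes, in_processes = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
        elif in_processes and line:
            if path_reasons(line):
                processes.append(line)
        else:
            in_processes = False  # a blank line ends the process list
            entry = parse_o23(line)
            if entry is not None and (reasons := service_reasons(entry)):
                services[entry.short] = reasons
    return {"services": services, "processes": processes}
```

Run against the constructed sample, it flags SpoolSvc222 and SVSNET and the Temp process, and leaves the NVIDIA and Trend Micro services alone.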

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ok.

Bear with me. This is a rootkit infection, which is a bit tricky to remove and pretty nasty. Let's go at it again with a little change in instructions.

I need you to save these instructions to Notepad for use in Safe Mode; you will need to copy and paste.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Click start >>> run
Type the following pressing enter after each one

SC DELETE SPOOLSVC220 {press enter}
SC DELETE SVSNET {press enter}
SC DELETE WTIME {Press enter}

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Killbox

  • Please double-click Killbox.exe to run it.
  • Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\sklrr7ygyndsiyoeu.exe
C:\WINDOWS\system32\mlsdf8hctiy.exe
C:\WINDOWS\system32\nlkfev7sjzoeukzp.exe
C:\WINDOWS\system32\dior4f4izpeu.exe
C:\WINDOWS\TEMP\nlkfev76840412.exe
C:\WINDOWS\Temp\mlsdf8h6461884.exe
C:\WINDOWS\Temp\nlkfev76434222.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot please post a new HijackThis log, rerun the search.bat (findfile.bat) and post it, and a new ComboFix log (2 posts if you have to).

#7
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Automated fix is back up. Let's give it a whirl.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


#8
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for your patience. I had a bad day at the hospital yesterday.

The SD FIX report:
SDFix: Version 1.20
-------------------------

Scan Time/Date:

08:31 PM
Sat 09/02/2006

Microsoft Windows XP [Version 5.1.2600]

Running from:
C:\Documents and Settings\Jacob Vasser\Desktop\SDFix\SDFix


Stage One...


Checking Services...

Service Name:
------------------

spoolsvc222
svsnet

File Path:
------------

C:\WINDOWS\TEMP\nlkfev76840412.exe /service
C:\WINDOWS\system32\svsnet.exe

Removing Services:
------------------------

SUCCESS
SUCCESS


Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\XYNRYQIV\D212_1~1.EXE
C:\CCPT.COM
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\E9V8FDN0\D220_1~1.EXE
C:\WINDOWS\Temp\cjnr4r43F64A7CC.tmp
C:\WINDOWS\Prefetch\SKLRR7YGYNDSIYOEU.EXE-3B618C3F.pf
C:\WINDOWS\Prefetch\SKLRR7YHMPSVXZ.EXE-0BAF0DFA.pf
C:\WINDOWS\Prefetch\SKLRR7YQWYBEGIMPS.EXE-34BCC067.pf
C:\WINDOWS\system32\sklrr7ygyndsiyoeu.exe
C:\WINDOWS\Prefetch\MLSDF8H6461884.EXE-1239F29E.pf
C:\WINDOWS\Prefetch\MLSDF8HCTIY.EXE-23AF10EC.pf
C:\WINDOWS\Prefetch\MLSDF8HGYNDSIYOEU.EXE-021993F2.pf
C:\WINDOWS\Prefetch\MLSDF8HHMPSVXZC.EXE-0DAE8A8D.pf
C:\WINDOWS\Prefetch\MLSDF8HWEHK.EXE-38E043C8.pf
C:\WINDOWS\system32\mlsdf8hctiy.exe
C:\WINDOWS\Temp\mlsdf8h6461884.exe
C:\WINDOWS\Prefetch\NLKFEV76434222.EXE-1ACB874D.pf
C:\WINDOWS\Prefetch\NLKFEV76840412.EXE-124903FA.pf
C:\WINDOWS\system32\nlkfev7sjzoeukzp.exe
C:\WINDOWS\Temp\nlkfev76434222.exe
C:\WINDOWS\Temp\nlkfev76840412.exe
C:\WINDOWS\Prefetch\DIOR4F4GYODTJY.EXE-09E08D17.pf
C:\WINDOWS\Prefetch\DIOR4F4IZPEU.EXE-39824FBC.pf
C:\WINDOWS\system32\dior4f4izpeu.exe

Backing Up and Removing any Files Found....

Final Check:

Remaining Services:
------------------------


Remaining Files:
-------------------




FINISHED
======================================
A new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:44:00 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
=======================================

Thanks for your help on this! Dave

#9
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Sorry to hear of your misfortune at the hospital. There are no time restraints on your log. I will be here whenever you can return :whistling:

Please run a scan with HijackThis and check the following lines for removal:

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownload...m/installer.dll
O16 - DPF: {8522F9B3-0000-0000-0000-000000000000} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.


#10
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
The Panda Active Scan Result looks pretty nasty. SKIP this post and go down to the one where it is in a .doc WORD file. It is too long to post here. The .txt file is too hard to read. Sorry, Dave

Edited by brotherdave, 02 September 2006 - 10:02 PM.

#11
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I TRIED to post it again. No dice. SKIP to the HJT file below and the post with the PANDA .doc WORD file.
Sorry...again, Dave

Edited by brotherdave, 02 September 2006 - 10:04 PM.


#12
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
The PANDA scan report is incomplete in the previous posts. I'm attaching it instead.
Funny that when I clicked preview it shows both reports in the preview but won't post. Here is the HJT report I just ran.

Logfile of HijackThis v1.99.1
Scan saved at 11:22:25 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Documents and Settings\Jacob Vasser\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Attached Files



#13
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I used WORD to pare down the Panda Scan. It is attached in the NEXT post. I tried to post a copy of the WORD file here but it didn't work either.

Sorry, but that Panda report is 24 pages long in WORD! Dang! Dave

Edited by brotherdave, 02 September 2006 - 10:06 PM.


#14
brotherdave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
OK, SAME result. This panda file is huge. I'm attaching the WORD file. It might be easier to read. Sorry, Dave

Attached Files



#15
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

That report is a little deceiving. Most of that is in the Norton recycle bin.

Follow these directions to empty the Norton recycle bin

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now, navigate to and delete the following files if present:

c:\windows\system32\f3pssavr.scr
c:\keys.ini

Reboot and post a new hijack log and let me know how the computer is running :blink: