Can't run Hijack This & other recommended software



#31 loophole (Malware Expert, Retired Staff, 9,798 posts)
Ok, I'm sure Ewido will find a lot; hopefully most are just cookies and it cleans (quarantines) what it finds. The less manual work we have to do the better :blink: What a pain when they prevent you from running all these programs. I'm just glad you know your way around without Explorer, but I'm glad that's back :whistling:

Edited by loophole, 22 September 2006 - 10:00 PM.



#32 felipao (Topic Starter, Member, 23 posts)
No kidding. I've never seen anything like that before. I am glad I found Geeks to Go and such a patient and helpful guy like you :whistling: otherwise I would be screwed. I rely a lot on my computer for work / school stuff.

Anyway, my Ewido is a no go. In safe mode it won't open at all, and in normal mode it runs for a while and then I get that random system shutdown. I did not have enough time to copy the whole message, but it is something like:
System Shutdown

Shutdown initiated by NT AUTHORITY \SYSTEM ......

C:\WINNT\system32\services.exe generated an error # (don't remember the number). System will shutdown and restart again. Please save all your work. Shutdown in XX seconds (countdown).
How can I overcome that?

Despite the above, I am quarantining everything that pops up from either AVG or Ewido. Is that ok?

Cheers!

Felipe

Edited by felipao, 22 September 2006 - 10:36 PM.


#33 loophole (Malware Expert, Retired Staff, 9,798 posts)
Thanks for the kind words. Without the specific numbers of the error I'm not sure. Yes, have AVG and Ewido get rid of anything they don't like. How about another ComboFix log? Also, I overlooked that I don't see a firewall running. Could you install one of these if that is the case?
Let's clean your temp files; this just takes a second or two.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Also, let's look for a rootkit.

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

#34 felipao (Topic Starter, Member, 23 posts)
Before I read your reply I tried running Ewido again and the system shutdown came again. It says something like: C:\winnt\system32\services.exe terminated unexpectedly with status code 128.


I installed ZoneAlarm. The first alert I got was about services.exe trying to connect to the internet. I am not sure if I should allow or deny.

ATF Cleaner ran ok.

Blacklight:

09/22/06 22:59:46 [Info]: BlackLight Engine 1.0.46 initialized
09/22/06 22:59:46 [Info]: OS: 5.0 build 2195 (Service Pack 4)
09/22/06 22:59:47 [Note]: 7019 4
09/22/06 22:59:47 [Note]: 7005 0
09/22/06 23:00:02 [Note]: 7006 0
09/22/06 23:00:02 [Note]: 7011 1032
09/22/06 23:00:02 [Note]: 7026 0
09/22/06 23:00:02 [Note]: 7026 0
09/22/06 23:00:10 [Note]: FSRAW library version 1.7.1019
09/22/06 23:04:11 [Note]: 7007 0


Combofix:

Felipe - Fri 22/09/2006 22:57:25.89 Service Pack 4
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Felipe .GLOBAL\Desktop\clean"

((((((((((((((((((((((((((((((( Files Created from 2006-08-22 to 2006-09-22 ))))))))))))))))))))))))))))))))))


2006-09-22 22:33 257,024 --ah----- C:\WINNT\system32\hnsipv.exe
2006-09-22 20:27 125,852 --a------ C:\mguard.exe
2006-09-22 19:16 188,928 --a------ C:\WINNT\system32\05408_netapi.exe
2006-09-22 19:01 120,220 --a------ C:\WINNT\system32\30782_netapi.exe
2006-09-22 18:58 120,220 --a------ C:\WINNT\system32\15158_netapi.exe
2006-09-22 18:57 188,928 --a------ C:\WINNT\system32\44773_netapi.exe
2006-09-22 17:38 120,220 --a------ C:\WINNT\system32\27866_netapi.exe
2006-09-22 17:29 188,928 --a------ C:\WINNT\system32\10358_netapi.exe
2006-09-22 17:29 120,220 --a------ C:\WINNT\system32\47228_netapi.exe
2006-09-22 17:26 5,404 --ah----- C:\WINNT\system32\cfcgr.exe
2006-09-22 17:23 188,928 --a------ C:\WINNT\system32\41662_netapi.exe
2006-09-22 17:20 188,928 --a------ C:\WINNT\system32\65103_netapi.exe
2006-09-22 17:16 188,928 --a------ C:\WINNT\system32\64047_netapi.exe
2006-09-22 17:13 188,928 --a------ C:\WINNT\system32\81665_netapi.exe
2006-09-12 21:17 1,386,496 --a------ C:\WINNT\system32\msvbvm60.dll
2006-09-12 20:23 831,760 --a------ C:\WINNT\system32\mswdat10.dll
2006-09-12 20:23 614,672 --a------ C:\WINNT\system32\mswstr10.dll
2006-09-12 20:23 6,416 -ra------ C:\WINNT\system32\hccoin.dll
2006-09-12 20:23 53,520 --a------ C:\WINNT\system32\msjter40.dll
2006-09-12 20:23 512,272 --a------ C:\WINNT\system32\msexch40.dll
2006-09-12 20:23 422,160 --a------ C:\WINNT\system32\msrd2x40.dll
2006-09-12 20:23 380,957 --a------ C:\WINNT\system32\expsrv.dll
2006-09-12 20:23 315,664 --a------ C:\WINNT\system32\msrd3x40.dll
2006-09-12 20:23 213,264 --a------ C:\WINNT\system32\msltus40.dll
2006-09-12 20:23 151,824 --a------ C:\WINNT\system32\msjint40.dll
2006-09-12 20:22 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-09-12 20:02 176,128 --a------ C:\WINNT\system32\nvuaudio.exe
2006-09-12 19:54 6,928 --a------ C:\WINNT\system32\schmupd.exe
2006-09-11 00:23 18,192 --a------ C:\WINNT\system32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-22 22:58 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-22 22:34 -------- d-------- C:\Program Files\Zone Labs
2006-09-22 21:30 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-22 20:27 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-22 18:31 60416 --a------ C:\WINNT\system32\drivers\nnjxknjc.sys
2006-09-22 16:55 -------- d-a------ C:\Program Files\Common Files
2006-09-13 23:36 -------- d-------- C:\Program Files\Winamp
2006-09-13 23:36 -------- d-------- C:\Program Files\Webshots
2006-09-13 23:36 -------- d-------- C:\Program Files\Internet Explorer
2006-09-13 23:35 -------- d-------- C:\Program Files\PrintView
2006-09-13 23:35 -------- d-------- C:\Program Files\iTunes
2006-09-13 23:24 -------- d-------- C:\Program Files\CleanUp!
2006-09-12 21:17 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-12 02:19 -------- d-------- C:\Program Files\Last.fm Player
2006-09-11 10:46 33856 --a------ C:\WINNT\system32\drivers\oreans32.sys
2006-09-11 02:01 -------- d-------- C:\Program Files\eMule
2006-09-01 02:10 -------- d-------- C:\Program Files\Easy DVD Player
2006-08-24 17:45 -------- d-a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\SopCast
2006-08-22 22:44 -------- d-------- C:\Program Files\Java
2006-08-13 23:50 -------- d-------- C:\Program Files\Guild Wars
2006-08-13 13:13 -------- d-------- C:\Program Files\Soulseek-Test
2006-08-08 23:19 -------- d-------- C:\Documents and Settings\Felipe .GLOBAL\Application Data\CyberLink
2006-08-08 17:59 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-08 17:59 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-08 17:59 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-01 01:39 -------- d-------- C:\Program Files\mIRC
2006-07-26 23:43 -------- d-------- C:\Program Files\EndlessOnline
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\xing shared
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\Real
2006-07-18 20:12 122 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini
2006-07-11 23:31 9363 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"NeroCheck"="C:\\WINNT\\system32\\\\NeroCheck.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"ATIModeChange"="Ati2mdxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"RegistryMechanic"=""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"levmbnok"="C:\\slvpvevx.bat"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"SubscribedURL"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,00,00,00,60,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,50,05,00,00,62,01,00,00,80,02,00,00,e0,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,c8,00,00,00,2f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c8,00,00,00,ed,00,00,00,a8,00,00,00,9e,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,05,00,00,1f,00,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Windows Communicator for NT/XP"="wincomm.exe"
"Ms Java for Windows NT"="mguard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 2006-09-22 22:58:06.06
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
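The ComboFix "Files Created" lines and the HijackThis O4 entries above are what the helper reads to decide the next step. As an added example (not code from the forum or from either tool), the script below parses such lines and flags patterns worth a second look: the numeric-prefixed *_netapi.exe files and the hidden-attribute executable in system32 (which the ewido report later in the thread classifies as backdoors and a trojan), plus autoruns or new files sitting loose in the drive root. The regexes, reason strings and the sample log are this example's own assumptions, built from lines posted in the thread.

```python
"""Triage heuristics for ComboFix / HijackThis style log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ComboFix "Files Created" / "Find3M" line: date time size attributes path
CF_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# HijackThis O4 autorun line: O4 - HKLM\..\Run: [Name] command
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Five digits, underscore, netapi.exe: the repeated dropper name seen in the logs
NETAPI_DROPPER_RE = re.compile(r"(?i)\\\d{5}_netapi\.exe$")
# A program sitting directly in the drive root, e.g. C:\mguard.exe or C:\slvpvevx.bat
ROOT_PROGRAM_RE = re.compile(r'(?i)^"?[a-z]:\\[^\\]+\.(exe|bat|cmd|com|scr)"?(\s|$)')
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr")


@dataclass
class Finding:
    source: str                     # "combofix" or "hijackthis"
    subject: str                    # file path or autorun value name
    reasons: List[str] = field(default_factory=list)


def parse_combofix_file_line(line: str) -> Optional[Dict[str, object]]:
    """Split a ComboFix file line into its fields; None if the line is not one."""
    m = CF_FILE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "date": m.group("date"),
        "size": None if size.startswith("-") else int(size.replace(",", "")),
        "attrs": m.group("attrs"),
        "path": m.group("path").strip(),
    }


def review_combofix_file(entry: Dict[str, object]) -> List[str]:
    """Heuristic reasons to look twice at one newly created file."""
    path = str(entry["path"])
    attrs = str(entry["attrs"])
    reasons: List[str] = []
    if "h" in attrs and path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("hidden attribute set on an executable")
    if NETAPI_DROPPER_RE.search(path):
        reasons.append("numeric-prefixed *_netapi.exe (repeated dropper naming)")
    if ROOT_PROGRAM_RE.match(path):
        reasons.append("program dropped directly in the drive root")
    return reasons


def review_autorun(cmd: str) -> List[str]:
    """Heuristic reasons to look twice at one HijackThis O4 Run entry."""
    reasons: List[str] = []
    if ROOT_PROGRAM_RE.match(cmd):
        reasons.append("autorun launches a loose file in the drive root")
    if cmd.strip().strip('"').lower().endswith((".bat", ".cmd")):
        reasons.append("autorun runs a batch script")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run both parsers over mixed log text and keep only the flagged entries."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = parse_combofix_file_line(raw)
        if entry is not None:
            reasons = review_combofix_file(entry)
            if reasons:
                findings.append(Finding("combofix", str(entry["path"]), reasons))
            continue
        m = O4_RUN_RE.match(raw.strip())
        if m:
            reasons = review_autorun(m.group("cmd"))
            if reasons:
                findings.append(Finding("hijackthis", m.group("name"), reasons))
    return findings


# Constructed sample: a handful of lines taken from the ComboFix and HijackThis
# logs posted in this thread, mixed together the way a pasted post would be.
SAMPLE_LOG = r"""
2006-09-22 22:33 257,024 --ah----- C:\WINNT\system32\hnsipv.exe
2006-09-22 20:27 125,852 --a------ C:\mguard.exe
2006-09-22 19:16 188,928 --a------ C:\WINNT\system32\05408_netapi.exe
2006-09-12 21:17 1,386,496 --a------ C:\WINNT\system32\msvbvm60.dll
2006-09-22 22:58 -------- d-------- C:\Program Files\Mozilla Firefox
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.subject}: " + "; ".join(f.reasons))
```

Entries that match none of the heuristics (msvbvm60.dll, NeroCheck, the ZoneAlarm client) are left out of the output, so the flagged list is a starting point for review, not a verdict.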

#35 felipao (Topic Starter, Member, 23 posts)
Now with the firewall I was able to run ewido, following is the report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:58:04 PM 22/09/2006

+ Scan result:



C:\!KillBox\n8n6li5s18.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\!KillBox\rxched20.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/Installer4.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\!KillBox\TIGEN001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\!KillBox\lwinopex.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/ondsregl.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\58786_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\73266_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\13524_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\45172_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\58013_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\33563_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\41272_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\47216_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\60701_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\35563_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\44734_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\66453_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\71066_netapi[1].exe -> Backdoor.IRCBot.vm : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\07248_netapi[1].exe -> Backdoor.PcClient.qf : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\87225_netapi[1].exe -> Backdoor.PcClient.qf : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\87740_netapi[1].exe -> Backdoor.PcClient.qf : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\28028_netapi[1].exe -> Backdoor.PcClient.qf : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\56066_netapi[1].exe -> Backdoor.PcClient.qf : Cleaned with backup (quarantined).
C:\!KillBox\MS32.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\!KillBox\wincomm.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\!KillBox\wincomm.exe( 1) -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\12586_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\18230_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\33282_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\03136_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\26553_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\33182_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\36304_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2WTQQ5ML\50613_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\24046_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\58801_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\68462_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\33168_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\36541_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\70108_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\A223BJNO\87848_netapi[1].exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\05408_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\10358_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\41662_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\44773_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\64047_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\65103_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\81665_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\WINNT\system32\wincomm.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/01164_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/04706_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/32205_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/44132_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/45388_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/55175_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/62006_netapi.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/wincomm.exe -> Backdoor.Rbot.bie : Cleaned with backup (quarantined).
C:\!KillBox\msvps.exe -> Backdoor.Rbot.biw : Cleaned with backup (quarantined).
C:\!KillBox\explorer.exe -> Backdoor.Rbot.bjc : Cleaned with backup (quarantined).
C:\WINNT\system32\iexplore.exe -> Backdoor.Rbot.bjc : Cleaned with backup (quarantined).
C:\!KillBox\wgareg.exe -> Backdoor.VanBot.a : Cleaned with backup (quarantined).
C:\!KillBox\mswincom32.exe -> Backdoor.VanBot.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\backups\backup-20060918-195757-760.dll -> Dialer.Creazione.x : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\abcd[1].txt/drxvp.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\antec[1].jpg -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\WINNT\system32\config\drxvp.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/abcd.exe/drxvp.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\acer.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\drsmartload45a45z.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\drsmartload46a46z.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\drsmartload849a849z.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\msct.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\mscts.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\windrv.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\bintheredunthat\drsmartload.exe -> Downloader.Adload.fg : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\2CA27QOK\drsmartload152a[1].exe -> Downloader.Adload.fo : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81OX32KO\loader[1].exe -> Downloader.VB.ach : Cleaned with backup (quarantined).
C:\!KillBox\akkpsatA.exe -> Downloader.VB.ang : Cleaned with backup (quarantined).
C:\avenger\backup-Fri 22.09.2006-20.12.40.17.zip/avenger/akkpsatA.exe -> Downloader.VB.ang : Cleaned with backup (quarantined).
C:\Documents and Settings\Felipe .GLOBAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\Cache\D536F398d01 -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\WINNT\system32\wins\SqlExp.exe -> Not-A-Virus.Exploit.Win32.MS06040.c : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oh34ohhc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oh34ohhc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oh34ohhc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oh34ohhc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oh34ohhc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Felipe .GLOBAL\Cookies\felipe @data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Felipe .GLOBAL\Cookies\felipe @perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Felipe .GLOBAL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-44eba5ec-78be5755.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup (quarantined).
C:\!KillBox\912_121.exe -> Trojan.LdPinch.arr : Cleaned with backup (quarantined).
C:\WINNT\system32\hnsipv.exe -> Trojan.Lineage.aeh : Cleaned with backup (quarantined).


::Report end

Edited by felipao, 23 September 2006 - 01:17 AM.


#36 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi felipao :whistling:



Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


#37 felipao (Topic Starter, Member, 23 posts)
SDfix:


SDFix: Version 1.25
-------------------

Sat 23/09/2006
1:29p


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\Felipe .GLOBAL\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

MSCommmand

Path:
----

"C:\WINNT\system32\dllcache\mswincom32.exe"


MSCommmand ... deleted


Repairing Registry...





Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
--------------------------

C:\WINNT\system32\15158_netapi.exe
C:\WINNT\system32\27866_netapi.exe
C:\WINNT\system32\30782_netapi.exe
C:\WINNT\system32\47228_netapi.exe
C:\WINNT\system32\i

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------

Remaining Files:
--------------



*If Malware was detected, the files are stored in the SDFix\Backup Folder !

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:23 PM, on 23/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\clean\hijackthis\his.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#38
loophole
Malware Expert, Retired Staff, 9,798 posts
Hi felipao :whistling:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.


#39
felipao
Member, Topic Starter, 23 posts
Hello Loophole!

Since it is hard to read the report here, I am attaching the log file to this post.

Activescan:


Incident Status Location

Adware:Adware/Popper Not disinfected C:\!KillBox\akkpsat.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\fix32.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\fix32ddd.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\fix32oi.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\rayon.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\rayons.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\videotrom.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\videotron.exe
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\vnsbnsb.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.uol.com.br/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.terra.com.br/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.adtech.de/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.xiti.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Cookies\felipe @perf.overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Cookies\felipe @tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Desktop\clean\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Felipe .GLOBAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\yamyxzut.default\Cache\DD0DA363d01[SDFix/apps/Process.exe]
Adware:Adware/CommAd Not disinfected C:\WINNT\RmVsaXBlIA\lApPur15KE.vbs
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\x

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 2:52:03 PM, on 24/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\clean\hijackthis\his.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by felipao, 24 September 2006 - 03:53 PM.

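As an added example (not from the thread, and not part of HijackThis or SDFix), a small Python script that reads the O4 autorun lines of a HijackThis log like the one above and flags the entries a helper looks at first: a script file launched at logon, an executable sitting directly in the drive root, or a digit-prefixed name like the NNNNN_netapi.exe files SDFix removed. The sample lines are constructed from the log above; the `[netapi]` line is made up to exercise the third heuristic and does not appear in the posted log.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: O4 lines copied from the posted HijackThis log, plus one
# made-up entry modelled on the NNNNN_netapi.exe names SDFix found (not on the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [levmbnok] C:\slvpvevx.bat
O4 - HKLM\..\Run: [netapi] C:\WINNT\system32\30782_netapi.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
"""

REG_RE = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
LNK_RE = re.compile(r'^O4 - (?P<loc>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.+)$')
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|bat|cmd|vbs|scr|com|pif|js))"?(?:\s|$)', re.I)
SCRIPT_EXTS = {'.bat', '.cmd', '.vbs', '.pif', '.js'}

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Return {'loc','name','cmd','path'} for an O4 line, None for any other line."""
    m = REG_RE.match(line) or LNK_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    img = IMAGE_RE.match(entry['cmd'])          # strip quotes and trailing arguments
    entry['path'] = img.group('path') if img else entry['cmd']
    return entry

def suspicious_flags(path: str) -> List[str]:
    """Heuristics a removal helper applies by eye when reading the O4 list."""
    flags = []
    fname = ntpath.basename(path)               # ntpath handles Windows paths on any OS
    ext = ntpath.splitext(fname)[1].lower()
    if ext in SCRIPT_EXTS:
        flags.append('script-launcher')         # a .bat/.vbs autorun is rarely legitimate
    if re.match(r'^[A-Za-z]:\\[^\\]+$', path):
        flags.append('drive-root')              # real software installs below a folder
    if re.match(r'^\d+_', fname):
        flags.append('numeric-prefix')          # randomised dropper names such as 30782_netapi.exe
    return flags

def triage(log_text: str) -> List[Dict]:
    """Return the O4 entries that trip at least one heuristic, with their flags."""
    entries = filter(None, (parse_o4(ln.strip()) for ln in log_text.splitlines()))
    return [{'name': e['name'], 'path': e['path'], 'flags': f}
            for e in entries if (f := suspicious_flags(e['path']))]
```

Run against the sample, `triage(SAMPLE_LOG)` reports only the `[levmbnok]` and `[netapi]` entries; the heuristics are a starting point for a human review, not a verdict.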

#40
loophole
Malware Expert, Retired Staff, 9,798 posts
Hi felipao :whistling:

Great, not much there.

Delete these two folders:
C:\!KillBox
C:\WINNT\RmVsaXBlIA
C:\WINNT\system32\x (if present)

You may also delete any of the programs we had you download.



Deleting your Firefox cookies:
Click Tools then Options.
Click Privacy.
Click Clear across from the Cookies option.
Click Ok to return to the browser main page.
Exit and relaunch the browser.

How is the computer running?
#41
felipao
Member, Topic Starter, 23 posts
Hello loophole!

Done and Done.
Everything seems to be running smoothly.
Do you think it is safe for me to buy you a beer :whistling: through PayPal yet? No keyloggers or anything?

Thank you so much
Felipe

#42
loophole
Malware Expert, Retired Staff, 9,798 posts
Hello :blink:

Yep, I think it's fine. You did a great job. Beer......hmmm... That sounds good after this one :whistling:

#43
felipao
Member, Topic Starter, 23 posts
I really appreciate all your help, expertise and time.

I am usually careful with my comp but this time I let it slide.
Anyway, now I am able to carry on with my life since I rely a lot on the computer. Please let me know if there is anything else I should do to protect my comp, but its performance is apparently even better than before.

Hope you enjoy your beer, I am cracking one open right now. :whistling:

Cheers