I'm another stupid victim of the Bitgrabber program. I ran it to get a password for a file that I downloaded and then found out it's not only adware but possibly something far worse.
I took all the steps you required before making a HijackThis log and also ran an F-Secure Blacklight scan. Nothing has popped up so far, but as I'm not really an expert I want to be sure that there is nothing hidden in my system before using the machine for banking and credit card transfers again. As recommended in the other thread on the Bitgrabber problem, I also made a ComboFix log.
Thanks in advance for your help!
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:00:27, on 25.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\PowerISO\PWRISOVM.EXE
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WService.EXE
C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Programme\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\Semagic\LiveJournalU.exe
C:\HIJ\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programme\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Programme\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Programme\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
ComboFix log:
"Chili" - 07-01-25 19:06:38 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Dokumente und Einstellungen\Chili"
((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))
2007-01-25 18:58 <DIR> d-------- C:\HIJ
2007-01-25 18:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-24 22:31 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-24 18:24 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2007-01-24 18:24 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2007-01-24 18:24 <DIR> d-------- C:\DOKUME~1\Chili\Anwendungsdaten\SUPERAntiSpyware.com
2007-01-24 18:24 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\Anwendungsdaten\SUPERAntiSpyware.com
2007-01-24 17:59 <DIR> d-------- C:\WINDOWS\pss
2007-01-23 22:46 <DIR> d-------- C:\Programme\Lavasoft
2007-01-23 22:46 <DIR> d-------- C:\DOKUME~1\Chili\Anwendungsdaten\Lavasoft
2007-01-23 22:19 <DIR> d-------- C:\My Downloads
2007-01-23 22:19 <DIR> d-------- C:\DOKUME~1\Chili\Anwendungsdaten\BitGrabber
2007-01-20 18:27 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-01-20 18:27 315,392 --a------ C:\WINDOWS\SETUPX32.EXE
2007-01-20 18:27 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-01-20 18:27 <DIR> d-------- C:\Programme\GENIUS TABLET
2007-01-09 01:16 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-06 19:13 <DIR> d-------- C:\Programme\SlySoft
2007-01-06 19:06 <DIR> d-------- C:\Programme\CDBurnerXP Pro 3
2007-01-03 16:50 <DIR> d-------- C:\Programme\Webteh
2007-01-03 16:50 <DIR> d-------- C:\DOKUME~1\Chili\Anwendungsdaten\BSplayer
2007-01-03 16:45 <DIR> d-------- C:\Programme\Image Grabber II.NET
2007-01-03 16:41 <DIR> dr--s---- C:\WINDOWS\assembly
2007-01-03 16:40 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2007-01-02 03:26 <DIR> d-------- C:\Programme\ModTheSims2.com
2006-12-26 13:54 34,760 --a------ C:\WINDOWS\system32\drivers\ElbyCDFL.sys
2006-12-26 13:54 15,440 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-25 19:06 -------- d-------- C:\Programme\trillian
2007-01-25 18:15 -------- d-------- C:\Programme\mozilla thunderbird
2007-01-25 17:17 -------- d-------- C:\Programme\mozilla firefox
2007-01-25 16:35 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\avg7
2007-01-25 01:39 -------- d-------- C:\Programme\semagic
2007-01-24 19:34 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\foobar2000
2007-01-24 01:05 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\azureus
2007-01-23 20:08 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\adobe
2007-01-19 02:58 -------- d-------- C:\Programme\mirc
2007-01-18 22:53 -------- d-------- C:\Programme\antivir personaledition classic
2007-01-15 12:56 -------- d---s---- C:\DOKUME~1\Chili\Anwendungsdaten\microsoft
2007-01-10 18:06 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\adobeum
2007-01-09 22:22 -------- d-------- C:\Programme\java
2007-01-08 21:28 -------- d-------- C:\Programme\world of warcraft
2006-12-30 17:47 -------- d-------- C:\Programme\Gemeinsame Dateien\adobe
2006-12-21 01:55 -------- d-------- C:\Programme\emule
2006-12-13 21:24 89296 --a------ C:\WINDOWS\system32\elbycdio.dll
2006-12-11 23:51 -------- d--h----- C:\Programme\installshield installation information
2006-12-08 16:58 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\sony corporation
2006-12-08 16:54 -------- d-------- C:\Programme\sony corporation
2006-12-08 16:54 -------- d-------- C:\Programme\sony
2006-12-08 16:54 -------- d-------- C:\Programme\Gemeinsame Dateien\sony shared
2006-12-08 16:51 -------- d-------- C:\Programme\Gemeinsame Dateien\installshield
2006-12-07 19:42 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-12-07 19:42 -------- d-------- C:\Programme\motorola phone tools
2006-12-07 19:40 -------- d-------- C:\Programme\avanquest update
2006-12-07 19:40 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\installshield
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 18:30 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\opera
2006-12-04 22:21 -------- d-------- C:\Programme\poweriso
2006-11-30 22:59 -------- d-------- C:\Programme\google
2006-11-30 22:59 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\google
2006-11-30 17:18 -------- d-------- C:\Programme\k-lite codec pack
2006-11-30 17:18 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\real
2006-11-30 17:17 -------- d-------- C:\Programme\quicktime
2006-11-30 17:14 -------- d-------- C:\Programme\mpc
2006-11-30 17:14 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\media player classic
2006-11-28 19:12 -------- d-------- C:\Programme\microsoft activesync
2006-11-28 14:57 -------- d-------- C:\DOKUME~1\Chili\Anwendungsdaten\sun
2006-11-28 14:05 -------- d-------- C:\Programme\Gemeinsame Dateien\java
2006-11-28 14:03 -------- d-------- C:\Programme\azureus
2006-11-22 17:44 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-22 17:44 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-22 17:12 62 --ahs---- C:\DOKUME~1\Chili\Anwendungsdaten\desktop.ini
2006-11-22 16:25 0 -rahs---- C:\MSDOS.SYS
2006-11-22 16:25 0 -rahs---- C:\IO.SYS
2006-11-22 16:25 0 --a------ C:\CONFIG.SYS
2006-11-22 16:25 0 --a------ C:\AUTOEXEC.BAT
2006-11-08 09:48 1138688 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-11-08 06:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-03 13:35 217088 --a------ C:\WINDOWS\system32\xvidvfw.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Programme\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"PWRISOVM.EXE"="C:\\Programme\\PowerISO\\PWRISOVM.EXE"
"CloneCDTray"="\"C:\\Programme\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"WService"="WService.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Completion time: 07-01-25 19:08:27