Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Possible Trojan infection [RESOLVED]

Started by maze7817 , Feb 15 2007 01:06 PM

  • This topic is locked This topic is locked

#91
maze7817
Posted 31 March 2007 - 09:36 AM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Scanner results
Scan taken on 31 Mar 2007 15:32:30 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Statistics
Last file scanned at least one scanner reported something about: Admin_Panel.exe (MD5: 33d4b9d5c03adb1f9bbdc6b612cfbcc4, size: 57344 bytes), detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 Backdoor.VB.63
  • 0

Advertisements

#92
maze7817
Posted 31 March 2007 - 09:42 AM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
when uploading the file in step 2, i was unable to find the file in the designated area. is there anywhere else it could possibly be?
  • 0

#93
SNOWHITE
Posted 31 March 2007 - 11:57 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

when uploading the file in step 2, i was unable to find the file in the designated area. is there anywhere else it could possibly be?

Did you copy and paste the path or you used the browse button? Can you try with copy & paste and if that don't work just proceed with the steps.

Edited by SNOWHITE, 31 March 2007 - 11:57 AM.

  • 0

#94
maze7817
Posted 31 March 2007 - 03:53 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
i tried to copy & paste the file and i got this message in response:

The file you tried to upload was 0 Bytes or something prevented it from being uploaded. If someone requested you upload the file please let them know.
  • 0

#95
SNOWHITE
Posted 31 March 2007 - 04:05 PM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

i tried to copy & paste the file and i got this message in response:

The file you tried to upload was 0 Bytes or something prevented it from being uploaded. If someone requested you upload the file please let them know.

OK, proceed with the next steps :whistling:
  • 0

#96
maze7817
Posted 01 April 2007 - 04:29 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ybrrckcd

*******************

Script file located at: \??\C:\WINNT\system32\bqfahgrg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver Hrmy19 unloaded successfully.


File C:\WINNT\system32\Hrmy19.sys not found!
Deletion of file C:\WINNT\system32\Hrmy19.sys failed!

Could not process line:
C:\WINNT\system32\Hrmy19.sys
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
  • 0

#97
maze7817
Posted 01 April 2007 - 04:30 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:29:23 PM, on 04/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165361061335
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#98
maze7817
Posted 01 April 2007 - 04:43 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
in step 5 what option should i select under "Regisrty"?
  • 0

#99
SNOWHITE
Posted 01 April 2007 - 05:08 PM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

in step 5 what option should i select under "Regisrty"?

Change only the ones that i mentioned in the instructions, leave the default setting for everything else :whistling:
  • 0

#100
maze7817
Posted 02 April 2007 - 07:10 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
i try to complete step 5 but the scanner stops responding when it starts to scan Winlogon Settings
  • 0

Advertisements

#101
SNOWHITE
Posted 04 April 2007 - 07:36 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
maze7817 :whistling:

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#102
maze7817
Posted 06 April 2007 - 01:15 AM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
"Allen" - Fri 04/06/2007 1:08:03 Service Pack 4
ComboFix 07-04-04.5 - Running from: "C:\Documents and Settings\Allen\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32_exception.nls
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\pthreadVC.dll
C:\WINNT\system32\WanPacket.dll
C:\WINNT\system32\wpcap.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINNT\system32\drivers\npf.sys
C:\Documents and Settings\All Users.\documents\settings


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\NPF
-------\LEGACY_CMDSERVICE
-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-05 19:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_270.dat
2007-04-04 21:48 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_268.dat
2007-04-01 16:25 <DIR> d-------- C:\avenger
2007-04-01 16:18 60,416 --a------ C:\WINNT\system32\drivers\uu^hhaku.sys
2007-03-30 12:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_27c.dat
2007-03-27 19:17 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-03-24 14:18 <DIR> d-------- C:\DOCUME~1\Allen\DoctorWeb
2007-03-24 14:09 79,360 --a------ C:\WINNT\system32\swxcacls.exe
2007-03-24 14:09 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-03-24 14:09 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-03-24 14:09 135,168 --a------ C:\WINNT\system32\swreg.exe
2007-03-24 13:57 40,960 --a------ C:\WINNT\system32\swsc.exe
2007-03-22 21:30 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_104.dat
2007-03-21 18:33 <DIR> d-------- C:\Deckard
2007-03-19 18:32 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_28c.dat
2007-03-17 14:27 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_288.dat
2007-03-17 13:34 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_294.dat
2007-03-16 20:50 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2ac.dat
2007-03-16 20:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2a8.dat
2007-03-16 20:35 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b0.dat
2007-03-16 20:16 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2a0.dat
2007-03-16 20:03 94,424 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-03-16 20:03 90,112 --a------ C:\WINNT\system32\AVASTSS.scr
2007-03-16 20:03 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-03-16 20:03 689,280 --a------ C:\WINNT\system32\aswBoot.exe
2007-03-16 20:03 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-03-16 20:03 31,560 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-03-16 20:03 23,352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-03-16 20:03 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2007-03-16 20:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-03-16 19:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5fc.dat
2007-03-16 18:59 51,328 --a------ C:\WINNT\system32\drivers\inspect.sys
2007-03-16 17:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-03-16 17:49 <DIR> d-------- C:\DOCUME~1\Allen\APPLIC~1\Comodo
2007-03-16 17:38 <DIR> d-------- C:\Program Files\Comodo
2007-03-14 17:25 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1644.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-27 03:37 -------- d-------- C:\Program Files\java
2007-03-24 14:09 880 --a------ C:\WINNT\system32\tmp.reg
2007-03-19 18:31 69904 --a------ C:\WINNT\system32\ws2_32.dll
2007-02-23 17:36 16384 --a----t- C:\WINNT\system32\perflib_perfdata_384.dat
2007-02-18 23:32 16384 --a----t- C:\WINNT\system32\perflib_perfdata_210.dat
2007-02-18 20:43 16384 --a----t- C:\WINNT\system32\perflib_perfdata_2bc.dat
2007-02-18 14:06 16384 --a----t- C:\WINNT\system32\perflib_perfdata_8c8.dat
2007-02-18 04:15 16384 --a----t- C:\WINNT\system32\perflib_perfdata_998.dat
2007-02-18 02:56 16384 --a----t- C:\WINNT\system32\perflib_perfdata_1ce4.dat
2007-01-28 22:40 1168 --a------ C:\WINNT\mozver.dat
2007-01-21 19:18 16384 --a----t- C:\WINNT\system32\perflib_perfdata_10e0.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannel\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\
wugroup REG_MULTI_SZ wuauserv\
BITSgroup REG_MULTI_SZ BITS\

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\AppleSoftwareUpdate.job
C:\WINNT\tasks\McAfee.com Update Check (ALLEN-YCZ4CN9JC-Allen).job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Fri 2007-04-06 1:13:26
C:\ComboFix ... 07-04-06 01:13
C:\ComboFix ... 07-04-06 01:13
C:\ComboFix-quarantined-files.txt ... 07-04-06 01:13
C:\ComboFix2.txt ... 06-12-15 17:14
C:\ComboFix3.txt ... 06-12-14 17:12
  • 0

#103
maze7817
Posted 06 April 2007 - 01:16 AM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:15:05 AM, on 04/06/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165361061335
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#104
SNOWHITE
Posted 07 April 2007 - 01:02 AM

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts


Hello maze7817,

Nice job :whistling:
Step 1

1. Double-click avenger.exe on your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
uu^hhaku

Files to delete:
C:\WINNT\system32\drivers\uu^hhaku.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Step 2

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINNT\tasks\McAfee.com Update Check (ALLEN-YCZ4CN9JC-Allen).job <<This file

Step 3

Copy the text below from the codebox into Notepad and Save it to the Desktop with the name find.bat and Save As: All Files

dir \ws2_32.dll /a h /s > File.txt

Double click the find.bat and wait for the dos window to close, a file.txt will appear on the desktop. Post the contents of the file.txt back in this thread.

Step 4

Now, restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Scan for Hidden Data Streams
  • Open HiJackThis
  • Click on the "Open the Misc Toll section"
  • Click on "Open ADS Spy.."
    • Uncheck "Quick scan (Windows base folder only)"
    • Uncheck "Ignore safe system info streams"
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and past the List from the notepad into your next post
OK, post back with avenger report, file.txt and HJT ADS Spy report, let me know hows the computer running :blink:
  • 0

#105
maze7817
Posted 07 April 2007 - 02:50 PM

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nedbsbip

*******************

Script file located at: \??\C:\Program Files\rxusvygp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\uu^hhaku not found!
Unload of driver uu^hhaku failed!

Could not process line:
uu^hhaku
Status: 0xc0000034

File C:\WINNT\system32\drivers\uu^hhaku.sys deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP