Danger: Spyware Red/Black Desktop


  • This topic is locked This topic is locked

#1 ericm
New Member, 2 posts

Laptop/ Win XP Home/ IE Ver: 6.0.2800.1106.xpsp2.030422-1633

Ran Ad-Aware / SpyBot / HijackThis and Panda.

Here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 8:37:04 AM, on 4/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

****************************************************************************************************************************************

INTERMUTE System Report



**** Run Keys ****

RUN: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe


**** Browser Helper Objects ****



**** IE Toolbars ****



**** IE Extensions ****



**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page: http://www.google.com/
Default Search: http://www.google.com/
Local Page: http://www.google.com/
Search Page:


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD ATM AAL5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B3E3448-46E3-40F3-AC9F-12423601C3EC}] SEQPACKET 11
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B3E3448-46E3-40F3-AC9F-12423601C3EC}] DATAGRAM 11
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A60C787B-864B-4CC5-BB25-76965D120342}] SEQPACKET 10
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A60C787B-864B-4CC5-BB25-76965D120342}] DATAGRAM 10
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9B2BFDF9-6B1A-4E3D-A69B-36CDF0C75812}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9B2BFDF9-6B1A-4E3D-A69B-36CDF0C75812}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5F1E012-8BC5-4CD9-8D19-9623AA212C8A}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5F1E012-8BC5-4CD9-8D19-9623AA212C8A}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80CDA74E-64D6-4979-8DBC-3958D12DE9D7}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80CDA74E-64D6-4979-8DBC-3958D12DE9D7}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6D8DF07-A376-412B-AFE3-DCBD8EE8AC29}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6D8DF07-A376-412B-AFE3-DCBD8EE8AC29}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58C3B76B-F0B8-4F8C-8C62-8813081600FF}] SEQPACKET 9
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{58C3B76B-F0B8-4F8C-8C62-8813081600FF}] DATAGRAM 9
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6310D870-05F2-4F57-86F2-69838E93589F}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6310D870-05F2-4F57-86F2-69838E93589F}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{349E0C2B-D186-4D1B-B8ED-C19961BC2706}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{349E0C2B-D186-4D1B-B8ED-C19961BC2706}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{83B92734-BBE3-4313-A4E6-BC201D0A2ABD}] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{83B92734-BBE3-4313-A4E6-BC201D0A2ABD}] DATAGRAM 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D75043EC-03C1-406D-99CE-45D36DB56111}] SEQPACKET 8
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D75043EC-03C1-406D-99CE-45D36DB56111}] DATAGRAM 8


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No


**** Downloaded Program Files ****



**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Ati HotKey Poller] %SystemRoot%\System32\Ati2evxx.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[CA_LIC_CLNT] C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
[CA_LIC_SRVR] C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccProxy] "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[Ip6FwHlp] %SystemRoot%\System32\svchost.exe -k netsvcs
[ISSVC] C:\Program Files\Norton Personal Firewall\ISSVC.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[LogWatch] C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
[LPDSVC] %SystemRoot%\System32\tcpsvcs.exe
[MDM] "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SNDSrvc] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[SNMP] %SystemRoot%\System32\snmp.exe
[SNMPTRAP] %SystemRoot%\System32\snmptrap.exe
[SPBBCSvc] C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{31C470A8-D205-4842-AC2A-CD97FEB974AF}
[Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
[SymWSC] C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn...st/srchcust.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] http://www.google.com/
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.google.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [SmoothScroll]
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [AddToFavoritesExpanded]
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [HistoryViewType]
IEOPT: [HistoryTopNSitesView]
IEOPT: [AutoSearch]

***(WHAT IS THIS???)**
IEOPT: [Toolbars_Placement] cAawyw_)

IEOPT: [Use Search Asst] no
IEOPT: [Search Page]
IEOPT: [CheckDocumentForProgID] yes
IEOPT: [ShowGoButton] yes
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Use FormSuggest] yes
IEOPT: [FormSuggest Passwords] yes
IEOPT: [Use Custom Search URL]
IEOPT: [Disable Script Debugger] no
IEOPT: [AllowWindowReuse]
IEOPT: [Default_Page_Url] http://www.google.com/
IEOPT: [Default_Search_Url] http://www.google.com/
IEOPT: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
IEOPT: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
IEOPT: [Default_Search_URL] http://www.google.com/
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] http://www.google.com/
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.google.com/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Use Search Asst] no
IEOPT: [Search Page] http://www.google.com
IEOPT: [Search Bar]
IEOPT: [IEWatsonDisabled]
IEOPT: [IEWatsonEnabled]
IEOPT: [Default_Page_URL] http://www.google.com/
#2 ericm
Topic Starter, New Member, 2 posts

Here is my Panda Scan Report as well if it helps.


Incident Status Location

Spyware:Spyware/Searchcentrix No disinfected C:\Program Files\dynamic toolbar
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Auk.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Bdj.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Flp.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Hvh.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Pid.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Qan.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Qgj.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Anu.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Des.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Egf.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Fgt.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Lek.exe
Virus:Trj/Downloader.HK Disinfected C:\WINDOWS\system32\msbar.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Nav.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Ote.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Pls.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Qfc.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Qkd.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Sfn.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Sic.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Sug.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Tdd.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\system32\Vtq.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Unc.exe
Spyware:Spyware/Slimield No disinfected C:\WINDOWS\Vqg.exe
#3 Crustyoldbloke
Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,130 posts

Hello and welcome to GTG

Please accept my apologies for the late reply.

If you're still looking to resolve this issue, please run through the steps outlined in this Topic.

If that doesn't cure your problem, please post back a fresh HijackThis log when done.

If, however, you have resolved this issue please let us know.

Thank you for your co-operation and once again apologies for the late reply.

"Edit,
As there has been no reply from the original poster this topic is now closed.
Should you have any further problems please create a new Topic.

Thanks"

Edited by Crustyoldbloke, 29 April 2005 - 03:49 AM.