Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware/ Hijacked? [RESOLVED]


  • This topic is locked This topic is locked

#1
NyxVI

NyxVI

    Member

  • Member
  • PipPip
  • 13 posts
Ello all,

I've cleaned my computer the best that I can... :)
I've run:
Ewido
Xoftspy
CWshredder
Trend Micro
Windows Cleanup

I also replaced my winlogon.exe file which was giving and error message after reboot. This seems fine now... However, I am still receiving many 'IE has encountered a problem and must close' error messages when attempting to visit various pages. Along with this I also noticed when trying to login into AOL mail and Ebay earlier that I am redirected to an almost convincing website replica that asks for my credit card information and pin number along with other personal information, stating that they need to verify me in their system and increase security. This is hilarious concidering the fact that both services are free and I have never provided a credit card to either of them in the past.

So... here I am. I've attached my HijackThis log. If anyone could help it would be greatly appreciated!!

_________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:36 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\PDF Suite\PDFServiceEngine.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Voodoo\voodoo.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Guards\Protectors\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFServiceEngine] C:\Program Files\PDF Suite\PDFServiceEngine.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133676649750
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.ai...AIM.9.5.1.8.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.co...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn....FreeInstall.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7887 bytes
  • 0

Advertisements


#2
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello NyxVI and Welcome to Geeks to Go!

Sorry for the delay.
We've been quite busy this week.

I need you to run some scans first.
Please stick with me until I give you the all clear. :)

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Logs required
- MBAM log
- SuperAntispyware log
- New HijackTHis log
  • 0

#3
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thank you for your reply and help KoKo Crunch!! Attached are the log files you requested.

---------------------- MBAM LOG -------------------------

Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 2

10:41:36 PM 7/1/2008
mbam-log-7-1-2008 (22-41-36).txt

Scan type: Quick Scan
Objects scanned: 40386
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service (Backdoor.Knocker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\cssrss.exe (Backdoor.Knocker) -> Delete on reboot.
C:\WINDOWS\WINLOGON.EX_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



------------------- SUPERAntiSpyware Log ---------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2008 at 11:34 PM

Application Version : 4.15.1000

Core Rules Database Version : 3495
Trace Rules Database Version: 1486

Scan type : Complete Scan
Total Scan Time : 00:34:56

Memory items scanned : 363
Memory threats detected : 0
Registry items scanned : 4864
Registry threats detected : 0
File items scanned : 83240
File threats detected : 70

Adware.Tracking Cookie
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][2].txt
C:\Documents and Settings\Apie Della\Cookies\[email protected][1].txt
C:\Documents and Settings\Apie Della\Cookies\apie [email protected][1].txt

Adware.Director
C:\PROGRAM FILES\WEBHOST\WEBHOST-V2.EXE

Adware.Spyware Labs
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP586\A0040691.EXE

Trojan.WinSoftware/WinFixer
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWFX5_0001_N63M2912NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWFX5_0001_N63M2912NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5_0001_N63M2912NETINSTALLER.EXE




------------------ New HijackThis Log (run after the other two) -------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:32 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFServiceEngine] C:\Program Files\PDF Suite\PDFServiceEngine.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133676649750
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.ai...AIM.9.5.1.8.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8362 bytes

  • 0

#4
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
I have some bad news.

One of the file identified is a Backdoor Trojan.
You may be a victim of identity theft.

  • Contact your bank and credit card company for contingency measures.
  • Do not use this system for secure transactions until we rid of the infection.
  • Using another (clean) computer, change the password of all accounts you may have accessed on this system.
    Examples of which are emails and forum accounts.

Next,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Then,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Logs required on next post.
- Sdfix log
- Vundofix log
- New HijackThis log
  • 0

#5
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thank you so much Koko! I've changed all my passwords... everywhere! Hehe. I've ran Vundo but it found nothing and I've attached the SDFix report and new Hijack Log.

Many thanks again!!

---------------- SDFix Report --------------------


SDFix: Version 1.200
Run by Apie Della on Wed 07/02/2008 at 08:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ULTRA.DLL - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 20:08:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000057
"TracesSuccessful"=dword:00000009

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Voodoo\\voodoo.exe"="C:\\Program Files\\Voodoo\\voodoo.exe:*:Enabled:Voodoo Chat Client"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Voodoo\\Copy of voodoo.exe"="C:\\Program Files\\Voodoo\\Copy of voodoo.exe:*:Enabled:Voodoo Chat Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Voodoo\\update.exe"="C:\\Program Files\\Voodoo\\update.exe:*:Enabled:update"
"E:\\BIN\\WIN32\\PLAYER.EXE"="E:\\BIN\\WIN32\\PLAYER.EXE:*:Disabled:Macromedia Projector"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1147145241\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1147145241\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1147145241\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1147145241\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1147146999\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1147146999\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1147146999\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1147146999\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1147154521\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Apie Della\\Desktop\\Ares\\Ares.exe"="C:\\Documents and Settings\\Apie Della\\Desktop\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Documents and Settings\\Apie Della\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Apie Della\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:Pando Application"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\DOCUME~1\\APIEDE~1\\LOCALS~1\\Temp\\fdCD.exe"="C:\\DOCUME~1\\APIEDE~1\\LOCALS~1\\Temp\\fdCD.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 3,555,328 A..H. --- "C:\Program Files\Movie Maker\moviemk.exe"
Wed 4 Aug 2004 167,936 A..H. --- "C:\Program Files\Movie Maker\wmm2ae.dll"
Wed 4 Aug 2004 4,096 A..H. --- "C:\Program Files\Movie Maker\wmm2eres.dll"
Wed 4 Aug 2004 7,680 A..H. --- "C:\Program Files\Movie Maker\wmm2ext.dll"
Wed 4 Aug 2004 402,432 A..H. --- "C:\Program Files\Movie Maker\wmm2filt.dll"
Wed 4 Aug 2004 502,272 A..H. --- "C:\Program Files\Movie Maker\wmm2fxa.dll"
Wed 4 Aug 2004 325,632 A..H. --- "C:\Program Files\Movie Maker\wmm2fxb.dll"
Wed 4 Aug 2004 4,256,768 A..H. --- "C:\Program Files\Movie Maker\wmm2res.dll"
Wed 4 Aug 2004 5,632 A..H. --- "C:\Program Files\Movie Maker\wmm2res2.dll"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Fri 8 Jun 2007 1,682 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Thu 15 Feb 2007 308,832 A..H. --- "C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator EX 1.0\uinstrsc.dll"
Wed 25 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 2 Jan 2007 2,668 A..H. --- "C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Plug-Ins\KPT6\MetaImage.dll"
Sun 8 Oct 2006 2,668 A..H. --- "C:\Documents and Settings\Apie Della\Desktop\0Favorites0\Plug-Ins\KPT effects\MetaImage.dll"

Finished!


------------------- New HijackThis Log --------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:00 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PDFServiceEngine] C:\Program Files\PDF Suite\PDFServiceEngine.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133676649750
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.ai...AIM.9.5.1.8.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8369 bytes

  • 0

#6
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
We need to do a deep scan.

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
  • 0

#7
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here are the results...

Thanks!

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-02 22:13:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess [0xB21FC68C]
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess [0xB21FC604]

---- Kernel code sections - GMER 1.0.14 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F872E4B2 4 Bytes [ 32, A0, 9E, FE ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F872E4BD 4 Bytes [ 36, 5F, 9E, FE ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F872E4C8 4 Bytes [ 44, A0, 9E, FE ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F872E4CF 4 Bytes [ 38, A0, 9E, FE ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F872E4D6 4 Bytes [ 3E, A0, 9E, FE ]
PAGE ...
? C:\DOCUME~1\APIEDE~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1616] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 00F12C2D
.text C:\WINDOWS\Explorer.EXE[1616] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 00F12BEA
.text C:\WINDOWS\Explorer.EXE[1616] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 00F12BAE
.text C:\WINDOWS\Explorer.EXE[1616] WS2_32.dll!send 71AB428A 5 Bytes JMP 00F12A1F
.text C:\WINDOWS\Explorer.EXE[1616] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00F12B11
.text C:\WINDOWS\Explorer.EXE[1616] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00F12A57
.text C:\WINDOWS\Explorer.EXE[1616] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00F12A8F
.text C:\WINDOWS\Explorer.EXE[1616] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00F12B93
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 024D2C2D
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 024D2BEA
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 024D2BAE
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!InternetCloseHandle 7805DA59 5 Bytes JMP 024D312E
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 024D2E69
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!InternetConnectA 7806499A 5 Bytes JMP 024D2C48
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 024D30DB
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 024D2FA9
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] WININET.dll!HttpSendRequestW 78080825 5 Bytes JMP 024D3A64
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] CRYPT32.dll!CertGetCertificateChain 77A91243 5 Bytes JMP 024D360E
.text C:\Program Files\Internet Explorer\iexplore.exe[2664] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A99A4C 5 Bytes JMP 024D3617

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1147154521\ee\AOLSoftware.exe[1948] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Cdrom \Device\CdRom0 FE9EA032
Device \Driver\Cdrom \Device\CdRom1 FE9EA032
Device \Driver\Disk \Device\Harddisk0\DR0 FE9EA032
Device \FileSystem\Fastfat \Fat AFBAEC8A
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.14 ----

Thread 4:1760 FEA1CCF0
Thread 4:1764 FEA09DF0
Thread 4:1768 FEA53260
Thread 4:1772 FE9F5E70
Thread 4:1488 FEA1CCF0
Thread 4:2052 FEA09DF0
Thread 4:2056 FEA53260
Thread 4:2060 FE9F5E70

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x94fe9bd size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----
  • 0

#8
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
It's confirmed. You have MBR rootkit on your system.

Download GMER's MBR.exe to your desktop from the following link:

Double click on the MBR.exe file to run it. A log will be produced, MBR.log. Please open this log in Notepad and post its contents in your next reply.
  • 0

#9
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x94fe9bd size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
  • 0

#10
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Click on Start >> Run >> Copy/Paste text in codebox below then press enter.

"%USERPROFILE%\Desktop\mbr.exe -f"

  • 0

Advertisements


#11
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
It says Windows cannot find ..... click to browse for the file.
  • 0

#12
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Where did you save MBR.exe again?

Try this

Click on Start >> Run >> Copy/Paste text in codebox below then press enter.

"%USERPROFILE%\Desktop\mbr.exe" -f

Just follow the prompts if any.
  • 0

#13
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
On my desktop. That one worked it opened a Run MBR.exe program window. However, when I clicked run the window disappeared and there were no prompts after that. Should I do it a different way?
  • 0

#14
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Reboot your computer.

Then

Double click on the MBR.exe file to run it. A log will be produced, MBR.log. Please open this log in Notepad and post its contents in your next reply.
  • 0

#15
NyxVI

NyxVI

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here is the new one. Thanks!

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP