Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Haxdoor.hm (trojan) [RESOLVED]


  • This topic is locked This topic is locked

#46
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Can you run it again?
  • 0

Advertisements


#47
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
This may be the log you were looking for. I looked under the folder and this is what I found, but it wasn't under the name I thought it would be though. One did not pop up after the reboot, just as last time. I hope this is the proper log then...

[Driver Services - Non-Microsoft Only]
Service MEMSWEEP2 stopped successfully.
Service MEMSWEEP2 deleted successfully.
File C:\WINDOWS\system32\731.tmp not found.
[Registry - Non-Microsoft Only]
C:\AUTOEXEC.BAT moved successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\advertising.com\www.bannerfarm.ace not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\objects_aol.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\revsci.net\www not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websidestory.com\www not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com\us.f834.mail not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D554D8FC-B36D-4BB4-93DB-4A3394D505E3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D554D8FC-B36D-4BB4-93DB-4A3394D505E3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload &with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload all video with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload all with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with Star Downloader\ deleted successfully.
Starting removal of ActiveX control {639658F3-B141-4D6B-B936-226F75A5EAC3}
C:\WINDOWS\Downloaded Program Files\DinerDash2.1.0.0.67.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{639658F3-B141-4D6B-B936-226F75A5EAC3}\ deleted successfully.
Starting removal of ActiveX control {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll not found.
[Files/Folders - Created Within 60 days]
C:\spywareblastersetup41.exe moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\Kelly\Desktop\Regfix.zip:Zone.Identifier deleted successfully.
C:\Documents and Settings\Kelly\Desktop\Sophos Anti-Rootkit.lnk moved successfully.
C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\System32\zllictbl.dat moved successfully.
C:\WINDOWS\System32\ZoneLabs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat moved successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0AA21473 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2C321309 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3EA7510F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:82ED8454 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:96FAC731 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E1C306C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A98B12D4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CBCF563D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
Unable to delete ADS C:\Documents and Settings\Kelly\Desktop\Regfix.zip:Zone.Identifier .
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08072008_164042

Files moved on Reboot...
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl moved successfully.

Edited by kelkay, 08 August 2008 - 08:40 AM.

  • 0

#48
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following

@ECHO off
If exist "looksee.txt" del looksee.txt
type "E:\autorun.inf"> looksee.txt
start notepad looksee.txt
del %0


In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.

Posted Image

Double click on fix.bat. Looksee.txt will appear - please post the contents of that file.

Also, could you re-run OTScanIt the way I had you do it previously? Attach the file in your next post please :)

Edited by Mike, 08 August 2008 - 11:13 AM.
Typo

  • 0

#49
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Also, could you re-run OTScanIt the way I had you do it previously? I did that again this morning Mike. The log I posted was a newer one I think. It was not a OTScanit.txt but a file I found in the folder that was a log. No log came up at all after the reboot, just as it did not do it yesterday. I have no idea why it did not work. I will redo it as you requested though. First I will do the first step you mentioned.

Step 1
[autorun]
open=Start.exe
icon=SIMSCD.ICO

Edited by kelkay, 08 August 2008 - 11:38 AM.

  • 0

#50
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
When I went to the OTScanIt folder I found this. I had rerun the program, but not a pop up log came out. I am doing a search for any other OTScanit.txt now. I will attach the one from yesterday.
Update: A search under OTScanit.txt revealed only the one log. It did not show one from today, and I ran this twice today. Another odd thing is Sophos Anti-Rootkit disappeared off of my desktop. I redownloaded it, and ran it, it showed no rootkits. Still I thought that strange.

Attached Files


Edited by kelkay, 08 August 2008 - 11:57 AM.

  • 0

#51
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
No you posted the proper log :)

I wanted a new log, like the first one by doing this http://www.geekstogo...48#entry1302048
  • 0

#52
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Oh, you wanted another scan. I thought you wanted me to rerun the fix to get a log...ok, I will do that now.

Here is the txt file attached.

Attached Files


Edited by kelkay, 08 August 2008 - 12:07 PM.

  • 0

#53
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Do you have something related to the SIMS game in your E:\ Drive? Maybe the CD itself lol?


Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Registry - Non-Microsoft Only]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#54
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
[Registry - Non-Microsoft Only]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08082008_134922
  • 0

#55
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Do you have something related to the SIMS game in your E:\ Drive? Maybe the CD itself lol?


could you answer that for me? Also how is your PC Running - your logs look good to me.
  • 0

Advertisements


#56
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Why yes, I sure do. I didn't realize it was in there, it is one of my kid's games. The computer seems to be running fine. The internet speed is slower than normal. I usually get 5.100 mbps on the throughput download...and 6.580 kbps on the upload. It is reading close to 4.8 on the download. Other than that, it seems about normal. :)

Edited by kelkay, 09 August 2008 - 12:02 AM.

  • 0

#57
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Glad to hear it, your logs look clean to me :)

Internet speed change now and then.

Click START then RUN
Now type Combofix /u in the runbox and click OK
Posted Image
Notice the space between the x and / -- That needs to be there.

&

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.



Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Run your PC for a day or two and tell me if everything is fine :)
  • 0

#58
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Mike, I cannot thank you enough. You have been wonderful. I am so thrilled that my computer is clean. I will read what you said about preventing these awful malware and trojans etc... I am just so happy. THANK YOU!!! :)
  • 0

#59
kelkay

kelkay

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 423 posts
Mike, I had visited the IE Spyad thing before. This is what scared me.
>>>Known Issue (all versions) -If you have by chance "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...>>>
I am afraid I am gonna mess up. I already have Spyware Blaster, I have used it for a few months now.

As far as Secunia I found it recently and started using it. I did all the updates except I had trouble with a couple. I emailed them about this, but got no response. Macromedia Flash shows it needs updating. When I try to update it, it sends me to Adobe Flash Player. I have updated that. Adobe bought out Macromedia Flash Player. I looked under search, all programs, but could not find it, obviously it is still there because Secunia sees it.

I have most of the stuff you mentioned. I am going over the list. As far as programs, I get most of my free stuff from Major Geeks.

Edited by kelkay, 09 August 2008 - 09:14 AM.

  • 0

#60
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
reply to PM:

Cracks refer to illegal/hacked software - if you don't download it that's great.

I cannot tell you exactly where you got infected, my prevention speech is 'generic' so to say - I give it to everyone, and tailor it slightly to fit each users needs.
It is meant to give you a little heads up regarding what you need to watch out for and some free and simple ways to stay a bit safer.

You don't need to use ZonedOut since you are using FireFox.

Hope that's everything :)

Please post any questions in the thread rather than PMing me.

Regards,

Mike


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP