Haxdoor.hm (trojan) [RESOLVED]
#46
Posted 08 August 2008 - 03:52 AM
#47
Posted 08 August 2008 - 08:39 AM
[Driver Services - Non-Microsoft Only]
Service MEMSWEEP2 stopped successfully.
Service MEMSWEEP2 deleted successfully.
File C:\WINDOWS\system32\731.tmp not found.
[Registry - Non-Microsoft Only]
C:\AUTOEXEC.BAT moved successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\advertising.com\www.bannerfarm.ace not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\objects_aol.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\revsci.net\www not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websidestory.com\www not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com\us.f834.mail not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D554D8FC-B36D-4BB4-93DB-4A3394D505E3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D554D8FC-B36D-4BB4-93DB-4A3394D505E3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2D4D26B-0180-43a4-B05F-462D6D54C789}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload &with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload all video with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&D&ownload all with BitComet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with Star Downloader\ deleted successfully.
Starting removal of ActiveX control {639658F3-B141-4D6B-B936-226F75A5EAC3}
C:\WINDOWS\Downloaded Program Files\DinerDash2.1.0.0.67.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{639658F3-B141-4D6B-B936-226F75A5EAC3}\ deleted successfully.
Starting removal of ActiveX control {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DinerDash2.1.0.0.67.dll not found.
[Files/Folders - Created Within 60 days]
C:\spywareblastersetup41.exe moved successfully.
[Files Created - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\Kelly\Desktop\Regfix.zip:Zone.Identifier deleted successfully.
C:\Documents and Settings\Kelly\Desktop\Sophos Anti-Rootkit.lnk moved successfully.
C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\System32\zllictbl.dat moved successfully.
C:\WINDOWS\System32\ZoneLabs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat moved successfully.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0AA21473 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2C321309 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3EA7510F deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:82ED8454 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:96FAC731 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E1C306C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A98B12D4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CBCF563D deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
Unable to delete ADS C:\Documents and Settings\Kelly\Desktop\Regfix.zip:Zone.Identifier .
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08072008_164042
Files moved on Reboot...
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl moved successfully.
Edited by kelkay, 08 August 2008 - 08:40 AM.
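A practitioner reading a fix log like the one above wants to know which deferred actions actually happened. As an added example (not part of the thread and not OTScanIt's own code), the Python below reads a log in that format, collects every "scheduled to be ... on reboot" item from the first pass, and reconciles it against the "Files moved on Reboot..." section. In the log above, E:\autorun.inf and the LocalService index.dat files fail a second time in the reboot pass while the Firefox cache files succeed; a file that cannot be moved even at reboot deserves a second look, and a read-only medium such as a CD in E:\ behaves exactly this way. The sample log inside the script is a constructed, abridged excerpt of the one posted above, and the regular expressions assume the exact phrasings shown there.

```python
import re
from typing import Dict, List

# Constructed sample input in the format of the OTScanIt fix log posted above
# (abridged to a few representative lines; not the complete log from the thread).
SAMPLE_LOG = r"""
[Driver Services - Non-Microsoft Only]
Service MEMSWEEP2 deleted successfully.
File C:\WINDOWS\system32\731.tmp not found.
[Registry - Non-Microsoft Only]
C:\AUTOEXEC.BAT moved successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl scheduled to be deleted on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08072008_164042
Files moved on Reboot...
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Kelly\Local Settings\Application Data\Mozilla\Firefox\Profiles\bfi975b0.default\XUL.mfl moved successfully.
"""

# Phrasings taken from the log above; any other line is ignored.
DEFERRED_RE = re.compile(
    r"^File (?:move|delete) failed\. (?P<path>.+) scheduled to be (?:moved|deleted) on reboot\.$"
)
MOVED_RE = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
REBOOT_MARKER = "Files moved on Reboot..."


def reconcile(log_text: str) -> Dict[str, List[str]]:
    """Pair every action deferred to reboot with its outcome in the reboot pass.

    Returns {"completed": [...], "unresolved": [...]} in log order. A path counts
    as completed only if the reboot section reports it moved successfully; a log
    with no reboot section leaves every deferred item unresolved.
    """
    before, _, after = log_text.partition(REBOOT_MARKER)

    deferred: List[str] = []
    for line in before.splitlines():
        m = DEFERRED_RE.match(line.strip())
        if m and m.group("path") not in deferred:
            deferred.append(m.group("path"))

    # Windows paths are case-insensitive, so compare lower-cased.
    moved_after_reboot = set()
    for line in after.splitlines():
        m = MOVED_RE.match(line.strip())
        if m:
            moved_after_reboot.add(m.group("path").lower())

    report: Dict[str, List[str]] = {"completed": [], "unresolved": []}
    for path in deferred:
        key = "completed" if path.lower() in moved_after_reboot else "unresolved"
        report[key].append(path)
    return report


if __name__ == "__main__":
    for status, paths in reconcile(SAMPLE_LOG).items():
        for p in paths:
            print(f"{status}: {p}")
```

The same log also records "C:\Documents and Settings\Kelly\Desktop\Sophos Anti-Rootkit.lnk moved successfully." under the 60-day file scan, which is why the shortcut later vanishes from the desktop: the fix moved it, not the infection.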
#48
Posted 08 August 2008 - 11:12 AM
Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following
@ECHO off
REM Remove any output left over from a previous run
If exist "looksee.txt" del looksee.txt
REM Dump the contents of the autorun file on E:\ into a text file
type "E:\autorun.inf"> looksee.txt
REM Open the dump in Notepad, then delete this batch file itself
start notepad looksee.txt
del %0
In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.
Double click on fix.bat. Looksee.txt will appear - please post the contents of that file.
Also, could you re-run OTScanIt the way I had you do it previously? Attach the file in your next post please
Edited by Mike, 08 August 2008 - 11:13 AM.
Typo
#49
Posted 08 August 2008 - 11:36 AM
Step 1
[autorun]
open=Start.exe
icon=SIMSCD.ICO
Edited by kelkay, 08 August 2008 - 11:38 AM.
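The file above is a plain CD launcher: open= names the program run when the disc is inserted and icon= the icon shown for the drive. As an added example, not part of the thread, the Python below parses an autorun.inf, extracts every key that can make Windows run something (open, shellexecute and shell\<verb>\command) and checks each launch target against a listing of the volume root supplied by the caller, the check a responder wants before answering "what is in E:\". The root listing is constructed; the first sample is the autorun.inf posted above and the second is a constructed, hypothetical one that wires a single executable in a subfolder to every launch key at once, so that it is reported rather than silently accepted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the autorun.inf contents posted above (a game CD launcher).
BENIGN_AUTORUN = """\
[autorun]
open=Start.exe
icon=SIMSCD.ICO
"""

# Constructed, hypothetical sample (not from the thread): one executable in a
# subfolder wired to every autorun key that can launch it.
SUBFOLDER_AUTORUN = """\
[AutoRun]
; keys are case-insensitive and ';' starts a comment
OPEN=RECYCLER\\S-1-5-21-1\\setup.exe
shellexecute=RECYCLER\\S-1-5-21-1\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1\\setup.exe
shell=open
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
DIRECT_EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    pairs: List[Tuple[str, str]] = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group("name").strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launch_commands(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the keys that run something: open=, shellexecute= and
    shell\\<verb>\\command=. Plain shell= only picks the default verb."""
    return [
        (k, v) for k, v in pairs
        if k in DIRECT_EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


def executable_of(command: str) -> str:
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(text: str, volume_root_listing: List[str]) -> Dict[str, List[str]]:
    """Classify each launch target against the names found at the volume root."""
    listing = {name.lower() for name in volume_root_listing}
    report: Dict[str, List[str]] = {"present_at_root": [], "subfolder_target": [], "missing": []}
    for key, cmd in launch_commands(parse_autorun(text)):
        exe = executable_of(cmd)
        entry = f"{key}={exe}"
        if "\\" in exe or "/" in exe:
            report["subfolder_target"].append(entry)
        elif exe.lower() in listing:
            report["present_at_root"].append(entry)
        else:
            report["missing"].append(entry)
    return report


if __name__ == "__main__":
    # Constructed root listing for the game CD; Start.exe is where open= says it is.
    print(assess(BENIGN_AUTORUN, ["autorun.inf", "Start.exe", "SIMSCD.ICO"]))
    print(assess(SUBFOLDER_AUTORUN, ["autorun.inf", "RECYCLER"]))
```

A target that is missing from the root, or that lives in a subfolder, is not proof of anything by itself; it tells you which file to pull off the volume and examine next.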
#50
Posted 08 August 2008 - 11:51 AM
Update: A search under OTScanit.txt revealed only the one log. It did not show one from today, and I ran this twice today. Another odd thing is Sophos Anti-Rootkit disappeared off of my desktop. I redownloaded it, and ran it, it showed no rootkits. Still I thought that strange.
Attached Files
Edited by kelkay, 08 August 2008 - 11:57 AM.
#51
Posted 08 August 2008 - 11:52 AM
I wanted a new log, like the first one by doing this http://www.geekstogo...48#entry1302048
#52
Posted 08 August 2008 - 11:59 AM
Here is the txt file attached.
Attached Files
Edited by kelkay, 08 August 2008 - 12:07 PM.
#53
Posted 08 August 2008 - 12:43 PM
Do you have something related to the SIMS game in your E:\ Drive? Maybe the CD itself lol?
Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Registry - Non-Microsoft Only]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
#54
Posted 08 August 2008 - 12:52 PM
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08082008_134922
#55
Posted 08 August 2008 - 01:48 PM
Do you have something related to the SIMS game in your E:\ Drive? Maybe the CD itself lol?
Could you answer that for me? Also, how is your PC running? Your logs look good to me.
#56
Posted 08 August 2008 - 08:08 PM
Edited by kelkay, 09 August 2008 - 12:02 AM.
#57
Posted 09 August 2008 - 02:37 AM
Internet speed changes now and then.
Click START then RUN
Now type Combofix /u in the runbox and click OK
Notice the space between the x and / -- That needs to be there.
&
Now please download OTCleanIt.
- Save it to your desktop.
- Double Click on OTCleanIt.exe, a window will appear.
- Please press the CleanUp! Button.
Now that you are clean, you'll want to stay that way.
Some important things that you should keep in mind in order to protect yourself:
- Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
Things you can do to avoid downloading bad programs:
- Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there is more than likely none.
- Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
- Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
- Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
- Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector.
- Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
- Make sure that Windows Update is enabled. Keeping your system up to date is a must; to turn on automatic updates take a look at this article by Microsoft.
- SpywareBlaster Take a look at the tutorial here.
- ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.
Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place
Run your PC for a day or two and tell me if everything is fine
#58
Posted 09 August 2008 - 08:19 AM
#59
Posted 09 August 2008 - 09:14 AM
>>>Known Issue (all versions) - If you have by chance "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's immunization the problem goes away...>>>
I am afraid I am gonna mess up. I already have Spyware Blaster, I have used it for a few months now.
As far as Secunia I found it recently and started using it. I did all the updates except I had trouble with a couple. I emailed them about this, but got no response. Macromedia Flash shows it needs updating. When I try to update it, it sends me to Adobe Flash Player. I have updated that. Adobe bought out Macromedia Flash Player. I looked under search, all programs, but could not find it, obviously it is still there because Secunia sees it.
I have most of the stuff you mentioned. I am going over the list. As far as programs, I get most of my free stuff from Major Geeks.
Edited by kelkay, 09 August 2008 - 09:14 AM.
#60
Posted 09 August 2008 - 09:36 AM
Cracks refer to illegal/hacked software - if you don't download it that's great.
I cannot tell you exactly where you got infected, my prevention speech is 'generic' so to say - I give it to everyone, and tailor it slightly to fit each users needs.
It is meant to give you a little heads up regarding what you need to watch out for and some free and simple ways to stay a bit safer.
You don't need to use ZonedOut since you are using FireFox.
Hope that's everything
Please post any questions in the thread rather than PMing me.
Regards,
Mike