Geeks to Go forum

hijackthis log

#1 jahred (Member, 15 posts)
Hi all.

I can't get rid of tellcom.exe/tellecom.exe. I've run (in both normal and safe modes) updated versions of Cleanup, CCleaner, SpywareBlaster, Ad-Aware, Spybot, Ewido, and various online scans, and even when everything appears clean (according to HijackThis) tellcom.exe or tellecom.exe _always_ comes back after connecting to the internet. I've tried to manually delete them, manually delete the associated registry keys, Killbox the files on reboot, etc., but nothing has worked yet.

I've currently upgraded XP as far as possible; the next update is SP2. I tried to install SP2 after thinking my problems were gone, but sure enough they popped up again mid-install.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:12 PM, on 10/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\tellecom.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Owner\My Documents\security\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123677769921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Any help at all would be wonderful. Thanks in advance. ;)

#2 Wizard (Retired Staff, 5,661 posts)
Hi jahred and Welcome to GeekstoGo!

Please upload those 2 files here
http://www.thespykil...forum/index.php

C:\WINDOWS\System32\tellecom.exe

tellcom.exe

Make sure to leave a link to this post and put "For Crete" in the message box!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

Double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient!

The log(WinPFind.txt) will be automatically produced in the WinPFind Folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!


Click Apply >> Close >> follow the prompts to restart!

Once completed, restart normally and have the PC scanned here
http://support.f-sec.../home/ols.shtml

Save the Report it generates!

Post back with a fresh HijackThis log and the logs from WinPFind and F-Secure!

#3 jahred (Topic Starter, Member, 15 posts)
Thanks for taking the time to help, Crete.

After following your instructions:

--

Logfile of HijackThis v1.99.1
Scan saved at 10:26:53 PM, on 11/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\tellecom.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Documents and Settings\Owner\Desktop\security\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Spy Cleaner] C:\PROGRA~1\SPYCLE~2\SpyCleaner.exe
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123677769921
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\LPT$VPN.769
qoologic 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\LPT$VPN.769
SAHAgent 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\LPT$VPN.769
UPX! 10/08/2005 5:33:08 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\VPTNFILE.769
qoologic 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\VPTNFILE.769
SAHAgent 10/08/2005 5:33:04 PM 15603971 C:\WINDOWS\VPTNFILE.769
UPX! 10/08/2005 5:33:06 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/08/2005 5:33:06 PM 1044560 C:\WINDOWS\vsapi32.dll
UPX! 06/12/2003 6:17:32 PM 13824 C:\WINDOWS\_g6uninst.exe

Checking %System% folder...
aspack 18/03/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 29/08/2002 9:30:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 07/10/2001 10:50:44 AM 168960 C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX! 24/11/2001 2:58:14 PM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
PTech 03/08/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 04/08/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2005 10:01:54 AM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 22/08/2001 9:30:00 PM 86030 C:\WINDOWS\SYSTEM32\msdjgk.dll
UPX! 22/08/2001 9:30:00 PM 170496 C:\WINDOWS\SYSTEM32\msiaih.dll
Umonitor 29/08/2002 9:30:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 29/08/2002 9:30:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
02/08/2005 1:06:58 PM 54156 C:\WINDOWS\QTFont.qfn
04/08/2005 1:18:50 PM 10240 C:\WINDOWS\Thumbs.db
10/08/2005 10:13:22 AM 0 C:\WINDOWS\inf\oem54.inf
04/08/2005 1:18:48 PM 7168 C:\WINDOWS\ShellNew\Thumbs.db
10/08/2005 11:10:10 AM 0 C:\WINDOWS\system32\.exe
05/08/2005 7:46:44 PM 10022 C:\WINDOWS\system32\KGyGaAvL.sys
04/08/2005 1:18:50 PM 9216 C:\WINDOWS\system32\Thumbs.db
11/08/2005 9:42:14 PM 8192 C:\WINDOWS\system32\config\default.LOG
11/08/2005 9:42:42 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
11/08/2005 9:42:28 PM 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/08/2005 9:43:40 PM 114688 C:\WINDOWS\system32\config\software.LOG
11/08/2005 9:42:26 PM 995328 C:\WINDOWS\system32\config\system.LOG
10/08/2005 11:37:00 AM 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/08/2005 5:00:10 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/08/2005 5:00:10 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D6JQW8N\desktop.ini
11/08/2005 5:00:10 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O1Y3OD6V\desktop.ini
11/08/2005 5:00:10 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QKSBO6C6\desktop.ini
11/08/2005 5:00:10 PM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SOP741U4\desktop.ini
11/08/2005 9:40:50 PM 6 C:\WINDOWS\Tasks\SA.DAT
04/08/2005 1:18:50 PM 9728 C:\WINDOWS\Web\Thumbs.db

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
10/10/2004 9:28:54 AM 63800 C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
26/09/2003 3:46:40 AM 12358 C:\Documents and Settings\Owner\Application Data\PFP100JCM.{PB
26/09/2003 3:46:40 AM 61678 C:\Documents and Settings\Owner\Application Data\PFP100JPR.{PB
17/05/2004 8:49:48 AM 150230 C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
Outpost Firewall C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
Microsoft Telecom Center tellecom.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Microsoft Telecom Center tellecom.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/08/2005 9:53:19 PM

--

F-Prot:


Finished: 1 virus found

Scanned files: 91451 Warning: 1 file(s) still infected!

C:\WINDOWS\system32\tellecom.exe Backdoor.Win32.Rbot.gen

--

It should be noted that there are definitely more suspicious files floating around. I've ceased trying to fight the reappearance of tellecom.exe, and as such some other problematic files I've seen before are coming back: 'rasautou.exe', 'ntdetect.exe', and so forth.

#4 Wizard (Retired Staff, 5,661 posts)
OK, you said you have Pocket Killbox, and I see Ewido!

Get Ewido updated.

Download and run the TVMedia Removal tool:
http://www.majorgeek...wnload4368.html

Go to Add/Remove Programs and remove these if they exist:

TVMedia
ZSearch
Lycos
IGetNet
SpyKiller
SpyCleaner.exe
POPUPWATCH
<< BulletProofSoft.com\SpywareRemover\popup-watch

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!!
Exit Program!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Copy and paste each entry below into Killbox and use the instructions that follow!


C:\WINDOWS\QTFont.qfn
C:\WINDOWS\_g6uninst.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\System32\tellcom.exe
C:\WINDOWS\System32\tellecom.exe
C:\WINDOWS\SYSTEM32\msdjgk.dll
C:\WINDOWS\SYSTEM32\msiaih.dll
C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
C:\Program Files\BulletProofSoft.com
C:\Program Files\Lycos
C:\Program Files\SpyKiller
C:\Program Files\SpyCleaner
C:\Program Files\TV Media
C:\Program Files\zSearch


As you paste each into Killbox, place a tick by any of these selections that are available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete!

Scan the system with Ewido, clean all it finds, and be sure to click the tab to save a report!

Restart normally and have the PC scanned here
http://www.kaspersky...oduct=161744315

If the option to delete any positive identifications is available, choose that; otherwise make some kind of record or log of what the scanner found and post it here!

Post back with a fresh HijackThis log and the results from Ewido and Kaspersky!
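The three "Microsoft Telecom Center" values in jahred's first log (post #1) and the registry side of Wizard's cleanup (post #4) are the same problem seen from two ends: one binary registered in HKLM\Run, HKLM\RunServices and HKCU\Run with no path at all. The script below is an added example written for this thread; it is not HijackThis's own fix logic and not code from any post. SAMPLE_LOG is copied from the first log above; the flagging rules (bare filename, same binary in three or more autostart keys, use of the Windows 9x/Me RunServices key, Microsoft-sounding value name with no Microsoft path) are my own heuristics, and the .reg output uses the standard Registry Editor 5.00 `"name"=-` syntax for deleting a value.

```python
"""Triage the O4 (registry autostart) lines of a HijackThis log and emit a
.reg file that deletes the flagged values.

Added example for this thread: it is not HijackThis's own fix logic and
not code from any post. SAMPLE_LOG is copied from the first log above;
the scoring rules are my own heuristics."""
import re
import ntpath

# Shape of an O4 registry line:  O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_ROOT = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# Copied from the first HijackThis log in this thread (O2 line included to
# show that non-O4 lines are ignored).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
"""

def parse_o4(log_text):
    """Return one dict per O4 registry entry (Global Startup lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def exe_of(cmd):
    """Executable part of a Run command line, quoted or not.
    An unquoted path containing spaces is ambiguous (CreateProcess has the
    same problem); this takes the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def triage(entries):
    """Return [(entry, [reasons])] for entries that deserve a closer look."""
    keys_per_binary = {}
    for e in entries:
        base = ntpath.basename(exe_of(e["cmd"])).lower()
        keys_per_binary.setdefault(base, set()).add(e["hive"] + "\\" + e["key"])
    flagged = []
    for e in entries:
        exe = exe_of(e["cmd"])
        base = ntpath.basename(exe).lower()
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename, no path: resolved through the system "
                           "directories and PATH, not pinned to a product folder")
        if len(keys_per_binary[base]) >= 3:
            reasons.append("same binary registered in %d autostart keys"
                           % len(keys_per_binary[base]))
        if e["key"] == "RunServices":
            reasons.append("RunServices is a Windows 9x/Me key; XP software rarely uses it")
        if "microsoft" in e["name"].lower() and "\\" not in exe:
            reasons.append("Microsoft-sounding value name without a Microsoft install path")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def removal_reg(flagged):
    """Registry Editor 5.00 text that deletes each flagged value ("name"=-)."""
    by_key = {}
    for e, _ in flagged:
        key = "[%s\\%s\\%s]" % (HIVES[e["hive"]], RUN_ROOT, e["key"])
        by_key.setdefault(key, []).append(e["name"])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(key)
        for n in names:
            # .reg value names are quoted strings; escape backslash and quote
            lines.append('"%s"=-' % n.replace("\\", "\\\\").replace('"', '\\"'))
        lines.append("")
    return "\r\n".join(lines)

if __name__ == "__main__":
    flagged = triage(parse_o4(SAMPLE_LOG))
    for e, reasons in flagged:
        print("%s\\%s [%s] %s" % (e["hive"], e["key"], e["name"], e["cmd"]))
        for r in reasons:
            print("   - " + r)
    print(removal_reg(flagged))
```

Read the flagged list before importing the .reg file: the rules are coarse and would flag a legitimate value written the same careless way. Importing it removes only the autostart values, which is the part of Wizard's procedure that Killbox does not cover; it does nothing about whatever keeps putting tellecom.exe back after the machine goes online, which is exactly the behaviour jahred reports and the reason the helper keeps asking for further scans.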

#5 jahred (Topic Starter, Member, 15 posts)
Whoo, OK, here we go. I had to use the 'kill on reboot' option to get rid of the '.exe' file; otherwise the computer would halt and a blue warning screen would come up. Ewido found only tellecom.exe in safe mode and cleaned it. Kaspersky found a lot of things. tellecom.exe is back again as well.

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:04:39 PM, 12/08/2005
+ Report-Checksum: 1554095D

+ Scan result:

C:\!Submit\tellecom.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

--

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 12, 2005 13:51:17
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/08/2005
Kaspersky Anti-Virus database records: 134862
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93982
Number of viruses found: 5
Number of infected objects: 43
Number of suspicious objects: 22
Duration of the scan process: 5661 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip/ieux32.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller1.zip/appnm32.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller1.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller3.zip/winlg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller4.zip/sdkyu.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller4.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller5.zip/msca32.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller5.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller6.zip/d3oi32.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller6.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller7.zip/crlr32.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller7.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller8.zip/mfcog.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller8.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller9.zip/appuy.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchFeatInstaller9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy9.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez.zip/winky.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/22 Oct 2004 00:13 from johnpayne:gutted/creme_de_gruyere.zip/creme_de_gruyere.jpg .scr Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/22 Oct 2004 00:13 from johnpayne:gutted/creme_de_gruyere.zip Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/31 Oct 2004 23:14 from Mary Lu McConnell:Hi/desktop.zip/desktop.txt .scr Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/31 Oct 2004 23:14 from Mary Lu McConnell:Hi/desktop.zip Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/12 Nov 2004 20:21 from euroslat:I'm in love/desktop.zip/desktop.txt .scr Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/12 Nov 2004 20:21 from euroslat:I'm in love/desktop.zip Infected: Email-Worm.Win32.Mabutu.a
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst Infected: Email-Worm.Win32.Mabutu.a
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0138976.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0138976.exe Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139012.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139013.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139013.exe Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139043.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139043.exe Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139044.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP757\A0139970.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP757\A0142166.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP757\A0143182.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\$NtUninstallKB896358$\hh.exe:aqupf:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\dllcache\regedit.exe:wjmmg:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\tellecom.exe Infected: Backdoor.Win32.Rbot.gen

Scan process completed.

--

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:33 PM, on 12/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\tellecom.exe
C:\Documents and Settings\Owner\Desktop\security\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Spy Cleaner] C:\PROGRA~1\SPYCLE~2\SpyCleaner.exe
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123677769921
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--

I'm in over my head. :tazz:
  • 0
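Working out where each hit in the Kaspersky report above actually lives on disk is the first triage step. This added Python script (not from the thread or from any tool mentioned in it) parses lines in that report's format, using a constructed, shortened sample of the paths quoted above, and sorts them into NTFS alternate data streams attached to system files, restore points, Spybot's recovery archives, the Outlook mailbox, and live files.

```python
import re

# Constructed sample in the "<path> Infected|Suspicious: <name>" line format of the
# Kaspersky report quoted above (paths copied from the post; the list is shortened).
SAMPLE_REPORT = r"""
C:\WINDOWS\regedit.exe:wjmmg:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\regedit.exe:wjmmg:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\desktop.ini:llmgq:$DATA Infected: Trojan-Downloader.Win32.WinShow.ak
C:\WINDOWS\system32\tellecom.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP755\A0139012.exe Infected: Backdoor.Win32.Rbot.gen
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Klez.zip/winky.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\OutlookHotmail-00000005.pst/Hotmail/Deleted Items/desktop.zip Infected: Email-Worm.Win32.Mabutu.a

Scan process completed.
"""

# One detection per line; anything else (blank lines, the completion banner) is ignored.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
# Kaspersky writes an NTFS alternate data stream as <host file>:<stream>:$DATA.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]+):(?P<stream>[^:\\]+):\$DATA$")


def parse_report(text):
    """Yield (on-disk object, verdict, detection name) for each detection line.

    Members inside archives, mailboxes and streams are separated from the on-disk
    object with "/", so the part before the first "/" is what exists on the disk.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"].split("/", 1)[0], m["verdict"], m["name"]


def classify(disk_path):
    """Return (location class, object) saying where the detection really lives."""
    ads = ADS_RE.match(disk_path)
    if ads:  # the flagged content is a named stream, not the host file's own data
        return "ads", ads["host"]
    low = disk_path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point", disk_path
    if "\\spybot - search & destroy\\recovery\\" in low:
        return "spybot_recovery", disk_path
    if low.endswith(".pst"):
        return "mailbox", disk_path
    return "live_file", disk_path


def triage(text):
    """Group detections by location class, one entry per on-disk object."""
    groups = {}
    for disk_path, _verdict, name in parse_report(text):
        kind, obj = classify(disk_path)
        groups.setdefault(kind, {})[obj] = name
    return groups


if __name__ == "__main__":
    for kind, objects in triage(SAMPLE_REPORT).items():
        print(kind)
        for obj, name in objects.items():
            print(f"  {obj}  ->  {name}")
```

On this sample it leaves tellecom.exe as the only live executable, while the WinShow hits resolve to named streams on regedit.exe and desktop.ini rather than to the visible files.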

#6 Wizard (Retired Staff)

OK, I see this little Bazza wants to be Stubborn!

No Worries, I am twice as stubborn!

First I need some research material if you don't mind!

Download Process Explorer from here
http://www.sysintern...ssExplorer.html

Scroll to the bottom of the page and click the link that applies to your operating system!

If you are unsure which to download, just download the 32 bit version

Once Downloaded, Unzip it and Double Click Procexp.exe to launch it!

Once opened-> Locate and Double Click "tellecom.exe"

Click Strings-> Put a tick in Memory-> Give it a second to load and Click Save!

Once that log is Saved-> Double click every running process and then click "Threads"

Look for "tellecom.exe" under each process!

I need to know which processes you find Tellecom.exe under!

Next, Download this Registry Search Tool
http://www.billsway.com/vbspage/

Scroll down the page and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter "tellecom.exe" for a complete search in the Registry!

Once the Notepad Page is produced-> Post that along with the Strings log from Process Explorer!

What Antivirus Software are you running? Freedom??

#7 jahred (Topic Starter, Member)

The procexp log is enormous and is causing problems with the BBCode, so I'm going to attach it.

regsearch log:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "tellecom.exe" 13/08/2005 6:59:21 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Telecom Center"="tellecom.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Telecom Center"="tellecom.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Telecom Center"="tellecom.exe"

[HKEY_USERS\S-1-5-21-3620571132-1180580824-4246732858-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="C:\\Documents and Settings\\Owner\\Desktop\\tellecom.exe.txt"

[HKEY_USERS\S-1-5-21-3620571132-1180580824-4246732858-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"a"="C:\\WINDOWS\\system32\\tellecom.exe"

[HKEY_USERS\S-1-5-21-3620571132-1180580824-4246732858-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"d"="C:\\Documents and Settings\\Owner\\Desktop\\tellecom.exe.txt"

[HKEY_USERS\S-1-5-21-3620571132-1180580824-4246732858-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Telecom Center"="tellecom.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Telecom Center"="tellecom.exe"

--

I had to reboot once (it locked up when I tried to save a log in procexp; this happens a lot in different apps since tellcom's and now tellecom's appearance), but before I did I noticed tellecom.exe under an svchost.exe tab. It doesn't appear there now, however. It also appears under an explorer.exe tab.

I can't find it anywhere in the threads of any of the processes (other than its own), after checking multiple times. My AV software is currently ewido. I was running naked prior to this mess; I had only Ad-Aware and Spybot. :tazz:

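The RegSrch output above shows one value name, "Microsoft Telecom Center", pointing at the bare file name tellecom.exe under Run in HKLM, HKU\.DEFAULT, the user's SID and S-1-5-18, plus HKLM RunServices. This added Python snippet (not from the thread or from HijackThis) applies three checks to O4 lines in HijackThis format, using a constructed sample copied from the log in the earlier post: image given without a path, use of the legacy RunServices key, and the same value name present in several autostart keys; Global Startup lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log in the earlier post,
# cut down to the entries needed to exercise each check.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry-backed O4 lines only; "Global Startup" (startup-folder) lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_EXT = (".exe", ".com", ".scr", ".dll")


def image_of(cmd):
    """Extract the executable from a Run value: a quoted path, else the shortest run
    of tokens ending in an executable extension, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]


def is_bare_filename(image):
    """No directory, drive letter or environment variable: the name is resolved through
    the process search path at logon (System32 is among the directories searched)."""
    return "\\" not in image and ":" not in image and "%" not in image


def parse_o4(text):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["key"], m["name"], image_of(m["cmd"])))
    return entries


def triage_o4(text):
    """Return {value name: {image, keys, reasons}} for entries that trip any check."""
    entries = parse_o4(text)
    locations = defaultdict(set)
    for hive, key, name, _image in entries:
        locations[name].add(f"{hive}\\..\\{key}")
    findings = {}
    for hive, key, name, image in entries:
        reasons = set()
        if is_bare_filename(image):
            reasons.add("unqualified image name")
        if key == "RunServices":  # Win9x-era key, seldom used by legitimate XP software
            reasons.add("legacy RunServices key")
        if len(locations[name]) > 1:
            reasons.add(f"same value in {len(locations[name])} autostart keys")
        if reasons:
            entry = findings.setdefault(name, {"image": image, "keys": sorted(locations[name]), "reasons": set()})
            entry["reasons"] |= reasons
    return findings


if __name__ == "__main__":
    for name, info in triage_o4(SAMPLE_O4).items():
        print(f"[{name}] {info['image']}: {', '.join(sorted(info['reasons']))}")
        print("  present in: " + "; ".join(info["keys"]))
```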

#8 Wizard (Retired Staff)

Did you find tellecom.exe running under any of the other processes?

I have just got it uploaded and will have to spend some time with it!


Since there isn't an AV on board, I want you to use the link below and Install Kaspersky and run it just as described in the link!

At the end of 30 days, you can choose from a list of free Antivirus Software I will provide!

Kaspersky has the best reputation for disinfecting and repairing files!

Make sure to get the extended database before you scan!

Here is the link
http://www.bleepingc...rvs-t11662.html

Once all is Completed,post back with a fresh HijackThis log and as much Info about the Scan as possible!

#9 jahred (Topic Starter, Member)

Hi crete, have been busy over the weekend and will scan the PC today. :tazz:

#10 Wizard (Retired Staff)

See if you can locate this file and upload it!

tellcom.exe (C:\WINDOWS\System32\tellcom.exe)

Please upload here
http://www.thespykil...forum/index.php

Edited by Cretemonster, 17 August 2005 - 07:15 AM.


#11 jahred (Topic Starter, Member)

tellcom.exe seems to have disappeared ever since tellecom.exe started popping up. It doesn't seem to be anywhere on my hard drive after a search.

#12 Wizard (Retired Staff)

OK, do the Kaspersky AV!

Those WinShow entries are sticky and the extended database from Kaspersky will allow disinfection properly!

No need in us tinkering with these when there is AV Software that will do it properly!

Too Risky to handle manually!

Follow the link just as it's laid out and I think we will see some good progress after it's done!

#13 jahred (Topic Starter, Member)

OK! After scanning once in normal mode and then again in safe mode, Kaspersky disinfected a lot of stuff the first time and found nothing the second time (in safe mode).

tellecom.exe is nowhere to be found, but I'm not sure why. I don't think Kaspersky even detected it? But after running CCleaner to clean up temporary files and the registry, tellecom.exe doesn't even appear in the HijackThis scan.

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:39 PM, on 17/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\security\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123677769921
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C3F00CB-136E-4982-8240-FC30B2366A51}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

The Kaspersky logs are delimited, so I'll attach them. (report is in normal mode, report2 is in safe mode)

Everything seems to be OK, but I'm still wary. Should I attempt the SP2 upgrade?

#14 jahred (Topic Starter, Member)

Hmm, the attachments don't seem to be working for some reason.

#15 jahred (Topic Starter, Member)

Ahh, the attachments are .csv files, which are apparently not allowed.