Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

trojan [CLOSED]

Started by gasmanuk , Aug 16 2005 12:37 PM

This topic is locked

#16
Michelle

Posted 25 August 2005 - 12:54 PM

Malware Removal Goddess

Retired Staff
8,928 posts

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Documents and Settings\paul.WALKER-O0ZKACUF\Local Settings\Temp\E4A.tmp

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After reboot, please open Microsoft Anti-Spyware and delete everything it has quarantined. Also, open AVG and delete anything it has quarantined, if applicable.

Please download RKFiles from HERE

Unzip RKfiles.zip to the desktop
Reboot into Safe Mode - you can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in Safe Mode, double-click RKFiles.bat to run it.
- It may take a while.
When it is finished a windows should appear with a log.
Please copy the contents of the logfile and paste them here.The log with be saved at c:\log.txt

Post a new HiJackThis log as well.

#17
gasmanuk

Posted 25 August 2005 - 03:10 PM

Member

Topic Starter
Member
42 posts

C:\Documents and Settings\paul.WALKER-O0ZKACUF\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 22:09:36, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\DSLMON.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124646577132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124646564257
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#18
Michelle

Posted 25 August 2005 - 03:56 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Are you still getting notifications about the trojan?

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to ONLY the items below before scanning:

Memory
Startup Folders
Drive - All Local Drives
Folder - then click "browse" to change the directory to C: (default is C:\Windows)
System Folders
Services
Include Sub-Directory
Scan All Files

Please make sure ALL of the above are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Edited by Michelle, 25 August 2005 - 03:56 PM.

#19
gasmanuk

Posted 26 August 2005 - 12:26 PM

Member

Topic Starter
Member
42 posts

i haven't any notifications today but my computer is running dead slow still for example sometimes when i open "my computer" i d like searching for files for about thirty seconds

i am running the scan now

thanks

#20
gasmanuk

Posted 27 August 2005 - 12:12 AM

Member

Topic Starter
Member
42 posts

Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001135.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001136.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001137.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001138.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{A662DDC7-2587-40CB-9B0B-AF0BEEC13184}\RP55\A0064058.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{A662DDC7-2587-40CB-9B0B-AF0BEEC13184}\RP55\A0064059.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001135.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001136.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001137.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{04FE4684-4DA7-43A4-949A-AF74152C8F6D}\RP2\A0001138.exe infected by "Trojan-Dropper.Win32.Agent.sf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{A662DDC7-2587-40CB-9B0B-AF0BEEC13184}\RP55\A0064058.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{A662DDC7-2587-40CB-9B0B-AF0BEEC13184}\RP55\A0064059.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.

While this scan was running microsoft antispyware ran and detected two things

SD bot (worm) and trojan.backdoor.codbot.ae

should I heal these problems and anyother that a scan finds???

#21
Michelle

Posted 27 August 2005 - 12:27 AM

Malware Removal Goddess

Retired Staff
8,928 posts

If it asks if you want to delete/heal/quarantine whatever please do it :tazz:

Please download Rootkit Revealer (link is at the very bottom of the page)

Unzip it to your desktop.
Reboot into Safe Mode. (must be done in Safe Mode!)
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Reboot into normal mode.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Edited by Michelle, 27 August 2005 - 12:47 AM.

#22
gasmanuk

Posted 27 August 2005 - 03:40 AM

Member

Topic Starter
Member
42 posts

it won't run in safe mode it keep s coming up with the error "overlap in I/0 process"

#23
Michelle

Posted 27 August 2005 - 03:41 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Try it in normal mode to see if it works there. :tazz:

#24
gasmanuk

Posted 27 August 2005 - 03:43 AM

Member

Topic Starter
Member
42 posts

it does shall i run the scan in normal mode

#25
Michelle

Posted 27 August 2005 - 03:44 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Yes please :tazz:

#26
gasmanuk

Posted 27 August 2005 - 04:34 AM

Member

Topic Starter
Member
42 posts

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 17/07/2005 22:29 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 27/08/2005 10:50 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 27/08/2005 10:49 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 27/08/2005 10:49 0 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 27/08/2005 10:51 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\Perflib_Perfdata_630.dat 27/08/2005 10:50 16.00 KB Visible in Windows API, but not in MFT or directory index.

#27
Michelle

Posted 27 August 2005 - 09:36 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.

Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Edited by Michelle, 27 August 2005 - 01:31 PM.

#28
gasmanuk

Posted 28 August 2005 - 12:23 AM

Member

Topic Starter
Member
42 posts

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,33,00,34,00,37,00,70,00,72,\
00,74,00,2e,00,73,00,79,00,73,00,00,00
"Group"="SCSI miniport"
"Tag"=dword:00000021

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg]
"khjeh"=hex:90,01,00,00,f1,ad,a4,20,c2,a7,67,8a,a0,5b,22,7f,02,74,80,25,0b,fa,\
41,40,05,e9,98,15,84,b8,7a,aa,97,74,3a,b0,fe,5a,a0,f3,ce,f5,6b,6f,4a,26,b9,\
77,3f,53,1e,7b,a0,9f,84,d0,5d,4d,ff,de,bc,43,3b,ef,4e,97,a6,ed,07,c4,1f,53,\
61,72,b2,23,b0,29,e6,1a,13,9a,b8,d4,8a,23,bf,e1,12,e9,3d,c3,e6,14,d4,72,e3,\
10,d2,c1,1c,f6,53,08,f9,0e,39,fe,28,c3,4e,23,0a,3d,d3,aa,73,80,4f,ef,8d,ad,\
c5,52,ec,d6,d4,a1,df,50,db,01,86,ae,ec,83,f6,70,56,87,f2,3a,f4,7b,67,8b,89,\
7c,48,70,91,31,c5,0a,23,62,c4,76,66,1a,76,fa,bc,5e,ef,bd,ec,bf,69,88,7b,cf,\
18,5b,dc,4c,db,33,7b,50,d2,bf,a1,a8,9a,17,d9,ae,8e,b4,3e,c3,ab,fa,7c,82,44,\
28,23,e9,e1,dd,18,c6,b0,f9,81,88,f2,bb,c4,89,db,20,05,08,35,e5,97,c3,f4,43,\
ad,de,07,af,b0,48,ae,e9,d3,6e,fe,d8,3c,57,1a,de,a4,90,af,06,5d,2e,f0,43,99,\
d5,4d,eb,03,1c,ec,58,7f,30,be,93,54,e8,d7,3d,9c,4b,11,29,8f,35,e0,bb,d2,c7,\
83,d7,08,33,7a,92,5b,dc,02,c1,77,14,b6,35,d6,f7,93,13,e1,dc,6c,8b,7a,1d,e9,\
97,3e,d2,58,c7,d6,39,ba,e6,b0,f7,03,b8,84,60,bd,b7,e0,29,dc,bf,ad,9f,4f,91,\
f4,bc,76,cc,fc,5e,e6,cd,5b,18,82,90,6c,e5,17,c1,7c,88,98,96,79,66,b5,4e,33,\
f4,f4,a1,7e,27,e6,38,f2,a5,bf,24,6e,f7,19,7d,79,a9,48,eb,71,59,4b,97,70,74,\
82,53,44,8b,8a,45,91,18,5e,fb,11,82,5b,7f,5d,f7,94,3f,a9,6b,d1,5c,b5,99,e0,\
b3,50,da

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Parameters\PnpInterface]
"0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Enum]
"0"="PCI\\d347prt\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"AudioDeck" = "C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 " ["VIA Technologies, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "paul" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"DSLMON" -> shortcut to: "C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\DSLMON.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 55 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 163 seconds.
---------- (total run time: 308 seconds)

#29
Michelle

Posted 28 August 2005 - 01:28 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Download f-bot.exe to your desktop.

Double-click f-bot.exe to run the program.
Once it's done, reboot your computer.
Post a new HiJackThis log
Let me know if you're still getting notifications!

Edited by Michelle, 28 August 2005 - 01:29 AM.

#30
gasmanuk

Posted 28 August 2005 - 04:51 AM

Member

Topic Starter
Member
42 posts

running now...

yes i keep getting avg popping up with the trojan sdbot.egy ie another one that keeps popping up each time i have to restart my pc. Do you think i should install avg's firewall or another type????

Also can you tell me how to check my ram and what sort of video card I have as It may be that I have a hardware problem I probably ain't but its running so slow i can't understand it.

in the time it took me to type this avg came up with the trojan above three times.....