Internet Explorer Hijacked

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Malware Removal > Misplaced HJT Logs

2 Pages

1 2 >

Internet Explorer Hijacked, seems virus infection

Options

onlyforyou View Member Profile	May 17 2008, 12:20 PM Post #1
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	I got some strange behaviour from IE,it is extremely slow and I cannot even google search. I am using Maxthon also, that runs fine but following URL keeps poping up all the time:http://83.149.75.33/info.png?cmp=ghrnc_return&uid=F1D607E8222811DD9816153908CFFFFF&guid=F7A04F45561A43D591CBC517EEF71D95&affid=153908&lid=http&z=lt Some days back I accidently had some exe file on system and I runned it without scanning and my NOD32 poped and all this has actually started since then, my system laoding is also gone very slow. Though I have blocked above mentioned address but it doesnt help. Also automatics updates have got disabled and cannot re-enable, i tried from services.msc enabling BITS and event log and then automatic updates but didnt work. -- Im using windows XP Pro SP2, maxthon/IE browser. thnks This post has been edited by onlyforyou: May 17 2008, 12:28 PM

boopme View Member Profile	May 17 2008, 12:57 PM Post #2
To INSANITY and BEYOND !! Group: Moderator Posts: 7,016 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Welcome to the forum. Please run these tools and post back 2 logs and tell us how your machine is now. Please download ATF Cleaner by Atribune & save it to your desktop. Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". NEXT Download and scan with SUPERAntiSpyware Free for Home Users Double-click SUPERAntiSpyware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.) Under "*Configuration and Preferences", click the Preferences* button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked (leave all others unchecked): Close browsers before scanning. Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen. Back on the main screen, under "*Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose Perform Complete Scan. Click "Next" to start the scan. Please be patient while it scans your computer. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes". To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. NOW: Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2 Make sure you are connected to the Internet. Double-click on Download_mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. On the Scanner tab: Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that *everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM. Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. -------------------- Can you spare some PC cycles to help FIND A CURE .. BC FOLDING TEAM Click me /info.. ThoughtVent a goodplace to discuss.<<>>>Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

onlyforyou View Member Profile	May 18 2008, 02:50 AM Post #3
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	Here is the MBAM log: Malwarebytes' Anti-Malware 1.12 Database version: 760 Scan type: Quick Scan Objects scanned: 40838 Time elapsed: 6 minute(s), 56 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 6 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\ircleeka.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\448f67f3 (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM47bc546f (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\ircleeka.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\akeelcri.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sbkpnxsy.dll (Trojan.Agent) -> Delete on reboot.

onlyforyou View Member Profile	May 18 2008, 03:06 AM Post #4
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/18/2008 at 02:40 PM Application Version : 4.0.1154 Core Rules Database Version : 3463 Trace Rules Database Version: 1454 Scan type : Complete Scan Total Scan Time : 00:38:08 Memory items scanned : 574 Memory threats detected : 2 Registry items scanned : 7846 Registry threats detected : 10 File items scanned : 20617 File threats detected : 5 Trojan.Vundo-Variant/Small-GEN C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL Adware.Vundo Variant/Resident C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL Trojan.Vundo-Variant/Small HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32 HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32 HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2AA0726C-95B7-4216-AA43-B5BDD524892F} Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtsQGwv Adware.Tracking Cookie C:\Documents and Settings\Raj_Malik\Cookies\raj_malik@clickbank[2].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@imrworldwide[3].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@2o7[3].txt SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/18/2008 at 02:40 PM Application Version : 4.0.1154 Core Rules Database Version : 3463 Trace Rules Database Version: 1454 Scan type : Complete Scan Total Scan Time : 00:38:08 Memory items scanned : 574 Memory threats detected : 2 Registry items scanned : 7846 Registry threats detected : 10 File items scanned : 20617 File threats detected : 5 Trojan.Vundo-Variant/Small-GEN C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL Adware.Vundo Variant/Resident C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL Trojan.Vundo-Variant/Small HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32 HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32 HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2AA0726C-95B7-4216-AA43-B5BDD524892F} Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtsQGwv Adware.Tracking Cookie C:\Documents and Settings\Raj_Malik\Cookies\raj_malik@clickbank[2].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@imrworldwide[3].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@2o7[3].txt

onlyforyou View Member Profile	May 18 2008, 03:08 AM Post #5
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 05/18/2008 at 02:40 PM Application Version : 4.0.1154 Core Rules Database Version : 3463 Trace Rules Database Version: 1454 Scan type : Complete Scan Total Scan Time : 00:38:08 Memory items scanned : 574 Memory threats detected : 2 Registry items scanned : 7846 Registry threats detected : 10 File items scanned : 20617 File threats detected : 5 Trojan.Vundo-Variant/Small-GEN C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL C:\WINDOWS\SYSTEM32\AWTSQGWV.DLL Adware.Vundo Variant/Resident C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL C:\WINDOWS\SYSTEM32\IIFGDTRK.DLL Trojan.Vundo-Variant/Small HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F} HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32 HKCR\CLSID\{2AA0726C-95B7-4216-AA43-B5BDD524892F}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5} HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32 HKCR\CLSID\{A4FAB4DB-17A0-473C-94D6-D1C663CB00B5}\InprocServer32#ThreadingModel HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2AA0726C-95B7-4216-AA43-B5BDD524892F} Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtsQGwv Adware.Tracking Cookie C:\Documents and Settings\Raj_Malik\Cookies\raj_malik@clickbank[2].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@imrworldwide[3].txt C:\Documents and Settings\Raj_Malik\Application Data\Thinstall\WLM Lite\%Profile%\Cookies\raj_malik@2o7[3].txt

onlyforyou View Member Profile	May 18 2008, 03:17 AM Post #6
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	Thank you very much for ur support. In between I saw yesterday UAservice.exe running in process manager and I have disable it in Autoruns. Seems this is trojan(google search). Now its not there in process manager but how can I make sure that it has been removed from my system. Otherwise my system booting looks now faster and i dont see popups anymore. PS. I have some problem with bleeping computer site (on maxthon only) this dialog appears:IE cannot download iframe.html from www.bleeping computer.com. IE was unable to open this internet site...... and one download window also is there showing 0% download.(actually threesuch instances pop-up when I open bleepign computer.com and sign in).

DaChew View Member Profile	May 18 2008, 06:07 AM Post #7
Visiting Alien Group: Members Posts: 3,942 Joined: 20-May 07 From: millenium falcon Member No.: 131,963	83.149.75.33 another amsterdam infection http://www.malwareremoval.com/tutorials/safemodeboot.php please boot into safe mode and run ATF cleaner and then a complete scan with SAS save the log reboot run another scan from normal mode with MBAM This post has been edited by DaChew: May 18 2008, 06:07 AM -------------------- K.I.S.S. Chewy

onlyforyou View Member Profile	May 18 2008, 10:18 AM Post #8
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	I did so..but there is nothing..but problem with bleepingcomputer.com persists.

DaChew View Member Profile	May 18 2008, 02:33 PM Post #9
Visiting Alien Group: Members Posts: 3,942 Joined: 20-May 07 From: millenium falcon Member No.: 131,963	http://www.bleepingcomputer.com/forums/topic131299.html you might want to print up these directions and follow them exactly -------------------- K.I.S.S. Chewy

onlyforyou View Member Profile	May 19 2008, 02:11 AM Post #10
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	SDFix: Version 1.183 Run by Raj_Malik on Mon 05/19/2008 at 01:16 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-19 13:33:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:27b5fd83 "s2"=dword:98b21b20 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\ d\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:61,16,e4,15,9d,d5,47,d8,1f,ee,99,2c,ed,f9,5b,d5,b6,17,32,e7,72,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,12,75,59,ea,2b,46,28,c5,a6,33,a4,82,52,f5,68,9c,a4,.. "khjeh"=hex:08,28,91,80,29,07,31,d3,73,df,80,d8,1f,95,c4,b9,26,c9,43,f4,1e,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:07,e3,63,7f,6b,5b,c5,72,ec,80,08,78,4b,17,de,dc,53,b8,dc,3c,79,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\ d\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:61,16,e4,15,9d,d5,47,d8,1f,ee,99,2c,ed,f9,5b,d5,b6,17,32,e7,72,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,12,75,59,ea,2b,46,28,c5,a6,33,a4,82,52,f5,68,9c,a4,.. "khjeh"=hex:08,28,91,80,29,07,31,d3,73,df,80,d8,1f,95,c4,b9,26,c9,43,f4,1e,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:07,e3,63,7f,6b,5b,c5,72,ec,80,08,78,4b,17,de,dc,53,b8,dc,3c,79,.. scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE::Enabled:Microsoft Office Outlook" "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE::Enabled:Microsoft Office Groove" "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE::Enabled:Microsoft Office OneNote" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\Maxthon2\\Maxthon.exe"="C:\\Program Files\\Maxthon2\\Maxthon.exe::Enabled:Maxthon Browser" "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe::Enabled:Orb" "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe::Enabled:OrbTray" "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe::Enabled:Orb Stream Client" "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe::Enabled:Google Talk" "C:\\Program Files\\Need For Speed - Porsche Unleashed\\Porsche.exe"="C:\\Program Files\\Need For Speed - Porsche Unleashed\\Porsche.exe::Enabled:Porsche" "C:\\DOCUME~1\\RAJ_MA~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\RAJ_MA~1\\LOCALS~1\\Temp\\svchost.exe::Enabled:381E073305C678F4" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe::Enabled:æTorrent" "C:\\ d\\Portable_LimeWire_Pro_4[1].12.3\\Portable_LimeWire_Pro_4.12.3\\LimeWire.exe"="C:\\ d\\Portable_LimeWire_Pro_4[1].12.3\\Portable_LimeWire_Pro_4.12.3\\LimeWire.exe::Enabled:LimeWire" "C:\\DOCUME~1\\ADMINS~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\ADMINS~1\\LOCALS~1\\Temp\\svchost.exe::Enabled:3F28243215C678F4" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe" Mon 4 Feb 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe" Thu 15 May 2008 1,555,744 ..SH. --- "C:\WINDOWS\system32\afdjaamu.tmp" Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BITF.tmp" Sun 30 Dec 2007 444 ...HR --- "C:\Documents and Settings\Raj_Malik\Application Data\SecuROM\UserData\securom_v7_01.bak" Thu 3 Jan 2008 2,855 A..H. --- "C:\Documents and Settings\All Users\Start Menu\Programs\Landvermesser\Finderbar\eraserd.pif" Finished!

onlyforyou View Member Profile	May 19 2008, 02:15 AM Post #11
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	QUOTE(onlyforyou @ May 19 2008, 03:11 PM) SDFix: Version 1.183 Run by Raj_Malik on Mon 05/19/2008 at 01:16 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-19 13:33:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:27b5fd83 "s2"=dword:98b21b20 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\ d\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:61,16,e4,15,9d,d5,47,d8,1f,ee,99,2c,ed,f9,5b,d5,b6,17,32,e7,72,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,12,75,59,ea,2b,46,28,c5,a6,33,a4,82,52,f5,68,9c,a4,.. "khjeh"=hex:08,28,91,80,29,07,31,d3,73,df,80,d8,1f,95,c4,b9,26,c9,43,f4,1e,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:07,e3,63,7f,6b,5b,c5,72,ec,80,08,78,4b,17,de,dc,53,b8,dc,3c,79,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="C:\ d\DAEMON Tools\" "h0"=dword:00000000 "khjeh"=hex:61,16,e4,15,9d,d5,47,d8,1f,ee,99,2c,ed,f9,5b,d5,b6,17,32,e7,72,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] "a0"=hex:20,01,00,00,12,75,59,ea,2b,46,28,c5,a6,33,a4,82,52,f5,68,9c,a4,.. "khjeh"=hex:08,28,91,80,29,07,31,d3,73,df,80,d8,1f,95,c4,b9,26,c9,43,f4,1e,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] "khjeh"=hex:07,e3,63,7f,6b,5b,c5,72,ec,80,08,78,4b,17,de,dc,53,b8,dc,3c,79,.. scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE::Enabled:Microsoft Office Outlook" "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE::Enabled:Microsoft Office Groove" "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE::Enabled:Microsoft Office OneNote" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\Maxthon2\\Maxthon.exe"="C:\\Program Files\\Maxthon2\\Maxthon.exe::Enabled:Maxthon Browser" "C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe::Enabled:Orb" "C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe::Enabled:OrbTray" "C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe::Enabled:Orb Stream Client" "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe::Enabled:Google Talk" "C:\\Program Files\\Need For Speed - Porsche Unleashed\\Porsche.exe"="C:\\Program Files\\Need For Speed - Porsche Unleashed\\Porsche.exe::Enabled:Porsche" "C:\\DOCUME~1\\RAJ_MA~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\RAJ_MA~1\\LOCALS~1\\Temp\\svchost.exe::Enabled:381E073305C678F4" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe::Enabled:æTorrent" "C:\\ d\\Portable_LimeWire_Pro_4[1].12.3\\Portable_LimeWire_Pro_4.12.3\\LimeWire.exe"="C:\\ d\\Portable_LimeWire_Pro_4[1].12.3\\Portable_LimeWire_Pro_4.12.3\\LimeWire.exe::Enabled:LimeWire" "C:\\DOCUME~1\\ADMINS~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\ADMINS~1\\LOCALS~1\\Temp\\svchost.exe::Enabled:3F28243215C678F4" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Thu 14 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe" Mon 4 Feb 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe" Thu 15 May 2008 1,555,744 ..SH. --- "C:\WINDOWS\system32\afdjaamu.tmp" Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BITF.tmp" Sun 30 Dec 2007 444 ...HR --- "C:\Documents and Settings\Raj_Malik\Application Data\SecuROM\UserData\securom_v7_01.bak" Thu 3 Jan 2008 2,855 A..H. --- "C:\Documents and Settings\All Users\Start Menu\Programs\Landvermesser\Finderbar\eraserd.pif" Finished! SDFix didnot find anything..moreover the problems with IE and maxthon are also gone. However should I do with this file C\windows system32\UAservice.exe (should I delete it or leave it as such) This post has been edited by onlyforyou: May 19 2008, 02:17 AM

DaChew View Member Profile	May 19 2008, 06:05 AM Post #12
Visiting Alien Group: Members Posts: 3,942 Joined: 20-May 07 From: millenium falcon Member No.: 131,963	I wish I had an easy answer for that one, it's part of secure rom, game protection, but your P2P with backdoor trojans and possible rootkit are enough for me to reccomend flatten and rebuild I did a google search for one of your apps, went to the safest looking of the 3 hits, IE went into total meltdown running scripts, I got out by shutdown. http://www.microsoft.com/technet/community...gmt/sm0504.mspx -------------------- K.I.S.S. Chewy

onlyforyou View Member Profile	May 19 2008, 08:19 AM Post #13
Member Group: Members Posts: 33 Joined: 5-July 07 Member No.: 141,572	which app you are talking about? But unfortunately I have no time to build system from scratch again. Can you please recommend me some other alternative. I wish all this would have happened 6months back. I have no choice of flattening the system.

DaChew View Member Profile	May 19 2008, 10:38 AM Post #14
Visiting Alien Group: Members Posts: 3,942 Joined: 20-May 07 From: millenium falcon Member No.: 131,963	QUOTE you can lead a horse to water, but you can't make it drink a universal truth . QUOTE I am very grateful for your help, it is much appreciated. Point taken about the p2p! Like I said in my topic it strengthens your faith in man to see people helping each other out for no reward, it is a dying trait another response i got to my P2P lecture like a jedi master from finland once said, if you don't want to take my advise I will make you a deal and not give it I would try to learn more about backdoor trojans and rootkits or enlist the help of a trained expert in their removal http://www.bleepingcomputer.com/forums/topic34773.html -------------------- K.I.S.S. Chewy

onlyforyou View Member Profile	May 20 2008, 09:56 AM Post #15