
Backdoor.graybird And Infostealer.wowcraft


32 replies to this topic

#1 phelin


Posted 21 July 2007 - 04:38 AM

Symantec told me to restart the comp in safe mode, then press ctrl+alt+delete, select Processes, look for Svch0st.exe and then end the process. But there are more than one of these, and every time I try it tells me Windows occurred some kind of error and has to shut down. When I tried to restart in safe mode a bunch of words appeared on my screen for about a min, then the computer restarted and wouldn't restart even normally, so I had to perform a system recovery, but I still have the trojans: Backdoor.Sdbot, IRC-Sdbot, Backdoor.IRC.Sdbot, BKDR.SDBOT.B, Troj/Sdbot, Win32.Sdbot.14176 and Backdoor.Graybird, Backdoor.ARR, Infostealer.Wowcraft, PWSteal.Wowcraft. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:44:00 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldusa.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.worldusa.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.worldusa.com/search.php?sa=Sear...D%3A11&q=%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184836970078
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe


#2 phelin


Posted 21 July 2007 - 04:44 AM

I only have about 4 GB on my iTunes, and the rest is supposed to be used up by my programs, but I don't have that many on my computer. What does this mean?

#3 Rorschach


Posted 28 July 2007 - 01:00 PM

Hello phelin, sorry for the delay. I'm just looking over your log and will get back to you soon.

#4 Rorschach


Posted 28 July 2007 - 05:30 PM

Hello phelin

One or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, stealing passwords, credit card info, and personal data. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts. Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

The best course of action to take is to reformat your PC, as there are a lot of nasty infections on it that we may not even be able to fully get rid of for sure. The backdoor application has probably changed many settings and infected a lot of files.

Please read these topics before you make your decision:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

However, if you want to go ahead and try to clean up your PC, let me know and we will get started!

#5 phelin


Posted 28 July 2007 - 10:28 PM

Thanks for the help I would really like to try to clean up my computer.

#6 Rorschach


Posted 29 July 2007 - 11:14 AM

Hello phelin

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


We need to put HijackThis in a permanent folder, so please do the following:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.
Exit this folder now and do not run HijackThis; we will be using it later.




I see you have SpywareBot installed. This is considered a rogue anti-spyware product that is of dubious nature and gives false positives; you can read more about it here. I recommend uninstalling it (I will recommend better free programs later), so please go to Start > Control Panel > Add or Remove Programs > Remove SpywareBot.



I notice you are using two firewalls (Norton Internet Security and PC Tools Firewall Plus); this can lead to conflicts, PC slowdown and many other problems. You need to uninstall one of these programs. I recommend keeping Norton Internet Security, so please go to Start > Control Panel > Add or Remove Programs > Remove PC Tools Firewall Plus.



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because it is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

So in your next reply please post the following: the SDFix report, the Dr.Web CureIt report, a new HijackThis log, tell me how it went removing those programs, and tell me how your PC is running now and whether you had any problems.
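As an added illustration (not code from this thread, from HijackThis or from the helper), the script below parses HijackThis log lines of the kind posted above and raises the same points the helper made: a rogue anti-spyware product, two firewall products installed side by side, an IE search page pointing at an unexpected host, and O23 services reported as "(file missing)". The product names come from the thread; the allowlist of start/search page hosts is an assumption made for the example.

```python
"""Flag review points in HijackThis-style log lines.

Added example for this thread; it is not code from HijackThis or from the
forum helper. Product names come from the thread itself; the search-page
allowlist is an assumption made for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.worldusa.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
"""

# The helper's own findings in this thread: two firewall products installed
# side by side, and SpywareBot named as a rogue anti-spyware product.
FIREWALL_PRODUCTS = ("Norton Internet Security", "PC Tools Firewall Plus")
ROGUE_PRODUCTS = ("SpywareBot",)
# Assumption: the HP OEM redirect seen in both of the thread's logs is the
# only expected start/search page host; about:blank is also accepted.
ALLOWED_SEARCH_HOSTS = ("hp.com",)

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
R1_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<value>.*)$")
O23_RE = re.compile(
    r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)


def parse_entry(line):
    """Split one log line into its HJT section code (R1, O4, O23, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def host_allowed(url):
    """True for about:blank or a host under one of the allowed domains."""
    if url == "about:blank":
        return True
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_SEARCH_HOSTS)


def analyze(log_text):
    """Return a list of human-readable findings for the given log text."""
    findings = []
    firewalls_seen = set()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue  # process list, headers, blank lines
        section, body = entry["section"], entry["body"]
        for product in FIREWALL_PRODUCTS:
            if product in body:
                firewalls_seen.add(product)
        for product in ROGUE_PRODUCTS:
            if product in body:
                findings.append(f"{section}: rogue anti-spyware product {product} present")
        if section == "R1":
            m = R1_RE.match(body)
            if m and not host_allowed(m.group("value")):
                host = urlsplit(m.group("value")).hostname
                findings.append(f"R1: IE start/search page points at {host}")
        elif section == "O23":
            m = O23_RE.match(body)
            if m and "(file missing)" in m.group("path"):
                # In this thread the v1.99.1 log shows this for Symantec
                # services whose quoted command lines were mis-split; the later
                # v2.0.2 log lists the same services normally, so verify the
                # path before treating it as a missing or replaced binary.
                svc = m.group("short") or m.group("name")
                findings.append(f"O23: service {svc} binary reported missing; verify path")
    if len(firewalls_seen) > 1:
        findings.append("O4/O23: more than one firewall product: "
                        + ", ".join(sorted(firewalls_seen)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```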

#7 phelin


Posted 29 July 2007 - 02:59 PM

SDFix: Version 1.83

Run by HP_Administrator - Sun 07/29/2007 - 12:36:12.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\HP_ADM~1\Desktop\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArtSmall.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Large.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Small.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\desktop.ini
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\Folder.jpg
C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL
C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll
C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll
C:\Program Files\Online Services\Canada\KOL\client.exe
C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe
C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe
C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE
C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe
C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip
C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip

Finished






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:11 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Service Manager.lnk.disabled
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184836970078
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10153 bytes

#8 Rorschach

Rorschach

  • Members
  • 523 posts

Posted 29 July 2007 - 04:32 PM

Hello phelin, don't forget to post the Dr. Web CureIt report and tell me how it went removing those programs, and tell me how your PC is running now and if you had any problems.

#9 phelin

phelin
  • Topic Starter

  • Members
  • 35 posts

Posted 30 July 2007 - 02:19 AM

Process.exe;C:\Documents and Settings\HP_Administrator\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
firstopt.js;D:\I386\APPS\APP04697;Probably SCRIPT.Virus;Incurable.Moved.;
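The Dr.Web CureIt report above is semicolon-delimited (object;path;verdict;action;). As an added example, not part of the thread or of Dr.Web's software, this Python parser reads those lines and sorts the verdicts the way a helper triages them: riskware hits on the cleanup utilities themselves (Tool.* on SDFix's Process.exe and HP's KillWind.exe), heuristic "Probably" verdicts that need verification, and archive summary lines whose member entries carry no action of their own. The sample input is the seven lines from the post.

```python
"""Triage helper for Dr.Web CureIt! report lines (added example, not Dr.Web code).

Line format as seen in the pasted report:  object;path;verdict;action;
An object written as 'archive\\member' is a file inside a container; for such
entries the path names the container itself and the action field is empty.
"""
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the seven lines pasted in the post above.
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\HP_Administrator\Desktop\SDFix\apps;Tool.Prockill;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
sb6adts.htc\Script.0;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\sb6adts.htc;Probably SCRIPT.Virus;;
sb6adts.htc;C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts;Archive contains infected objects;Moved.;
firstopt.js;D:\I386\APPS\APP04697;Probably SCRIPT.Virus;Incurable.Moved.;
"""


@dataclass
class Detection:
    obj: str      # object name, 'archive\member' for a file inside a container
    path: str     # directory of the object, or the container file for members
    verdict: str  # Dr.Web verdict string
    action: str   # what CureIt did; empty for container members

    @property
    def in_container(self) -> bool:
        return "\\" in self.obj

    @property
    def moved(self) -> bool:
        return "Moved" in self.action

    @property
    def kind(self) -> str:
        """Coarse confidence class of the verdict."""
        if self.verdict.startswith("Tool."):
            return "tool"       # riskware: process killers, remote admin, etc.
        if self.verdict.startswith("Probably "):
            return "heuristic"  # heuristic match; verify before trusting
        if self.verdict.startswith("Archive contains"):
            return "container"  # summary line for an archive with flagged members
        return "signature"      # named malware family


def parse_report(text: str) -> List[Detection]:
    dets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")  # the trailing ';' yields a final empty field
        if len(parts) < 4:
            raise ValueError(f"unexpected CureIt line: {raw!r}")
        dets.append(Detection(*parts[:4]))
    return dets


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count verdicts by class, plus objects CureIt left in place."""
    counts = {"tool": 0, "heuristic": 0, "container": 0, "signature": 0, "left_in_place": 0}
    for d in dets:
        counts[d.kind] += 1
        if not d.moved and not d.in_container:  # members are handled via their archive
            counts["left_in_place"] += 1
    return counts


def needs_review(dets: List[Detection]) -> List[Detection]:
    """Entries a helper should examine: heuristic or named-malware verdicts,
    excluding admin tools and archive summary lines."""
    return [d for d in dets if d.kind in ("heuristic", "signature")]
```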

#10 Rorschach

Rorschach

  • Members
  • 523 posts

Posted 30 July 2007 - 07:05 AM

Hello phelin, you seem to have run an old version of SDFix, so please delete your version of SDFix, and download it again from
here and save it to your Desktop. Then follow these instructions:

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum


#11 phelin

phelin
  • Topic Starter

  • Members
  • 35 posts

Posted 01 August 2007 - 02:39 AM

SDFix: Version 1.83

Run by Administrator - Tue 07/31/2007 - 23:19:59.23

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArtSmall.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Large.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Small.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\desktop.ini
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\Folder.jpg
C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL
C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll
C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll
C:\Program Files\Online Services\Canada\KOL\client.exe
C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe
C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe
C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE
C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe
C:\Documents and Settings\HP_Administrator\Desktop\SDFix\dummy.sys
C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip
C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip

Finished

#12 Rorschach

Rorschach

  • Members
  • 523 posts

Posted 01 August 2007 - 04:04 PM

Hello phelin, you seem to still be using the old version of SDFix. It's very important that we use the latest version, so we need to try again. Please do the following:

Delete the SDFix folder at C:\sdfix

Delete the sdfix folder on your desktop

Delete any copies of SDFix you have on your PC. Once you have done that, try to download and run it again from here.

#13 phelin

phelin
  • Topic Starter

  • Members
  • 35 posts

Posted 04 August 2007 - 01:57 PM

Ok, so here's the new report using SDFix 1.95.
I still have the trojan on my computer.


SDFix: Version 1.95

Run by Administrator on Sat 08/04/2007 at 01:13 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\HP_ADM~1\MYDOCU~1\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArtSmall.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Large.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\AlbumArt_{D83A12A7-7C36-46E1-A0C9-70FF862AF40D}_Small.jpg
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\desktop.ini
C:\Documents and Settings\cecy\My Documents\My Music\iTunes\iTunes Music\Alvaro Torres ft Mochy y Alexandra\www.lomaximoproductions.com\Folder.jpg
C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL
C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL
C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll
C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll
C:\Program Files\Online Services\Canada\KOL\client.exe
C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe
C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe
C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe
C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE
C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe
C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe
C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe
C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe
C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe
C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe
C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe
C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip
C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip

Finished
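Both SDFix reports in this thread (posts #11 and #13) end with an "Authorized Application Key Export", the Windows XP firewall exception list dumped in reg-export form. As an added example, not part of the thread or of SDFix, this Python reviewer parses those lines (value format path:scope:status:name, backslashes doubled) and flags two things a helper checks by eye: a key path that does not match the value path, and an enabled exception for a program outside %windir% or Program Files. It assumes %windir% is C:\WINDOWS; the sample is the StandardProfile list from the report plus one constructed placeholder entry (example.exe in a Temp folder) to show what a flagged line looks like.

```python
"""Reviewer for the 'Authorized Application Key Export' of an SDFix report.
Added example, not SDFix code. Assumes %windir% is C:\\WINDOWS."""
import re
from dataclasses import dataclass
from typing import List

WINDIR = r"C:\WINDOWS"  # assumption: Windows directory of the logged PC

# "key"="value" as written by reg export; backslashes are doubled inside quotes.
_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# value = path:scope:status:name ; the non-greedy path absorbs the drive colon.
_VALUE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>[A-Za-z]+):(?P<name>.*)$")

# Sample input: the StandardProfile list exactly as it appears in the report above.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"""
# Constructed entry (placeholder name, not from the log): an exception in a
# user-writable Temp folder, a location that always deserves a closer look.
CONSTRUCTED_SUSPECT = (r'"C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Temp\\example.exe"='
                       r'"C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Temp\\example.exe:*:Enabled:example"')


@dataclass
class FirewallException:
    key_path: str  # registry value name; should repeat the program path
    path: str      # program path from the value data
    scope: str     # '*' means any remote address
    status: str    # Enabled / Disabled
    name: str      # display name, or an @dll,-id resource reference


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_export(text: str) -> List[FirewallException]:
    excs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # section header, blank line, or non-export text
        key, value = _unescape(m.group(1)), _unescape(m.group(2))
        v = _VALUE_RE.match(value)
        if not v:
            raise ValueError(f"unexpected value format: {value!r}")
        excs.append(FirewallException(key, v["path"], v["scope"], v["status"], v["name"]))
    return excs


def _trusted_dir(p: str) -> bool:
    return p.startswith(WINDIR.lower()) or p.startswith(r"c:\program files")


def review(excs: List[FirewallException]) -> List[str]:
    """One finding per exception that deserves a closer look."""
    findings = []
    for e in excs:
        p = e.path.replace("%windir%", WINDIR).lower()
        if e.key_path.replace("%windir%", WINDIR).lower() != p:
            findings.append(f"key/value path mismatch: {e.key_path!r} vs {e.path!r}")
        if e.status.lower() == "enabled" and not _trusted_dir(p):
            findings.append(f"enabled exception outside system/program dirs: {e.path} ({e.name})")
    return findings
```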

#14 Rorschach

Rorschach

  • Members
  • 523 posts

Posted 05 August 2007 - 01:22 PM

Hello phelin, why do you still think you have a trojan on your PC?


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.


So post the two DSS texts in full and the GMER results in your next reply.

#15 phelin

phelin
  • Topic Starter

  • Members
  • 35 posts

Posted 07 August 2007 - 03:01 AM

After I finished with the SDFix I ran Norton and it said it was still on my computer.

These logs are too big. How can I post them without having to break them into little chunks?



