
Spyware Galore! Fake Windows Security Help!


  • This topic is locked
6 replies to this topic

#1 zideeq

zideeq

  • Members
  • 7 posts

Posted 28 August 2007 - 08:50 AM

I'm getting this annoying background saying "warning! spyware threat has been detected on your pc. your computer has several fatal errors due to spyware activity....."
and I also have this icon in the tray, some fake windows security thing, plenty of exes and dlls in system32, windows and program files directories. I've spent at least 4 hours straight trying to fix THIS!! It keeps coming back, and it's disabled my task manager (I enable it with Run, and edit the config in Group Policy etc., delete all the exes, dlls, folders, but once I'm out of safe mode, everything comes back!!)


Please help, here's my log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:27:55, on 28/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: oembios32.msdn_hlp - {0B1C644A-E692-4413-A9C5-FE2EB9E4AA74} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EC7C7AA-2372-4AD2-8F0B-A936440F82F4}: NameServer = 194.168.8.100,194.168.4.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EC7C7AA-2372-4AD2-8F0B-A936440F82F4}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5300 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 August 2007 - 09:44 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum zideeq :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\oembios32.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: oembios32.msdn_hlp - {0B1C644A-E692-4413-A9C5-FE2EB9E4AA74} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

Download Systemscan and save it to your desktop.
Double-click on Systemscan.exe to run the tool.
A warning box will appear. Please read and click Ok.
When SystemScan opens, click the "Unselect all" button.
Important: under "Make your choice and than click..." check the boxes next to:

PC accounts
Recent files (60 days)
Hidden Objects


Everything else should be unchecked.
Click "Scan Now".
Another warning box will appear. Please follow the instructions and click Ok.
Systemscan will scan your computer and create a folder at C:\suspectfile to save the log files. Please be patient while the scan is in progress.
When the scan is complete, Notepad will automatically open a log file named report.txt.
This log file will show a list of all user accounts, all files/folders created in the last 60 days and any Hidden files that were found.
Copy and paste the contents of report.txt in your next reply.

Also post a new Hijackthis log please.

#3 zideeq

zideeq
  • Topic Starter

  • Members
  • 7 posts

Posted 28 August 2007 - 10:06 AM

Ok

Edited by zideeq, 29 August 2007 - 04:56 AM.


#4 zideeq

zideeq
  • Topic Starter

  • Members
  • 7 posts

Posted 29 August 2007 - 04:56 AM

System Scan Report:

SystemScan - www.suspectfile.com - ver. 3.2.0

Running on: Windows XP PROFESSIONAL Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS

Date: 29/08/2007
Time: 10:48:45

Output limited to:
-Recent files
-PC accounts
-Hidden objects

===================== Accounts on this PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
| HelpAssistant (Disabled)
| SUPPORT_388945a0 (Disabled)

### users folders

02/05/2007 16:07:29 (DIR) 0 byte 119 days old -- All Users
02/05/2007 16:19:00 (DIR) 0 byte 119 days old -- Default User
02/05/2007 16:22:45 (DIR) 0 byte 119 days old -- NetworkService
02/05/2007 19:45:48 (DIR) 0 byte 119 days old -- LocalService
28/08/2007 15:48:02 (DIR) 0 byte 1 days old -- Administrator

===================== Recent files (60 days old)=====================

----- recent files in C:\
11/08/2007 10:05:10 (DIR) 0 byte 18 days old -- Config.Msi
23/08/2007 12:31:26 (DIR) 0 byte 6 days old -- dell
27/08/2007 23:20:02 (DIR) 0 byte 2 days old -- Temp
28/08/2007 12:25:53 211 byte 1 days old -- boot.ini
28/08/2007 22:29:50 (DIR) 0 byte 1 days old -- Program Files
29/08/2007 08:20:58 (DIR) 0 byte 0 days old -- WINDOWS
29/08/2007 10:41:00 (DIR) 0 byte 0 days old -- !KillBox
29/08/2007 10:44:08 1610612736 byte 0 days old -- pagefile.sys
29/08/2007 10:48:45 (DIR) 0 byte 0 days old -- suspectfile

----- recent files in C:\WINDOWS\
10/07/2007 11:54:40 316640 byte 50 days old -- WMSysPr9.prx
10/07/2007 11:54:47 (DIR) 0 byte 50 days old -- RegisteredPackages
19/07/2007 22:59:56 243 byte 41 days old -- IE4 Error Log.txt
26/07/2007 22:26:30 1122 byte 34 days old -- wmsetup10.log
11/08/2007 10:05:10 (DIR) 0 byte 18 days old -- Installer
12/08/2007 10:47:15 (DIR) 0 byte 17 days old -- Minidump
23/08/2007 12:32:34 0 byte 6 days old -- setuperr.log
23/08/2007 21:41:35 146039 byte 6 days old -- wmsetup.log
27/08/2007 13:39:02 49 byte 2 days old -- NeroDigital.ini
28/08/2007 11:16:47 (DIR) 0 byte 1 days old -- Temp
28/08/2007 11:51:08 (DIR) 0 byte 1 days old -- inf
28/08/2007 12:01:45 (DIR) 0 byte 1 days old -- Downloaded Installations
28/08/2007 12:10:17 (DIR) 0 byte 1 days old -- CSC
28/08/2007 12:25:53 227 byte 1 days old -- system.ini
28/08/2007 12:25:53 634 byte 1 days old -- win.ini
28/08/2007 12:40:47 172107 byte 1 days old -- setupact.log
28/08/2007 12:42:38 (DIR) 0 byte 1 days old -- Tasks
28/08/2007 15:59:11 13312 byte 1 days old -- pbar.dll
28/08/2007 15:59:12 30720 byte 1 days old -- 764.exe
28/08/2007 15:59:13 32000 byte 1 days old -- 7search.dll
28/08/2007 15:59:13 30976 byte 1 days old -- flt.dll
28/08/2007 15:59:14 16640 byte 1 days old -- wml.exe
28/08/2007 15:59:16 20480 byte 1 days old -- absolute key logger.lnk
28/08/2007 15:59:16 29440 byte 1 days old -- vxddsk.exe
28/08/2007 15:59:19 8704 byte 1 days old -- hotporn.exe
28/08/2007 15:59:19 25856 byte 1 days old -- dp0.dll
28/08/2007 15:59:19 21504 byte 1 days old -- ngd.dll
28/08/2007 15:59:20 29440 byte 1 days old -- xxxvideo.exe
28/08/2007 15:59:22 32768 byte 1 days old -- ie_32.exe
28/08/2007 15:59:23 14080 byte 1 days old -- aconti.log
28/08/2007 15:59:23 23552 byte 1 days old -- aconti.exe
28/08/2007 15:59:24 30464 byte 1 days old -- acontidialer.txt
28/08/2007 15:59:28 28416 byte 1 days old -- spredirect.dll
28/08/2007 15:59:29 15872 byte 1 days old -- adbar.dll
28/08/2007 15:59:29 25088 byte 1 days old -- jd2002.dll
28/08/2007 15:59:31 15104 byte 1 days old -- cbinst$.exe
28/08/2007 15:59:31 20480 byte 1 days old -- liqad$.exe
28/08/2007 15:59:32 10496 byte 1 days old -- kkcomp$.exe
28/08/2007 15:59:32 14848 byte 1 days old -- kkcomp.exe
28/08/2007 15:59:32 20480 byte 1 days old -- liqad.exe
28/08/2007 15:59:32 27136 byte 1 days old -- liqad.dll
28/08/2007 15:59:33 27136 byte 1 days old -- kkcomp.dll
28/08/2007 15:59:33 16128 byte 1 days old -- xadbrk_.exe
28/08/2007 15:59:34 31488 byte 1 days old -- xadbrk.exe
28/08/2007 15:59:35 31232 byte 1 days old -- xadbrk.dll
28/08/2007 15:59:35 21760 byte 1 days old -- fhfmm-Uninstaller.exe
28/08/2007 15:59:35 19456 byte 1 days old -- fhfmm.exe
28/08/2007 15:59:36 15872 byte 1 days old -- liqui-Uninstaller.exe
28/08/2007 15:59:36 18432 byte 1 days old -- liqui.exe
28/08/2007 15:59:37 11008 byte 1 days old -- eventlowg.dll
28/08/2007 15:59:37 18688 byte 1 days old -- daxtime.dll
28/08/2007 15:59:37 30976 byte 1 days old -- liqui.dll
28/08/2007 21:03:50 1082 byte 1 days old -- setupapi.log
28/08/2007 22:29:52 20736 byte 1 days old -- iexplorr23.dll
28/08/2007 22:29:53 24064 byte 1 days old -- pbsysie.dll
28/08/2007 22:29:53 18688 byte 1 days old -- wbeInst$.exe
28/08/2007 22:29:53 19456 byte 1 days old -- wbeCheck.exe
28/08/2007 22:29:54 19200 byte 1 days old -- settn.dll
28/08/2007 22:29:54 18688 byte 1 days old -- kvnab$.exe
28/08/2007 22:29:54 16128 byte 1 days old -- kvnab.exe
28/08/2007 22:29:54 22528 byte 1 days old -- hcwprn.exe
28/08/2007 22:29:55 24576 byte 1 days old -- kvnab.dll
29/08/2007 08:20:58 20992 byte 0 days old -- aconti.sdb
29/08/2007 08:20:58 24832 byte 0 days old -- aconti.ini
29/08/2007 08:57:54 18432 byte 0 days old -- winh32.exe
29/08/2007 10:36:21 1671 byte 0 days old -- default.htm
29/08/2007 10:42:45 722 byte 0 days old -- WindowsUpdate.log
29/08/2007 10:44:07 (DIR) 0 byte 0 days old -- system32
29/08/2007 10:45:05 0 byte 0 days old -- 0.log
29/08/2007 10:45:29 112784 byte 0 days old -- ntbtlog.txt

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
01/07/2007 13:09:21 (DIR) 0 byte 59 days old -- Macromed
02/07/2007 20:36:50 124472 byte 58 days old -- DivXCodecUpdateChecker.exe
02/07/2007 20:36:50 12288 byte 58 days old -- DivXWMPExtType.dll
02/07/2007 20:37:25 352401 byte 58 days old -- DivXMedia.ax
02/07/2007 20:37:27 638976 byte 58 days old -- divxdec.ax
02/07/2007 20:37:35 823296 byte 58 days old -- divx_xx0c.dll
02/07/2007 20:37:35 823296 byte 58 days old -- divx_xx07.dll
02/07/2007 20:37:35 740442 byte 58 days old -- DivX.dll
02/07/2007 20:37:35 802816 byte 58 days old -- divx_xx11.dll
02/07/2007 20:37:38 57344 byte 58 days old -- dpv11.dll
02/07/2007 20:37:38 344064 byte 58 days old -- dpus11.dll
02/07/2007 20:37:38 593920 byte 58 days old -- dpuGUI11.dll
02/07/2007 20:37:38 294912 byte 58 days old -- dpu10.dll
02/07/2007 20:37:38 294912 byte 58 days old -- dpu11.dll
02/07/2007 20:37:39 53248 byte 58 days old -- dpuGUI10.dll
02/07/2007 20:37:41 196608 byte 58 days old -- dtu100.dll
02/07/2007 20:37:41 73728 byte 58 days old -- dpl100.dll
02/07/2007 20:41:04 200704 byte 58 days old -- ssldivx.dll
02/07/2007 20:41:04 1044480 byte 58 days old -- libdivx.dll
02/07/2007 20:41:09 39672 byte 58 days old -- vxblock.dll
02/07/2007 20:41:10 116472 byte 58 days old -- pxcpyi64.exe
02/07/2007 20:41:10 118520 byte 58 days old -- pxinsi64.exe
02/07/2007 20:41:13 3596288 byte 58 days old -- qt-dx331.dll
02/07/2007 20:41:16 4816 byte 58 days old -- divxsm.tlb
02/07/2007 20:41:16 524288 byte 58 days old -- DivXsm.exe
03/08/2007 12:00:09 (DIR) 0 byte 26 days old -- Restore
04/08/2007 20:37:19 (DIR) 0 byte 25 days old -- dllcache
28/08/2007 11:46:42 (DIR) 0 byte 1 days old -- GroupPolicy
28/08/2007 11:49:33 (DIR) 0 byte 1 days old -- drivers
28/08/2007 12:10:17 2126 byte 1 days old -- wpa.dbl
28/08/2007 12:42:37 (DIR) 0 byte 1 days old -- 1033
28/08/2007 15:59:14 29696 byte 1 days old -- wml.exe
28/08/2007 15:59:15 28928 byte 1 days old -- vxddsk.exe
28/08/2007 15:59:21 (DIR) 0 byte 1 days old -- acespy
28/08/2007 15:59:28 28928 byte 1 days old -- ESHOPEE.exe
28/08/2007 15:59:37 10240 byte 1 days old -- msole32.exe
28/08/2007 21:03:47 (DIR) 0 byte 1 days old -- CatRoot2
28/08/2007 22:29:51 11520 byte 1 days old -- ace16win.dll
29/08/2007 08:19:52 12 byte 0 days old -- gtv_sd.bin
29/08/2007 08:19:52 92 byte 0 days old -- sznf.ascii
29/08/2007 08:20:27 4 byte 0 days old -- stfv.bin

----- recent files in C:\WINDOWS\system32\drivers\

----- recent files in C:\WINDOWS\temp\
23/08/2007 06:20:50 113 byte 6 days old -- DFC5A2B2.TMP

----- recent files in C:\Program Files\
08/07/2007 18:38:06 (DIR) 0 byte 52 days old -- Trend Micro
09/07/2007 12:36:20 (DIR) 0 byte 51 days old -- DivX
10/07/2007 11:54:48 (DIR) 0 byte 50 days old -- Windows Media Player
10/07/2007 11:55:18 (DIR) 0 byte 50 days old -- Winamp
26/07/2007 22:44:28 (DIR) 0 byte 34 days old -- Riva
31/07/2007 10:50:32 (DIR) 0 byte 29 days old -- SpectralDesign
31/07/2007 10:50:33 (DIR) 0 byte 29 days old -- VstPlugins
31/07/2007 12:30:50 (DIR) 0 byte 29 days old -- Mozilla Firefox
03/08/2007 10:29:59 (DIR) 0 byte 26 days old -- Quick AVI Splitter
04/08/2007 20:12:10 (DIR) 0 byte 25 days old -- Red Kawa
08/08/2007 13:34:58 (DIR) 0 byte 21 days old -- VideoLAN
13/08/2007 12:32:09 (DIR) 0 byte 16 days old -- PQDVD
15/08/2007 21:39:43 (DIR) 0 byte 14 days old -- Common Files
22/08/2007 18:03:22 (DIR) 0 byte 7 days old -- MessengerDiscovery
28/08/2007 12:34:25 (DIR) 0 byte 1 days old -- Eusing Free Registry Cleaner
28/08/2007 15:59:18 (DIR) 0 byte 1 days old -- akl
28/08/2007 15:59:18 (DIR) 0 byte 1 days old -- p2pnetworks
28/08/2007 15:59:27 (DIR) 0 byte 1 days old -- e-zshopper
28/08/2007 22:29:50 (DIR) 0 byte 1 days old -- 3721
28/08/2007 22:29:51 (DIR) 0 byte 1 days old -- Accoona
28/08/2007 22:29:52 (DIR) 0 byte 1 days old -- amsys

----- recent files in C:\Program Files\Common Files\
24/07/2007 22:01:36 (DIR) 0 byte 36 days old -- Microsoft Shared
11/08/2007 10:04:53 (DIR) 0 byte 18 days old -- Symantec Shared
15/08/2007 21:39:43 (DIR) 0 byte 14 days old -- Adobe Systems Shared

----- recent files in C:\Documents and Settings\Administrator\Application Data\
10/07/2007 23:39:14 (DIR) 0 byte 50 days old -- DivX
01/08/2007 17:20:35 (DIR) 0 byte 28 days old -- BearShare
08/08/2007 13:47:03 (DIR) 0 byte 21 days old -- vlc
21/08/2007 18:07:11 (DIR) 0 byte 8 days old -- Azureus
27/08/2007 15:45:38 (DIR) 0 byte 2 days old -- Adobe
27/08/2007 23:40:17 (DIR) 0 byte 2 days old -- Google

----- recent files in C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
28/08/2007 14:29:22 16384 byte 1 days old -- Perflib_Perfdata_ec8.dat
28/08/2007 15:58:00 32768 byte 1 days old -- ~DFB347.tmp
28/08/2007 16:03:01 156 byte 1 days old -- dw.log
28/08/2007 20:19:29 32768 byte 1 days old -- ~DF6DFA.tmp
28/08/2007 20:19:32 32768 byte 1 days old -- ~DF910F.tmp
28/08/2007 21:03:18 32768 byte 1 days old -- ~DF983.tmp
28/08/2007 21:33:30 65536 byte 1 days old -- ~DFA744.tmp
28/08/2007 22:27:45 32768 byte 1 days old -- ~DF7ECF.tmp
28/08/2007 22:28:46 32768 byte 1 days old -- ~DF7007.tmp
28/08/2007 23:20:35 (DIR) 0 byte 1 days old -- MessengerCache
29/08/2007 08:17:58 32768 byte 0 days old -- ~DF379E.tmp
29/08/2007 08:50:08 65536 byte 0 days old -- ~DF8511.tmp
29/08/2007 10:40:59 16384 byte 0 days old -- ~DF9892.tmp
29/08/2007 10:47:40 16384 byte 0 days old -- ~DF4827.tmp
29/08/2007 10:48:46 (DIR) 0 byte 0 days old -- nsu4.tmp

===================== Hidden Objects =====================

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 10:49:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\mad_gang_star@hotmail.com\SharingMetadata\cute_sunnah@hotmail.co.uk\DFSR\Staging\CS{FE09A509-E747-847D-8A36-4B177C6B6BB3}\01\10-{FE09A509-E747-847D-8A36-4B177C6B6BB3}-v1-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\mad_gang_star@hotmail.com\SharingMetadata\cute_sunnah@hotmail.co.uk\DFSR\Staging\CS{FE09A509-E747-847D-8A36-4B177C6B6BB3}\11\11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 21432 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\mad_gang_star@hotmail.com\SharingMetadata\cute_sunnah@hotmail.co.uk\DFSR\Staging\CS{FE09A509-E747-847D-8A36-4B177C6B6BB3}\11\11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1542 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\mad_gang_star@hotmail.com\SharingMetadata\cute_sunnah@hotmail.co.uk\DFSR\Staging\CS{FE09A509-E747-847D-8A36-4B177C6B6BB3}\11\11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-{9B7981E3-6FB2-4A57-8B2F-DFF2150FB07D}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2360 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\zideeq@hotmail.com\SharingMetadata\katz_560@hotmail.com\DFSR\Staging\CS{84DBAA08-775E-6129-815D-20630A34DF30}\01\10-{84DBAA08-775E-6129-815D-20630A34DF30}-v1-{08439FC4-0204-41E6-A7A4-3B93C2ABD72E}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5


===================== Checking Rustock rootkit =====================



==========================================
Scan completed in 4.6 minutes
End of report

HiJack This Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:11, on 29/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu4.tmp\ofbyyykl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EC7C7AA-2372-4AD2-8F0B-A936440F82F4}: NameServer = 194.168.8.100,194.168.4.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EC7C7AA-2372-4AD2-8F0B-A936440F82F4}: NameServer = 194.168.8.100,194.168.4.100
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 2327 bytes

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 05:44 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following blue text inside the quote box below:

Files to delete:
C:\WINDOWS\pbar.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\wml.exe
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.exe
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\spredirect.dll
C:\WINDOWS\adbar.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\liqui.dll
C:\WINDOWS\setupapi.log
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\aconti.sdb
C:\WINDOWS\aconti.ini
C:\WINDOWS\winh32.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\msole32.exe
C:\WINDOWS\ace16win.dll
C:\WINDOWS\gtv_sd.bin
C:\WINDOWS\sznf.ascii
C:\WINDOWS\stfv.bin

Folders to delete:
C:\Program Files\p2pnetworks
C:\Program Files\e-zshopper
C:\Program Files\3721
C:\Program Files\Accoona

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt in your next reply.


Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log.
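The two lists in the replies above were read off the reports by hand: the HijackThis O2 entries to fix are the ones ending in "(no file)" (a BHO registration whose DLL is already gone), and the Avenger delete list is the burst of files the SystemScan "recent files" listing shows being created within the same minute in C:\WINDOWS and system32. The Python below is an added example, not part of this thread or of either tool, that automates that reading. It runs over constructed sample lines laid out like the reports above (not the full reports); the function names, the 60-second burst window and the minimum burst size are my own choices.

```python
"""Triage helpers for the two report formats in this thread: the SystemScan
"recent files" listing and a HijackThis log. Added example, not part of the
thread or of either tool. The sample lines below are constructed to mirror
the layout of the reports posted above; they are not the posted reports."""
import re
from datetime import datetime, timedelta

# Constructed sample in SystemScan's "recent files" layout (a few entries only).
SYSTEMSCAN_SAMPLE = r"""
----- recent files in C:\WINDOWS\
10/07/2007 11:54:40 316640 byte 50 days old -- WMSysPr9.prx
28/08/2007 12:25:53 227 byte 1 days old -- system.ini
28/08/2007 15:59:11 13312 byte 1 days old -- pbar.dll
28/08/2007 15:59:12 30720 byte 1 days old -- 764.exe
28/08/2007 15:59:13 32000 byte 1 days old -- 7search.dll
28/08/2007 15:59:16 20480 byte 1 days old -- absolute key logger.lnk
28/08/2007 21:03:50 1082 byte 1 days old -- setupapi.log
29/08/2007 10:44:07 (DIR) 0 byte 0 days old -- system32

----- recent files in C:\WINDOWS\system32\
28/08/2007 15:59:14 29696 byte 1 days old -- wml.exe
28/08/2007 15:59:37 10240 byte 1 days old -- msole32.exe
"""

# Constructed sample HijackThis lines in the same layout as the log above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EC7C7AA-2372-4AD2-8F0B-A936440F82F4}: NameServer = 194.168.8.100,194.168.4.100
"""

SECTION_RE = re.compile(r"^----- recent files in (.+)$")
ENTRY_RE = re.compile(
    r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d) (\(DIR\) )?(\d+) byte (\d+) days old -- (.+)$"
)


def parse_systemscan(text):
    """Return one dict per file/folder entry, with the directory it was listed under."""
    entries, current_dir = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current_dir = sec.group(1)  # ends with a backslash in this format
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue
        date, time, is_dir, size, _age, name = m.groups()
        entries.append({
            "path": current_dir + name,
            "ts": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"),
            "size": int(size),
            "is_dir": is_dir is not None,
        })
    return entries


def find_bursts(entries, window=timedelta(seconds=60), min_count=3):
    """Group files (not folders) whose creation time is within `window` of the
    previous file's; bursts of `min_count` or more are the dropper pattern the
    helper used to build the delete list (many files written in one minute)."""
    files = sorted((e for e in entries if not e["is_dir"]), key=lambda e: e["ts"])
    bursts, current = [], []
    for e in files:
        if current and e["ts"] - current[-1]["ts"] > window:
            if len(current) >= min_count:
                bursts.append([x["path"] for x in current])
            current = []
        current.append(e)
    if len(current) >= min_count:
        bursts.append([x["path"] for x in current])
    return bursts


HJT_RE = re.compile(r"^([RO]\d+) - (.*)$")


def flag_hjt(text):
    """Flag HijackThis entries worth a second look: O2 BHOs whose DLL is gone
    (orphaned registrations, safe to fix) and O17 NameServer overrides (confirm
    the listed DNS servers really are the ISP's before leaving them in place)."""
    findings = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphaned BHO registration, file missing", body))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].strip()
            findings.append((section, f"DNS override, verify servers: {servers}", body))
    return findings


if __name__ == "__main__":
    for burst in find_bursts(parse_systemscan(SYSTEMSCAN_SAMPLE)):
        print(f"{len(burst)} files created within a minute of each other:")
        for path in burst:
            print("  ", path)
    for section, note, body in flag_hjt(HJT_SAMPLE):
        print(f"{section}: {note}\n   {body}")
```

Entries from different directories are merged before sorting, which is what makes the burst visible: in the thread the same dropper wrote into both C:\WINDOWS and C:\WINDOWS\system32 at 15:59. The burst output is a starting point for a delete list, not a verdict; each path still needs a look before it goes into a script like the Avenger one above.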

#6 zideeq

zideeq
  • Topic Starter

  • Members
  • 7 posts

Posted 29 August 2007 - 06:46 AM

Ok I got up to the point where I used Smitfraud Remover while I was waiting for a reply LOL.

So I used it, then downloaded AVG Antispyware and did a reg clean, and now everything is looking well!! :thumbsup:

Thanks for the help, really appreciate it! Now I can finally get back to making music!!

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 August 2007 - 07:09 AM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.