
Rootkit Issues :adware.chiem.b


27 replies to this topic

#1 petri dish

petri dish

  • Banned
  • 22 posts
  • OFFLINE
  • Local time:11:42 PM

Posted 10 September 2007 - 03:30 AM

HELP!!! I have been fighting this infection for months now, and I mean day and night... finally decided to give up!!! Someone please solve this...

I am using a dual boot: Win 98SE [C:] / Win XP SP2+ [D: (infected)]

(((( General issues ))))

Slow startup, unstable system, unreliable erratic mouse (partial system user hijacked, Control Panel in user hijacked... however Administrator and Safe Mode work properly), most A.V. don't work, hang or do not update.

(((( The Norton issues ))))

Also had installed Norton long back, so had the RECYCLER left behind; downloaded the removal tool, but the RECYCLER refuses to go and comes back after every delete.
RECYCLER contains file: s-1-5-21-1417001333-1450960922-8392-22115-1003
Also, persistent D:\windows\TEMP: Perflib_Perfdata_6c8.dat

P.S.: had followed this link http://forum.malwareremoval.com/viewtopic.php?p=200182
but could not delete temp files.



(((( AVG ))))

| file | result | path |
| hosts | change | D:\windows\system32\drivers\etc\hosts |

(((( Uniblue ))))

Uniblue (persistent errors):
Spy Eraser:
1) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\qksrv.net\\
2) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\links senergy.com\\
3) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.net\\
4) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\commission-junction.com\\
5) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com\\
6) HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.com\\

Detected as: ADWARE.CHIEM.B


(((( Sophos rootkit scan ))))

Hidden registry values:

\HKEY_USERS\S-1-5-18\software\Microsoft\MediaPlayer\setup\CreatedLinks\Shortcut0
\HKEY_USERS\S-1-5-18\software\Microsoft\MediaPlayer\setup\CreatedLinks\Shortcut1
\HKEY_USERS\S-1-5-18\software\Microsoft\MediaPlayer\Prefrences\LastPlaylist
\HKEY_USERS\S-1-5-18\software\Microsoft\WindowsMedia\WMSDK\GenralVolumeSerialNumber
\HKEY_USERS\S-1-5-18\software\Microsoft\WindowsMedia\WMSDK\NameSpace\Localdeta
\HKEY_USERS\S-1-5-18\software\Microsoft\WindowsMedia\WMSDK\Namespace\RemoteDelta

(((( My HJT log ))))

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:06 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908907968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908881640
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O23 - Service: 021086AB - Unknown owner - D:\WINDOWS\system32\021086AB.exe
O23 - Service: 36CE37A0 - Unknown owner - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7129 bytes

P.S.: also worth a mention... was infected with 1) Dp Trojan
unique code-6Q5SS ............... (SpySweeper)

2)Active Key Logger_02_09_2007_04
12.asq41
These infections aren't showing any signs, so I am assuming for the moment they are
gone... but it could just be the rootkit.
Happy virus hunting... over to you ;)
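The HijackThis log above is the kind of thing a helper reads line by line, looking first at the O6 policy restrictions (which match the "Control Panel hijacked" symptom), the O17 static DNS servers and the O23 services with an unknown owner and an eight-hex-digit name or no backing file. The script below is an added example, not code from the thread, from BleepingComputer or from HijackThis; it parses lines in HJT's format and returns the entries a helper would want to review. SAMPLE_LOG is constructed from the kinds of entries in this log, and the flagging rules and wording are my own.

```python
"""Triage a HijackThis (HJT) log for the entry types a malware-removal helper checks first.

Added example: this is not code from the thread, from BleepingComputer or from
HijackThis. SAMPLE_LOG below is constructed from the kinds of lines that appear
in the thread's own log; the flagging rules and the wording of the findings are
my own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HJT's one-entry-per-line format.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O23 - Service: 021086AB - Unknown owner - D:\WINDOWS\system32\021086AB.exe
O23 - Service: 36CE37A0 - Unknown owner - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O23"
    reason: str  # why a helper would look at this line
    line: str    # the original log line


HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O23_BODY = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_BODY = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
HEX_NAME = re.compile(r"^[0-9A-F]{8}$")  # eight hex digits, the shape of 021086AB / 36CE37A0


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an entry worth a second look, or None for anything else."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O6":
        # IE policy restrictions are user-level lockdowns; adware sets them to hinder cleanup.
        return Finding(kind, "IE policy restriction present (user-level lockdown)", line)

    if kind == "O17":
        s = O17_BODY.search(body)
        if s:
            # Static resolvers are not malicious by themselves: the verdict needs a check
            # against the ISP's published servers, which this offline script cannot do.
            return Finding(kind, f"static DNS servers {s.group('servers')}: verify against the ISP", line)

    if kind == "O23":
        s = O23_BODY.match(body)
        if s and s.group("owner") == "Unknown owner":
            name, path = s.group("name"), s.group("path")
            if path == "(no file)":
                return Finding(kind, f"service {name} has no backing file (orphaned entry)", line)
            if HEX_NAME.match(name):
                # Some scanners also create short-lived hex-named services, so this is a
                # review prompt, not a verdict.
                return Finding(kind, f"service {name} has a random hex name and unknown owner", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole HJT log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}")
```

Run it on a saved hijackthis.log by passing the file's text to `triage()`; the script deliberately returns review prompts rather than verdicts, because an O17 entry is only wrong if the servers are not the ISP's and a hex-named O23 service can also be a scanner's temporary driver.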


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:07:12 PM

Posted 10 September 2007 - 09:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, petri dish :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts
  • OFFLINE
  • Local time:11:42 PM

Posted 10 September 2007 - 10:40 AM

Hey, thanks for the speedy reply :thumbsup:


Here's your SDFix report:



SDFix: Version 1.103

Run by Administrator on Mon 09/10/2007 at 08:30 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File



And the ComboFix:


ComboFix 07-09-10.6 - "hemant" 2007-09-10 20:52:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.155 [GMT 5.5:30]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\DOCUME~1\hemant\APPLIC~1\install.dat


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-10 20:51 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-09-10 20:33 1,331 --a------ D:\DOCUME~1\HEMANT~1.COM\clean.reg
2007-09-10 20:28 <DIR> d-------- D:\WINDOWS\ERUNT
2007-09-09 11:55 6,656 --a------ D:\WINDOWS\system32\021086AB.exe
2007-09-09 05:17 290 --a------ D:\WINDOWS\fix.reg
2007-09-06 20:55 <DIR> d--h----- D:\WINDOWS\system32\GroupPolicy
2007-09-05 22:51 <DIR> d-------- D:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot
2007-09-05 22:51 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Webroot
2007-09-05 22:47 23,864 --a------ D:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-05 22:47 21,816 --a------ D:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-05 22:47 20,280 --a------ D:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-05 22:47 163,128 --a------ D:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-05 22:47 1,521,464 --a------ D:\WINDOWS\WRSetup.dll
2007-09-05 22:47 <DIR> d-------- D:\Program Files\Webroot
2007-09-05 22:47 <DIR> d-------- D:\DOCUME~1\LOCALS~1.000\APPLIC~1\Webroot
2007-09-05 22:47 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Webroot
2007-09-05 22:40 164 --a------ D:\install.dat
2007-09-05 20:13 <DIR> d-------- D:\!KillBox
2007-09-05 18:36 <DIR> d-------- D:\Program Files\Sana Security
2007-09-05 17:16 <DIR> d-------- D:\Program Files\Sophos
2007-09-05 04:49 3,968 --a------ D:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-04 10:04 <DIR> d-------- D:\Program Files\Lavasoft
2007-09-04 10:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-09-04 01:24 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\SecurityScans
2007-09-01 23:58 <DIR> d-------- D:\Program Files\Uniblue
2007-09-01 23:58 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Uniblue
2007-09-01 04:02 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Help
2007-09-01 00:20 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Google
2007-08-31 23:48 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-08-31 01:23 76,560 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-30 23:14 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Ahead
2007-08-30 22:35 306,688 --a------ D:\WINDOWS\IsUninst.exe
2007-08-28 03:21 <DIR> d-------- D:\Program Files\Turtle Odyssey 2
2007-08-28 03:05 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ScreenSeven
2007-08-27 07:07 <DIR> d-------- D:\Program Files\Professor Fizzwizzle And The Molten Mystery
2007-08-27 06:50 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\ScreenSeven
2007-08-27 06:49 <DIR> d-------- D:\Program Files\VIVA MEDIA
2007-08-27 06:49 <DIR> d-------- D:\Program Files\OXXOGames
2007-08-27 01:54 <DIR> d-------- D:\Program Files\Alawar
2007-08-27 00:35 <DIR> d-------- D:\Program Files\War Chess
2007-08-27 00:35 <DIR> d-------- D:\Program Files\ReflexiveArcade
2007-08-26 02:00 <DIR> d-------- D:\DOCUME~1\HEMANT~1\LOCALS~1
2007-08-25 20:44 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Trymedia
2007-08-25 20:43 <DIR> d-------- D:\Program Files\Master of Defense
2007-08-25 20:43 <DIR> d-------- D:\Program Files\BFG
2007-08-25 16:28 <DIR> d-a------ D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-08-24 11:27 <DIR> d-------- D:\quest for camelot
2007-08-24 02:34 380,928 --a------ D:\WINDOWS\system32\srkey.exe
2007-08-22 03:09 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\HouseCall 6.6
2007-08-22 02:26 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\DoctorWeb
2007-08-18 15:26 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\ieSpell
2007-08-16 10:45 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Comodo
2007-08-16 10:26 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Comodo
2007-08-16 10:21 <DIR> d-------- D:\Program Files\Comodo
2007-08-16 09:52 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2007-08-15 23:04 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-08-15 23:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-15 17:08 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-08-15 10:11 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-08-15 00:01 118,784 --a------ D:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-15 00:01 <DIR> d-------- D:\Program Files\SpywareBlaster
2007-08-13 11:54 <DIR> d-------- D:\Program Files\FLV Player
2007-08-13 11:54 <DIR> d-------- D:\Program Files\Common Files\SWF Studio
2007-08-11 08:20 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\.housecall6.6
2007-08-10 16:28 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SRS Labs
2007-08-10 16:24 <DIR> d-------- D:\Program Files\SoundSpectrum
2007-08-10 16:12 204,800 --a------ D:\WINDOWS\system32\lsvxdec.dll
2007-08-10 16:12 <DIR> d-------- D:\Program Files\Espre
2007-08-10 11:28 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 20:58 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Orbit
2007-09-10 20:52 0 d-------- D:\WINDOWS\system32\drivers\???????
2007-09-09 22:48 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\uTorrent
2007-09-09 21:26 --------- d-------- D:\Program Files\Trend Micro
2007-09-08 22:07 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\AdobeUM
2007-09-08 03:20 --------- d-------- D:\Program Files\QuickTime
2007-09-04 10:00 --------- d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 00:18 --------- d-------- D:\Program Files\Winamp
2007-09-02 00:18 --------- d-------- D:\Program Files\ratDVD
2007-09-02 00:18 --------- d-------- D:\Program Files\LimeWire
2007-09-02 00:18 --------- d-------- D:\Program Files\JAlbum
2007-09-02 00:18 --------- d-------- D:\Program Files\ieSpell
2007-09-02 00:18 --------- d-------- D:\Program Files\DivX
2007-09-02 00:18 --------- d-------- D:\Program Files\AC3Filter
2007-09-01 18:53 --------- d--h----- D:\Program Files\InstallShield Installation Information
2007-09-01 02:08 --------- d-------- D:\Program Files\Google
2007-08-30 23:05 --------- d-------- D:\Program Files\Ahead
2007-08-30 15:32 --------- d-------- D:\Program Files\Orbitdownloader
2007-08-26 02:01 --------- d-------- D:\Program Files\Real
2007-08-14 09:38 --------- d-------- D:\Program Files\Windows Live Safety Center
2007-08-11 00:30 --------- d-------- D:\Program Files\XP Repair Pro 2007
2007-08-07 13:58 8320 --a------ D:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ D:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-04 01:32 --------- d-------- D:\Program Files\Return to Castle Wolfenstein
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ D:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ D:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ D:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ D:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ D:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ D:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ D:\WINDOWS\system32\muweb.dll
2007-07-26 01:03 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Apple Computer
2007-07-24 09:47 --------- d-------- D:\Program Files\Apple Software Update
2007-07-24 09:47 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer
2007-07-24 09:47 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-07-16 05:55 28400 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
2007-07-13 23:54 --------- d-------- D:\Program Files\Combined Community Codec Pack
2007-07-13 22:38 359808 --a------ D:\WINDOWS\system32\drivers\tcpip.sys
2007-07-11 14:37 6272 --a------ D:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-11 03:48 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-11 03:48 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2007-07-10 16:03 --------- d-------- D:\Program Files\Microsoft IntelliType Pro
2007-07-10 16:03 --------- d-------- D:\Program Files\Microsoft IntelliPoint
2007-06-26 11:38 1104896 --a------ D:\WINDOWS\system32\msxml3.dll
2007-06-19 19:01 282112 --a------ D:\WINDOWS\system32\gdi32.dll
2007-06-13 15:53 1033216 --a------ D:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 19:12 D:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="D:\WINDOWS\System32\igfxtray.exe" [2003-03-11 07:54]
"HotKeysCmds"="D:\WINDOWS\System32\hkcmd.exe" [2003-03-11 07:41]
"type32"="D:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 14:21]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 14:20]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 09:53]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-09-08 03:20]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:26]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 21:25]
"Uniblue SpeedUpMyPC"="D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-05-23 14:03]
"Uniblue SpyEraser"="D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-08-27 08:57]
"Uniblue RegistryBooster2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18]

D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Orbit.lnk - D:\Program Files\Orbitdownloader\orbitdm.exe [2007-07-20 21:31:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=1 (0x1)
"DisableLockWorkstation"=1 (0x1)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;D:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 dmsmbios;dmsmbios;\??\D:\WINDOWS\System32\dmsmbios.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 MQAC;Message Queuing access control;\??\D:\WINDOWS\System32\drivers\mqac.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;D:\WINDOWS\system32\DRIVERS\point32.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\D:\WINDOWS\System32\drivers\RMCast.sys
S2 MSMQ;Message Queuing;D:\WINDOWS\System32\mqsvc.exe
S2 MSMQTriggers;Message Queuing Triggers;D:\WINDOWS\System32\mqtgsvc.exe
S3 021086AB;021086AB;D:\WINDOWS\system32\021086AB.exe
S3 chkproc1;chkproc1;\??\F:\inst\A.V\anti rootkits\New Folder\Helios\chkproc.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\D:\WINDOWS\system32\1.tmp
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);D:\WINDOWS\system32\drivers\srs_sscfilter.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-04 03:37:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-01 18:46:36 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-01 18:46:34 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-04 10:00:34 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-09-09 20:30:01 D:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:27:48 D:\WINDOWS\Tasks\wrSpySweeper_L839459EBFA0144749C797320F4AECA51.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:27:56 D:\WINDOWS\Tasks\wrSpySweeper_LA302B9CBFD9F4FB3B10C7B05DE4B0C08.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:28:06 D:\WINDOWS\Tasks\wrSpySweeper_LEE27FDE149154B1292FB0AF740748F87.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 20:56:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 20:59:36 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-09-10 20:59
.
--- E O F ---

Edited by petri dish, 10 September 2007 - 11:13 AM.
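In the ComboFix output above, the "Reg Loading Points" section shows "DisableChangePassword"=1 and "DisableLockWorkstation"=1 under HKCU\...\policies\system, which is what the lockdown symptoms in the first post look like in a log. The script below is an added example, not ComboFix code and not from the thread; it parses that section's `[key]` / `"name"=value` layout and lists the known lockdown policies that are set. SAMPLE is constructed in the shape of this log, and LOCKDOWN_VALUES is my own list of well-known Policies\System and Policies\Explorer value names, two of which appear in the log.

```python
"""List the user-lockdown policy values in a ComboFix "Reg Loading Points" section.

Added example: not ComboFix code and not from the thread. SAMPLE is constructed
in the shape of the thread's ComboFix output; LOCKDOWN_VALUES is my own list of
well-known Policies\System / Policies\Explorer values that take functionality
away from the user (two of them appear in the thread's log).
"""
import re
from typing import Dict, List, Tuple

LOCKDOWN_VALUES = {
    "DisableChangePassword", "DisableLockWorkstation",   # both set to 1 in the thread's log
    "DisableTaskMgr", "DisableRegistryTools",            # Policies\System
    "NoControlPanel", "NoRun", "NoFolderOptions",        # Policies\Explorer
}

# Constructed sample in the layout ComboFix uses for its Reg Loading Points section.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=1 (0x1)
"DisableLockWorkstation"=1 (0x1)
"DisableTaskMgr"=0 (0x0)
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] block to {value name: raw value text as ComboFix printed it}."""
    out: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group("key")
            out.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            out[current][m.group("name")] = m.group("val")
    return out


def lockdown_policies(text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, raw value) for every known lockdown policy set to a non-zero value."""
    hits = []
    for key, values in parse_reg_loading_points(text).items():
        if "\\policies\\" not in key.lower():
            continue
        for name, val in values.items():
            # ComboFix prints DWORDs as "1 (0x1)"; the first token is the decimal value.
            if name in LOCKDOWN_VALUES and val.split()[0] != "0":
                hits.append((key, name, val))
    return hits


if __name__ == "__main__":
    for key, name, val in lockdown_policies(SAMPLE):
        print(f"{name} = {val}  under {key}")
```

Feed it the text of ComboFix.txt to get the list; a value of 0 is ignored because ComboFix only prints non-default entries, so a 0 here is an explicit "not restricted".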


#4 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts
  • OFFLINE
  • Local time:11:42 PM

Posted 10 September 2007 - 11:06 AM

Hey, sorry, that was supposed to be a smiley in the previous post... thought it was smiling with its eyes closed. Just ended up giving a totally wrong meaning to it all... oops, sorry again!!! :thumbsup: cheers mate...
Anyway:
Just realised I had run the previous scans as Administrator; now tried the same as hemant (infected admin user), so posting them...

Here goes your SDFix:
SDFix: Version 1.103

Run by hemant on Mon 09/10/2007 at 09:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File


And your ComboFix:
ComboFix 07-09-10.6 - "hemant" 2007-09-10 21:22:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT 5.5:30]
.

((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-10 20:51 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-09-10 20:33 1,331 --a------ D:\DOCUME~1\HEMANT~1.COM\clean.reg
2007-09-10 20:28 <DIR> d-------- D:\WINDOWS\ERUNT
2007-09-09 11:55 6,656 --a------ D:\WINDOWS\system32\021086AB.exe
2007-09-09 05:17 290 --a------ D:\WINDOWS\fix.reg
2007-09-06 20:55 <DIR> d--h----- D:\WINDOWS\system32\GroupPolicy
2007-09-05 22:51 <DIR> d-------- D:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot
2007-09-05 22:51 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Webroot
2007-09-05 22:47 23,864 --a------ D:\WINDOWS\system32\drivers\sskbfd.sys
2007-09-05 22:47 21,816 --a------ D:\WINDOWS\system32\drivers\sshrmd.sys
2007-09-05 22:47 20,280 --a------ D:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-09-05 22:47 163,128 --a------ D:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-05 22:47 1,521,464 --a------ D:\WINDOWS\WRSetup.dll
2007-09-05 22:47 <DIR> d-------- D:\Program Files\Webroot
2007-09-05 22:47 <DIR> d-------- D:\DOCUME~1\LOCALS~1.000\APPLIC~1\Webroot
2007-09-05 22:47 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Webroot
2007-09-05 22:40 164 --a------ D:\install.dat
2007-09-05 20:13 <DIR> d-------- D:\!KillBox
2007-09-05 18:36 <DIR> d-------- D:\Program Files\Sana Security
2007-09-05 17:16 <DIR> d-------- D:\Program Files\Sophos
2007-09-05 04:49 3,968 --a------ D:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-04 10:04 <DIR> d-------- D:\Program Files\Lavasoft
2007-09-04 10:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-09-04 01:24 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\SecurityScans
2007-09-01 23:58 <DIR> d-------- D:\Program Files\Uniblue
2007-09-01 23:58 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Uniblue
2007-09-01 04:02 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Help
2007-09-01 00:20 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Google
2007-08-31 23:48 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-08-31 01:23 76,560 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-30 23:14 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Ahead
2007-08-30 22:35 306,688 --a------ D:\WINDOWS\IsUninst.exe
2007-08-28 03:21 <DIR> d-------- D:\Program Files\Turtle Odyssey 2
2007-08-28 03:05 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\ScreenSeven
2007-08-27 07:07 <DIR> d-------- D:\Program Files\Professor Fizzwizzle And The Molten Mystery
2007-08-27 06:50 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\ScreenSeven
2007-08-27 06:49 <DIR> d-------- D:\Program Files\VIVA MEDIA
2007-08-27 06:49 <DIR> d-------- D:\Program Files\OXXOGames
2007-08-27 01:54 <DIR> d-------- D:\Program Files\Alawar
2007-08-27 00:35 <DIR> d-------- D:\Program Files\War Chess
2007-08-27 00:35 <DIR> d-------- D:\Program Files\ReflexiveArcade
2007-08-26 02:00 <DIR> d-------- D:\DOCUME~1\HEMANT~1\LOCALS~1
2007-08-25 20:44 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Trymedia
2007-08-25 20:43 <DIR> d-------- D:\Program Files\Master of Defense
2007-08-25 20:43 <DIR> d-------- D:\Program Files\BFG
2007-08-25 16:28 <DIR> d-a------ D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-08-24 11:27 <DIR> d-------- D:\quest for camelot
2007-08-24 02:34 380,928 --a------ D:\WINDOWS\system32\srkey.exe
2007-08-22 03:09 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\HouseCall 6.6
2007-08-22 02:26 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\DoctorWeb
2007-08-18 15:26 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\ieSpell
2007-08-16 10:45 <DIR> d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Comodo
2007-08-16 10:26 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Comodo
2007-08-16 10:21 <DIR> d-------- D:\Program Files\Comodo
2007-08-16 09:52 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2007-08-15 23:04 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-08-15 23:04 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-15 17:08 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-08-15 10:11 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-08-15 00:01 118,784 --a------ D:\WINDOWS\system32\MSSTDFMT.DLL
2007-08-15 00:01 <DIR> d-------- D:\Program Files\SpywareBlaster
2007-08-13 11:54 <DIR> d-------- D:\Program Files\FLV Player
2007-08-13 11:54 <DIR> d-------- D:\Program Files\Common Files\SWF Studio
2007-08-11 08:20 <DIR> d-------- D:\DOCUME~1\ADMINI~1.COM\.housecall6.6
2007-08-10 16:28 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SRS Labs
2007-08-10 16:24 <DIR> d-------- D:\Program Files\SoundSpectrum
2007-08-10 16:12 204,800 --a------ D:\WINDOWS\system32\lsvxdec.dll
2007-08-10 16:12 <DIR> d-------- D:\Program Files\Espre
2007-08-10 11:28 <DIR> d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 21:22 0 d-------- D:\WINDOWS\system32\drivers\???????
2007-09-10 21:20 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Orbit
2007-09-09 22:48 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\uTorrent
2007-09-09 21:26 --------- d-------- D:\Program Files\Trend Micro
2007-09-08 22:07 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\AdobeUM
2007-09-08 03:20 --------- d-------- D:\Program Files\QuickTime
2007-09-04 10:00 --------- d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 00:18 --------- d-------- D:\Program Files\Winamp
2007-09-02 00:18 --------- d-------- D:\Program Files\ratDVD
2007-09-02 00:18 --------- d-------- D:\Program Files\LimeWire
2007-09-02 00:18 --------- d-------- D:\Program Files\JAlbum
2007-09-02 00:18 --------- d-------- D:\Program Files\ieSpell
2007-09-02 00:18 --------- d-------- D:\Program Files\DivX
2007-09-02 00:18 --------- d-------- D:\Program Files\AC3Filter
2007-09-01 18:53 --------- d--h----- D:\Program Files\InstallShield Installation Information
2007-09-01 02:08 --------- d-------- D:\Program Files\Google
2007-08-30 23:05 --------- d-------- D:\Program Files\Ahead
2007-08-30 15:32 --------- d-------- D:\Program Files\Orbitdownloader
2007-08-26 02:01 --------- d-------- D:\Program Files\Real
2007-08-14 09:38 --------- d-------- D:\Program Files\Windows Live Safety Center
2007-08-11 00:30 --------- d-------- D:\Program Files\XP Repair Pro 2007
2007-08-07 13:58 8320 --a------ D:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ D:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-04 01:32 --------- d-------- D:\Program Files\Return to Castle Wolfenstein
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ D:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ D:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ D:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ D:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ D:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ D:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ D:\WINDOWS\system32\muweb.dll
2007-07-26 01:03 --------- d-------- D:\DOCUME~1\HEMANT~1.COM\APPLIC~1\Apple Computer
2007-07-24 09:47 --------- d-------- D:\Program Files\Apple Software Update
2007-07-24 09:47 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer
2007-07-24 09:47 --------- d-------- D:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-07-16 05:55 28400 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
2007-07-13 23:54 --------- d-------- D:\Program Files\Combined Community Codec Pack
2007-07-13 22:38 359808 --a------ D:\WINDOWS\system32\drivers\tcpip.sys
2007-07-11 14:37 6272 --a------ D:\WINDOWS\system32\drivers\AWRTPD.sys
2007-07-11 03:48 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-11 03:48 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2007-07-10 16:03 --------- d-------- D:\Program Files\Microsoft IntelliType Pro
2007-07-10 16:03 --------- d-------- D:\Program Files\Microsoft IntelliPoint
2007-06-26 11:38 1104896 --a------ D:\WINDOWS\system32\msxml3.dll
2007-06-19 19:01 282112 --a------ D:\WINDOWS\system32\gdi32.dll
2007-06-13 15:53 1033216 --a------ D:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_205910.12 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 5,566,464 2007-09-10 15:44:20 D:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 172,032 2007-09-10 15:44:20 D:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 223,448 2007-09-10 15:49:24 D:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-09-10 15:49:24 D:\WINDOWS\Temp\Perflib_Perfdata_640.dat
.
----a-w 3,194,880 2007-09-10 14:59:30 D:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 143,360 2007-09-10 14:59:30 D:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 223,453 2007-09-10 15:26:35 D:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 19:12 D:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="D:\WINDOWS\System32\igfxtray.exe" [2003-03-11 07:54]
"HotKeysCmds"="D:\WINDOWS\System32\hkcmd.exe" [2003-03-11 07:41]
"type32"="D:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 14:21]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 14:20]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-17 09:53]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-09-08 03:20]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:26]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 21:25]
"Uniblue SpeedUpMyPC"="D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-05-23 14:03]
"Uniblue SpyEraser"="D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-08-27 08:57]
"Uniblue RegistryBooster2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18]

D:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Orbit.lnk - D:\Program Files\Orbitdownloader\orbitdm.exe [2007-07-20 21:31:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=1 (0x1)
"DisableLockWorkstation"=1 (0x1)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;D:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 dmsmbios;dmsmbios;\??\D:\WINDOWS\System32\dmsmbios.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 MQAC;Message Queuing access control;\??\D:\WINDOWS\System32\drivers\mqac.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;D:\WINDOWS\system32\DRIVERS\point32.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\D:\WINDOWS\System32\drivers\RMCast.sys
S2 MSMQ;Message Queuing;D:\WINDOWS\System32\mqsvc.exe
S2 MSMQTriggers;Message Queuing Triggers;D:\WINDOWS\System32\mqtgsvc.exe
S3 021086AB;021086AB;D:\WINDOWS\system32\021086AB.exe
S3 chkproc1;chkproc1;\??\F:\inst\A.V\anti rootkits\New Folder\Helios\chkproc.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\D:\WINDOWS\system32\1.tmp
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);D:\WINDOWS\system32\drivers\srs_sscfilter.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-04 03:37:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-01 18:46:36 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-01 18:46:34 D:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-04 10:00:34 D:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-09-09 20:30:01 D:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:27:48 D:\WINDOWS\Tasks\wrSpySweeper_L839459EBFA0144749C797320F4AECA51.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:27:56 D:\WINDOWS\Tasks\wrSpySweeper_LA302B9CBFD9F4FB3B10C7B05DE4B0C08.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
"2007-09-05 23:28:06 D:\WINDOWS\Tasks\wrSpySweeper_LEE27FDE149154B1292FB0AF740748F87.job"
- D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 21:24:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 21:25:31
D:\ComboFix-quarantined-files.txt ... 2007-09-10 21:25
D:\ComboFix2.txt ... 2007-09-10 20:59
.
--- E O F ---

Just in case you find any difference.

Edited by petri dish, 10 September 2007 - 11:19 AM.


#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 10 September 2007 - 12:57 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up KillBox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
D:\WINDOWS\system32\021086AB.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

Copy and paste the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
sc stop 021086AB
sc stop 36CE37A0
sc delete 021086AB
sc delete 36CE37A0

Restart your pc.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following if still present, by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O23 - Service: 021086AB - Unknown owner - D:\WINDOWS\system32\021086AB.exe
O23 - Service: 36CE37A0 - Unknown owner - (no file)

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.

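As an added example (not RichieUK's code and not part of HijackThis), the triage reasoning behind the two O23 entries above, scripted over constructed sample lines: an O23 service line is parsed and flagged when its owner is unknown, its file is missing, its service name is an 8-hex-character string, or its binary is a hex-named executable sitting directly in system32.

```python
"""Triage helper for HijackThis-style O23 (service) log lines.

Added example, not code from this thread or from HijackThis. It scripts the
check a responder applies by eye: an O23 entry with an unknown owner, an
8-hex-character service name, and a binary dropped straight into system32
is worth stopping, deleting and scanning for.
"""
import re
from dataclasses import dataclass, field

# O23 - Service: <display name> (<short name>) - <owner> - <path>
# The short name in parentheses is optional; HijackThis omits it when it
# equals the display name, as in the two entries from this thread.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)
# Service/file names such as 021086AB or 36CE37A0: exactly eight hex digits.
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


@dataclass
class ServiceEntry:
    display: str
    short: str
    owner: str
    path: str
    flags: list = field(default_factory=list)


def parse_o23(line: str):
    """Parse one O23 line; return None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    short = m.group("short") or m.group("display")
    return ServiceEntry(m.group("display"), short, m.group("owner"), m.group("path"))


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach a flag for each suspicious trait seen in this thread's entries."""
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown-owner")
    if entry.path.strip().lower() == "(no file)":
        entry.flags.append("no-file")          # orphaned service registration
    if HEX_NAME_RE.match(entry.short):
        entry.flags.append("hex-name")         # auto-generated-looking name
    # Executable placed directly in system32 and itself named with hex digits.
    m = re.search(r"\\system32\\([^\\]+)\.exe$", entry.path, re.IGNORECASE)
    if m and HEX_NAME_RE.match(m.group(1)):
        entry.flags.append("hex-exe-in-system32")
    return entry


def suspicious_services(log_lines):
    """Return the triaged O23 entries that carry at least one flag."""
    out = []
    for line in log_lines:
        e = parse_o23(line)
        if e is None:
            continue
        triage(e)
        if e.flags:
            out.append(e)
    return out


# Constructed sample: the two entries RichieUK asked to fix, a vendor-owned
# service for contrast, and a non-O23 line that the parser must skip.
SAMPLE_LOG = [
    "O23 - Service: 021086AB - Unknown owner - D:\\WINDOWS\\system32\\021086AB.exe",
    "O23 - Service: 36CE37A0 - Unknown owner - (no file)",
    "O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - "
    "D:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe",
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",
]

if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_LOG):
        print(e.short, e.flags)
```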

#6 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 10 September 2007 - 09:57 PM

Okay Richie, done that.
Didn't find any of the entries you mentioned earlier in HJT; here's your log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:44 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1417001333-1450960922-839522115-1003\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'hemant')
O4 - HKUS\S-1-5-21-1417001333-1450960922-839522115-1003\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (User 'hemant')
O4 - HKUS\S-1-5-21-1417001333-1450960922-839522115-1003\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User 'hemant')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908907968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908881640
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6609 bytes

P.S.: Also thought I would mention that HJT hung on the first attempt. Error detail:

an unexpected error has occured at procedure:modMain_ChekotherItem()
error#70-permission denied
windowsNT 5.01.26.0
MSIE Version:7.0.5730.11
Hijack This Version :2.0.2

So I reinstalled it and ran a scan.

Also, bad news on the SuperAntiSpyware front: I did scan the computer and it identified 4 infections, 2 of which were cookies, but there's no log file under Statistics. Also had to update the virus definitions three times, even though it was updated successfully the first time around, and it didn't start up after reboot; I had to start it manually, which is when it asked for an update for the third time.

So I am going to try doing it all over again from the start, just in case I had missed something.
Also, RECYCLER and the temp files are still there:
Perflib_Perfdata_620.dat
Perflib_Perfdata_634.dat

Edited by petri dish, 11 September 2007 - 12:55 AM.


#7 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 10 September 2007 - 10:51 PM

Hey, just one question: are all the steps from start to end in Safe Mode, or only
step 1: "In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script."

#8 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 10 September 2007 - 11:47 PM

Okay, did it all over again, the third time, and got it right; guess 3 is my lucky number. I think I had forgotten to reboot after the bat file execution... sorry about that.
So here's the SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/11/2007 at 10:08 AM

Application Version : 3.9.1008

Core Rules Database Version : 3303
Trace Rules Database Version: 1309

Scan type : Complete Scan
Total Scan Time : 00:58:33

Memory items scanned : 435
Memory threats detected : 0
Registry items scanned : 5311
Registry threats detected : 0
File items scanned : 55932
File threats detected : 2

Adware.Tracking Cookie
D:\Documents and Settings\hemant.COMPAQ-SYHYCBB9\Cookies\hemant@ads.soft32[1].txt
D:\Documents and Settings\hemant.COMPAQ-SYHYCBB9\Cookies\hemant@rotator.adjuggler[1].txt

Edited by petri dish, 11 September 2007 - 12:44 AM.


#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 11 September 2007 - 04:39 AM

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites which you regularly visit or do business with), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.

Restart your pc.
Post a new HijackThis log.

#10 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 11 September 2007 - 07:00 AM

Hey, did the CCleaner routine and the temp files are now gone, replaced with the standard Perflib_Perfdata_668.dat file. :thumbsup:

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:29 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908907968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908881640
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 7008 bytes

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 11 September 2007 - 07:21 AM

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
SDFix.exe
Combofix.exe
Killbox.exe

D:\SDFix
D:\Qoobox
D:\!KillBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [D:]' box will appear; click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#12 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 11 September 2007 - 01:11 PM

Hey, exactly the words I was waiting for... a whole bunch of thanks to you Richie. Couldn't have done it in a lifetime without you... definitely owe you one big time. Let me know if you ever happen to visit Bombay.
And sorry for the delay, caught a bad flu, so decided to take a rest for a while... guess now I need to see a doc. You wouldn't happen to know anything about these viruses, huh?? :thumbsup: Take care, will see you around, and thanks again.

#13 petri dish

petri dish
  • Topic Starter

  • Banned
  • 22 posts

Posted 11 September 2007 - 03:30 PM

Hey Richie, bad news. Carried out the last steps as you asked, then thought I would run a scan just to be sure. So I ran SuperAntiSpyware and then Uniblue found three viruses. When trying to delete them Uniblue hung; apparently the memory was full. Thought of running HJT, but even HJT wouldn't work. Ran a memory cleanup and temp cleanup with SpeedUpMyPC, and immediately took this HJT log during the time of the attack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:11 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908907968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908881640
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 6763 bytes
_____________________________________________________________________________________________________

also heres the uniblue log:

--------------------------------------------------------------------------------

Start Date:September 12, 2007 at 01:07:30AM

End Date:September 12, 2007 at 01:19:25AM

Total Time:11 Mins 55 Secs
Detected Infections

Adware.Chiem.b
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:Removed
Adware-Adware



Infected registry keys/values detected
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\qksrv.net\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\linksynergy.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.net\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\commission-junction.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\bfast.com\\
hkey_current_user\software\microsoft\windows\currentversion\internet settings\p3p\history\fastclick.com\\

Trojan-spy.BZub.hv
Details: A Trojan Spy is a program that sits on the user's PC in silence and logs keystrokes and other confidential information. This program traces down all the activities of the user, saves information on the hard disk and forwards it to the author. It is also capable of capturing system screen shots and is commonly used to embezzle banking and other financial information in order to encourage online fraud. As program permits the unauthorized collection, distortion, or obliteration of data, it can leave the system more vulnerable and cause damage to user's data. It can also pose security and privacy threats to one's system, needless to mention the damage it can cause to the important data and installed programs.
Status:Removed
Trojan-spy-Trojan-spy



Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\\

Adware.BHO.t
Details: Adware programs secretly embed themselves on the victim's computer, hijack the browsing habits and search keywords and then display advertisements accordingly. The ads can include pop-ups, pop-unders, banners, or links etc. It may launch at system startup and modify the browser settings such as the home page, search page and the error page. It results in the browser as well as the system slow down and hence the user is recommended to remove this program.
Status:Removed
Adware-Adware



Infected registry keys/values detected
hkey_users\.default\software\microsoft\internet explorer\main\check_associations\

_____________________________________________________________________________________________________
and heres an hjt after the removal:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:18 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\uTorrent\utorrent.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [type32] "D:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] "D:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orbit.lnk = D:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908907968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187908881640
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 7105 bytes
:thumbsup:
hey also was wondering ud asked me to install sdfix as C:\SDFix, n during uninstallation u happen 2 mention D:\SDFix,if u want i cud try repeating it frm da D drive ....lemme kno
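The two HijackThis logs in the post above are raw scanner output, and reading them by eye means knowing which section codes matter most. As an added example (not part of this thread, and not code from HijackThis or any of the tools named here), the Python below parses HJT entry lines into records and flags the sections a malware-removal helper reviews first: autostarts without a full path, IE policy restrictions, DNS overrides, Winlogon Notify DLLs and service binaries outside the usual directories. The sample log is constructed from a handful of lines copied from the logs posted above, and the review priorities are an illustrative triage convention, not a HijackThis rating.

```python
"""Parse HijackThis v2 log entries and flag the sections a malware-removal
helper reviews first.

Added example for this thread; it is not part of HijackThis or of any post
above.  SAMPLE_LOG is constructed from a few lines of the logs posted in this
topic, and the review priorities below are an illustrative triage convention,
not a HijackThis rating.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every HJT entry line starts with a section code such as R0, O4, O17, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-qualified path ending in a binary, shortcut or cab extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|lnk|cab))", re.IGNORECASE)
# O4 autostart entries look like: O4 - HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")

# Directories in which a Windows XP service binary is normally expected.
TRUSTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\")


@dataclass
class Entry:
    code: str            # HJT section code, e.g. "O4"
    body: str            # rest of the line after "O4 - "
    path: Optional[str]  # first drive-qualified file path, if any


def parse_log(text: str) -> List[Entry]:
    """Return the structured entries of an HJT log, skipping the header and
    the 'Running processes' listing (those lines carry no section code)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, p.group(1) if p else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (code, reason, detail) findings for the entries a helper
    checks first.  Findings are review prompts, not verdicts."""
    findings = []
    for e in entries:
        if e.code == "O4":
            m = RUN_RE.search(e.body)
            # A bare file name is resolved through the search path at logon,
            # so the helper has to confirm which file actually runs.
            if m and not PATH_RE.search(m.group("cmd")):
                findings.append((e.code, "autostart without a full path", m.group("cmd")))
        elif e.code == "O6":
            # Policy restrictions on IE are a common side effect of hijackers.
            findings.append((e.code, "IE restrictions policy present", e.body))
        elif e.code == "O17":
            m = NAMESERVER_RE.search(e.body)
            servers = m.group("servers") if m else ""
            findings.append((e.code, "DNS servers to confirm with the ISP/router", servers))
        elif e.code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe before any user logs on.
            findings.append((e.code, "Winlogon Notify DLL", e.path or e.body))
        elif e.code == "O23" and e.path:
            if not any(d in e.path.lower() for d in TRUSTED_DIRS):
                findings.append((e.code, "service binary outside usual directories", e.path))
    return findings


# Constructed sample: a handful of lines copied from the HJT logs in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{96C55EC6-2BA1-4C13-AEF8-CAA7A7D4A642}: NameServer = 203.94.227.70,203.94.243.70
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
"""

if __name__ == "__main__":
    for code, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{code:<4} {reason}: {detail}")
```

Running it against the sample prints five findings: the two O4 entries whose command has no drive-qualified path, the O6 policy line, the O17 name servers (to be compared with what the ISP or router actually hands out) and the O20 DLL. The Comodo service is not flagged because its binary sits under Program Files; the point of the O23 rule is to make a service living in an odd directory stand out, not to judge known products.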

#14 RichieUK (Malware Response Team)

Posted 11 September 2007 - 04:19 PM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes'; your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.


Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.

Now run AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

1). Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

2). Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done, then restart your pc.

Also let me know how your pc is running now.

#15 petri dish (Topic Starter)

Posted 12 September 2007 - 03:18 AM

hi am working in admin mode, turned off sys restore but cant seem to turn it on again, it keeps asking me to reboot. also downloaded avg antispy and definition. so will be continuing wid the rest of the procedure ....lemme kno ne time u want me to stop.

