
Trojan-clicker.win32.delf.lk


5 replies to this topic

#1 shimmy

shimmy

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:21 PM

Posted 12 December 2007 - 09:36 PM

kaspersky found this =[

detected: Trojan program Trojan-Clicker.Win32.Delf.lk File: F:\WINDOWS\system32\dmdskmgrmq.dll



here is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:15 PM, on 12/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\System32\wdfmgr.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluegartrls.com/forum/viewforum...88378071bd679d8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {98711820-50CB-4D42-A167-B6F77BF05C4B} - F:\WINDOWS\System32\dmdskmgrm.dll
O2 - BHO: (no name) - {FDDDF6FC-3FB5-4D28-9753-6910ECE350E0} - f:\windows\system32\dmdskmgrmq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [igndlm.exe] F:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EasyLinkAdvisor] "F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Anti-Banner - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: djxhvzjd - F:\WINDOWS\SYSTEM32\dmdskmgrmq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 1: (no name) - F:\Program Files\PlayOnline\FFXI Desktop Clock\FFXI Desktop Clock.html
O24 - Desktop Component 2: Vana'naVi - http://www.killingifrit.com/nav.html

--
End of file - 4434 bytes


Any help greatly appreciated.. Already tried del from safe mode cmd prompt etc etc... halp! :thumbsup:
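The HijackThis log above shows the same file, dmdskmgrmq.dll, registered both as an O2 BHO with no name and as an O20 Winlogon Notify handler, which is the kind of cross-reference a responder looks for first. The Python script below is an added example, not a BleepingComputer or HijackThis tool, that automates that check: it parses O2/O4/O20 entries, groups them by the file they load, and reports files reachable from more than one load point as well as unnamed entries that still load a file. The sample lines are constructed from entries quoted in this post, and the path pattern and field layout are assumptions about the HijackThis line format (8.3 short paths such as PROGRA~1 are not expanded, so they only group with themselves).

```python
"""Triage helper for HijackThis-style log lines (added example, not a forum or vendor tool).

It groups O2 (BHO), O4 (Run key) and O20 (AppInit_DLLs / Winlogon Notify) entries by the
file they load and flags files registered under more than one load point, plus entries
that carry no name but still load a file.
"""
import re
from collections import defaultdict

# Constructed sample built from the entry types quoted in the post; not the full log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98711820-50CB-4D42-A167-B6F77BF05C4B} - F:\WINDOWS\System32\dmdskmgrm.dll
O2 - BHO: (no name) - {FDDDF6FC-3FB5-4D28-9753-6910ECE350E0} - f:\windows\system32\dmdskmgrmq.dll
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: djxhvzjd - F:\WINDOWS\SYSTEM32\dmdskmgrmq.dll
"""

# Assumed layout: a section tag such as "O2" or "R1" starts each line (assumption).
SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+)\s*-\s*")
# First drive-letter path ending in a loadable extension; quotes delimit O4 commands.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys|cab))', re.IGNORECASE)


def parse_line(line):
    """Return (section, has_no_name, normalised_path_or_None) for one log line."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    p = PATH_RE.search(line)
    path = p.group(1).lower() if p else None  # case-insensitive filesystem
    return m.group(1), "(no name)" in line, path


def triage(log_text):
    """Group entries by loaded file and return the cross-check findings."""
    by_path = defaultdict(set)
    no_name, no_name_with_file = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, blank, path = parsed
        if path:
            by_path[path].add(section)
        if blank:
            no_name.append(line)
            if path:  # "(no name)" with "(no file)" is only a dead entry
                no_name_with_file.append(line)
    multi = sorted(p for p, secs in by_path.items() if len(secs) > 1)
    return {
        "by_path": {p: sorted(s) for p, s in by_path.items()},
        "multi_loadpoint": multi,
        "no_name": no_name,
        "no_name_with_file": no_name_with_file,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["multi_loadpoint"]:
        print("loaded from several points:", path, report["by_path"][path])
    for line in report["no_name_with_file"]:
        print("unnamed entry that loads a file:", line)
```

Run on the sample, the script reports dmdskmgrmq.dll under both O2 and O20 and lists the two unnamed BHOs that load files from System32, while the dead "(no file)" BHO is only recorded as unnamed.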



#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:21 AM

Posted 15 December 2007 - 07:26 PM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#3 shimmy

shimmy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:21 PM

Posted 16 December 2007 - 03:21 AM

ComboFix 07-12-16.3 - a 2007-12-15 23:06:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.660 [GMT -9:00]
Running from: F:\Documents and Settings\a\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\dmdskmgrm.dll
F:\WINDOWS\system32\dmdskmgrmq.dll
F:\WINDOWS\system32\drivers\atuzlmyu.dat
F:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KBYGPUYU
-------\LEGACY_VLCUMLRL
-------\kbygpuyu
-------\vlcumlrl


((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-12 14:05 . 2007-11-13 14:36 <DIR> d-------- F:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-12 13:52 . 2007-12-12 13:52 <DIR> d-------- F:\Program Files\Trend Micro
2007-12-12 12:21 . 2007-12-12 12:41 90,980 --a------ F:\WINDOWS\system32\drivers\klin.dat
2007-12-12 12:21 . 2007-12-12 12:41 85,860 --a------ F:\WINDOWS\system32\drivers\klick.dat
2007-12-12 12:20 . 2007-12-12 12:20 <DIR> d-------- F:\Program Files\Kaspersky Lab
2007-12-12 12:20 . 2007-12-15 23:13 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-12 12:20 . 2007-12-15 23:12 1,860,128 --ahs---- F:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 12:20 . 2007-12-15 23:13 27,008 --ahs---- F:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 12:20 . 2007-12-15 23:12 20,768 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-12 12:20 . 2007-12-15 23:13 2,996 --ahs---- F:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-12 12:18 . 2007-12-12 12:18 <DIR> d-------- F:\KAV
2007-12-10 16:43 . 2007-12-12 10:36 959 --a------ F:\rollback.ini
2007-12-10 16:10 . 2007-12-10 16:33 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-10 16:10 . 2004-04-27 04:40 11,264 --a------ F:\WINDOWS\system32\SpOrder.dll
2007-12-10 16:10 . 2007-12-11 16:48 4,212 ---h----- F:\WINDOWS\system32\zllictbl.dat
2007-12-09 15:41 . 2005-09-23 08:29 626,688 --a------ F:\WINDOWS\system32\msvcr80.dll
2007-12-07 17:07 . 2007-12-07 17:07 1,188,375 --a------ F:\WINDOWS\system32\libeay32.dll
2007-12-07 17:07 . 2007-12-07 17:07 741,632 --a------ F:\WINDOWS\system32\bswolwwj.dat
2007-12-07 17:07 . 2007-12-07 17:07 246,545 --a------ F:\WINDOWS\system32\libssl32.dll
2007-12-07 17:07 . 2007-12-07 17:07 42,240 --a------ F:\WINDOWS\system32\vdtxegrb.dat
2007-12-07 17:07 . 2007-12-14 18:18 36,096 --a------ F:\WINDOWS\system32\rombuwfx.dat
2007-12-07 17:07 . 2007-12-07 17:07 35,072 --a------ F:\WINDOWS\system32\dxctlxuv.dat
2007-12-06 17:03 . 2007-12-11 17:21 119,552 --a------ F:\WINDOWS\system32\aswtmvyr.dat
2007-12-06 16:55 . 2007-12-07 15:57 <DIR> d-------- F:\WINDOWS\system32\AppCert
2007-12-06 16:09 . 2007-12-06 16:09 54,156 --ah----- F:\WINDOWS\QTFont.qfn
2007-12-06 16:09 . 2007-12-06 16:09 1,409 --a------ F:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 08:03 --------- d-----w F:\Documents and Settings\a\Application Data\SolidDocuments
2007-12-14 09:27 --------- d-----w F:\Program Files\mIRC
2007-12-13 01:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2007-12-12 23:04 --------- d-----w F:\Program Files\Google
2007-12-12 23:03 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 01:26 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2007-12-11 01:25 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2007-12-08 18:59 --------- d-----w F:\Program Files\Symantec
2007-11-14 03:45 --------- d-----w F:\Program Files\World of Warcraft
2007-11-13 23:36 --------- d--ha-w F:\Documents and Settings\All Users\Application Data\GTek
2007-11-13 23:36 --------- d--h--w F:\Documents and Settings\a\Application Data\GTek
2007-11-13 23:36 --------- d-----w F:\Program Files\Linksys EasyLink Advisor
2007-11-13 23:36 --------- d-----w F:\Documents and Settings\Default User\Application Data\Gtek
2007-11-12 05:56 --------- d-----w F:\Program Files\DivX
2007-11-12 03:05 --------- d-----w F:\Program Files\Winamp Remote
2007-11-12 03:05 --------- d-----w F:\Program Files\Winamp
2007-11-12 03:05 --------- d-----w F:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-11-07 07:31 --------- d-----w F:\Program Files\ICQ
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-04-29 10:40]
"igndlm.exe"="F:\Program Files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 12:57]
"EasyLinkAdvisor"="F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe [2005-12-26 13:06:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= F:\Program Files\PlayOnline\FFXI Desktop Clock\FFXI Desktop Clock.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Alert 4.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC Alert 4.lnk
backup=F:\WINDOWS\pss\PC Alert 4.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk
backup=F:\WINDOWS\pss\ZoneAlarm.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^a^Start Menu^Programs^Startup^Xfire.lnk]
path=F:\Documents and Settings\a\Start Menu\Programs\Startup\Xfire.lnk
backup=F:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-09-14 20:05 344064 --a------ F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
F:\PROGRA~1\Lycos\IEagent\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
F:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 15:41 163840 --a------ F:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-02-23 15:45 278528 --a------ F:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
F:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
2003-10-06 11:01 476672 --a------ F:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lqqux5v7m]
F:\WINDOWS\system32\lqqux5v7m.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
2003-01-13 04:20 49230 --a------ F:\Program Files\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
F:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
sstray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
F:\Program Files\Winamp Remote\bin\OrbTray.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
2003-04-29 10:40 524288 --a------ F:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
F:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
2005-06-19 23:29 95960 --a------ F:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-10-09 20:28 36352 --a------ F:\Program Files\Winamp\winampa.exe

R2 elagopro;GoProto Protocol Driver for LELA;F:\WINDOWS\System32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;F:\WINDOWS\System32\DRIVERS\elaunidr.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;F:\WINDOWS\System32\DRIVERS\klim5.sys
S3 cportclm;cportclm;\??\F:\DOCUME~1\a\LOCALS~1\Temp\cportclm.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 08:11:02 F:\WINDOWS\Tasks\Symantec NetDetect.job"
- F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 23:13:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> F:\Program Files\Logitech\SetPoint\GameHook.dll
.
Completion time: 2007-12-15 23:14:39 - machine was rebooted





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:39 PM, on 12/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluegartrls.com/forum/viewforum...88378071bd679d8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [igndlm.exe] F:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EasyLinkAdvisor] "F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Anti-Banner - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 1: (no name) - F:\Program Files\PlayOnline\FFXI Desktop Clock\FFXI Desktop Clock.html
O24 - Desktop Component 2: Vana'naVi - http://www.killingifrit.com/nav.html

--
End of file - 4033 bytes

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:21 AM

Posted 16 December 2007 - 05:31 PM

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems


#5 shimmy

shimmy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:21 PM

Posted 17 December 2007 - 11:27 AM

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2727 (20071217)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a88d1364decd7e479094875ea21421c9
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-17 01:27:26
# local_time=2007-12-17 04:27:26 (-0900, Alaskan Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 1
# scanned=554711
# found=0
# scan_time=11470



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:54 AM, on 12/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluegartrls.com/forum/viewforum...88378071bd679d8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.1/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [igndlm.exe] F:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EasyLinkAdvisor] "F:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to Anti-Banner - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 1: (no name) - F:\Program Files\PlayOnline\FFXI Desktop Clock\FFXI Desktop Clock.html
O24 - Desktop Component 2: Vana'naVi - http://www.killingifrit.com/nav.html

--
End of file - 4206 bytes








Everything seems good now no emails going out or AV popups. :thumbsup:

Thanks so much! <3

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:21 AM

Posted 17 December 2007 - 03:14 PM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O2 - BHO: (no name) - SOFTWARE - (no file)

Then close all windows except HijackThis and click Fix Checked

You now appear to be clean. Congratulations!

You can delete combofix.exe and the C:\qoobox\ folder

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
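The HOSTS file advice in the post above describes the file as a name-to-address phone book that can be used for blocking. The same mechanism cuts both ways: an entry that points a name at an address other than loopback silently redirects that name, which is why a hosts file is worth auditing as well as populating. The Python script below is an added example, not part of the post or of Spybot Search & Destroy, that parses a hosts file and separates blocking entries (names pointed at a loopback or unspecified address) from redirect entries (names pointed anywhere else). The sample file and its .test hostnames are constructed for the example.

```python
"""Hosts-file audit (added example; not a tool from the thread or from Spybot).

Blocking entries send a name to 127.0.0.1 or 0.0.0.0, so the name resolves nowhere.
Redirect entries send a name to some other address; in a file that is meant only to
block sites, any such entry deserves a look.
"""
import ipaddress

# Constructed sample hosts file; the .test names are reserved for documentation.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test        # typical blocking entry
0.0.0.0         malware-dropper.test
192.0.2.10      update.example-antivirus.test   # redirect: resolves to a real address
bad line without an address
"""


def parse_hosts(text):
    """Return a list of (hostname, ip_address) pairs; comments and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:  # first field is not an IP address
            continue
        for name in parts[1:]:  # one address may carry several names
            entries.append((name.lower(), addr))
    return entries


def audit_hosts(text):
    """Classify each entry as a blocking entry or a redirect."""
    blocking, redirects = [], []
    for name, addr in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback entry every hosts file carries
        if addr.is_loopback or addr.is_unspecified:
            blocking.append(name)
        else:
            redirects.append((name, str(addr)))
    return {"blocking": blocking, "redirects": redirects}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("blocking entries:", len(result["blocking"]))
    for name, addr in result["redirects"]:
        print("redirect, check this entry:", name, "->", addr)
```

On a real system the same function can be pointed at the contents of %SystemRoot%\system32\drivers\etc\hosts; a large blocking list is expected after adding the Spybot list, while any redirect entry you did not add yourself is the thing to investigate.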




