Virus


26 replies to this topic

#1 HackLyfe

  • Members
  • 20 posts

Posted 22 January 2008 - 07:44 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:14 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {49569998-fe91-4995-bef3-199df3cf7fe5} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ED307BB4-DEA5-4040-9E18-95C3E99FC872} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O20 - Winlogon Notify: cbxyaax - cbxyaax.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll (file missing)
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7635 bytes

AntiVir PersonalEdition Classic
Report file date: Tuesday, January 22, 2008 17:26

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Sam
Computer name: YOUR-DFD50987C1

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:30
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:52
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:48
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:22
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:16
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 20:26:56
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 9/13/2007 20:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 9/13/2007 20:27:14
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/17/2007 23:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:28
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:18
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 14:46:02
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:08
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:34
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:20
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:44
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:14
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:38
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:22

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, January 22, 2008 17:26

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'InocIT.exe' - '1' Module(s) have been scanned
Scan process 'AVGNT.EXE' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
14 processes with 14 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '29' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Key2.txt
[DETECTION] Is the Trojan horse TR/Dldr.Delf.R
[INFO] TR/Dldr.Delf.R:[HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil]:<FirstHitUrl>=sz:adpopper
[INFO] TR/Dldr.Delf.R:[HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil]:<UninstallUrl>=sz:adpopper
[INFO] TR/Dldr.Delf.R:[HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil]:<UniqueKeyUrl>=sz:adpopper
[INFO] The file was deleted!
C:\WINDOWS\system32\mmmdpggv.exe
[WARNING] 'Contains detection pattern of the dropper DR/180Solutions.AY.1'. This detection is probably an error. Please send us this file immediately for further analysis.
C:\WINDOWS\system32\wsaupdater.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.D.2
[INFO] The file was deleted!
C:\Program Files\Windows Media Player\wmplayer.exe.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Small.LY
[INFO] The file was deleted!
C:\Program Files\NaviSearch\Uninstall.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was deleted!
C:\Program Files\BullsEye Network\Uninstall.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was deleted!
C:\Program Files\EarthLink\TotalAccess Smart Installer\Download.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '480d7939.qua'!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP34\A0019649.DLL
[DETECTION] Is the Trojan horse TR/Spy.Agent.SV
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP36\A0021227.exe
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP36\A0021240.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP39\A0023613.exe
[DETECTION] Contains detection pattern of the dropper DR/FamilyKeyLogger.280
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP40\A0030582.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.D.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP40\A0030588.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP40\A0030589.exe
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{E258E227-4FBE-477F-8B0E-687F5858E923}\RP40\A0030590.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47c67a33.qua'!
Begin scan in 'D:\' <DISE_BACKUP>


End of the scan: Tuesday, January 22, 2008 18:20
Used time: 53:27 min

The scan has been done completely.

2815 Scanning directories
174865 Files were scanned
12 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
12 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
174853 Files not concerned
6217 Archives were scanned
2 Warnings
0 Notes

Edited by HackLyfe, 22 January 2008 - 08:24 PM.


#2 Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 23 January 2008 - 04:18 PM

Hi,

Thanks for the logs. :blink:

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\system32\mmmdpggv.exe
Click Send.
Please post the results of this scan to this thread.

Question:

Did you install Cain & Abel at one time?
Uninstalled now?

---------------------

Start Hijackthis
Run system scan and check:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {49569998-fe91-4995-bef3-199df3cf7fe5} - (no file)
O2 - BHO: (no name) - {ED307BB4-DEA5-4040-9E18-95C3E99FC872} - (no file)
O4 - HKLM\..\Run: [System32] System32.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O20 - Winlogon Notify: cbxyaax - cbxyaax.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll (file missing)


Close all open windows and click "fix checked"
Say OK, Exit Hijackthis and reboot.

Locate and delete if found the following folders:

C:\Program Files\NaviSearch
C:\Program Files\BullsEye Network
C:\Program Files\Web_Rebates

Locate and delete if found the following files:

C:\windows\system32\system32.exe

------------------------------

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks :thumbsup:
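
The entries picked out for "fix checked" above share a few mechanical tells that can be checked without any signature database: a Userinit value that launches a second program (wsaupdater.exe) besides userinit.exe, browser hooks (R3/O2) that are registered but point at (no file), a Run entry given as a bare filename (System32.exe) that Windows has to locate via the search path, an O16 ActiveX entry with no source URL, and Winlogon Notify packages and services whose files are missing. The script below is an added example, not part of this thread and not HijackThis code: it parses lines in HijackThis 2.x log format and reports exactly those patterns for review. The sample lines are constructed from entries visible in the logs above; the rules are heuristics of my own, and a bare filename by itself proves nothing (AGRSMMSG.exe in the same log is also bare), which is why the tool reports rather than decides.

```python
"""Triage a HijackThis 2.x log for the autostart patterns discussed in the thread.

Added example; it is not part of the original posts and not HijackThis code.
The rules encode the tells behind the entries the analyst asked to fix:
  * F2        Userinit value launching anything besides userinit.exe
  * R3/O2/O3  browser hooks registered but pointing at (no file)
  * O4        Run entries given as a bare filename (located via the search path)
  * O16       Downloaded Program Files (ActiveX) entries with no source URL
  * O20/O23   Winlogon Notify packages and services whose file is missing
"""
import re
from typing import List, Tuple

# Normal Userinit value on Windows XP (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Section tag, " - ", rest of line, e.g. "O4 - HKLM\..\Run: [System32] System32.exe"
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|F[0-3]|O\d+) - (?P<body>.*)$")

# Constructed sample: lines in HijackThis log format taken from the thread above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll (file missing)
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
"""

Finding = Tuple[str, str, str]  # (section, reason, original line)


def userinit_entries(value: str) -> List[str]:
    """Split a Userinit value into its comma-separated launch entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def run_entry_target(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, else the first token."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the suspicious patterns."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")

        if sec == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            for entry in userinit_entries(value):
                if entry.lower() != EXPECTED_USERINIT:
                    findings.append((sec, f"extra Userinit launch entry: {entry}", line))

        elif sec in ("R3", "O2", "O3") and body.endswith("(no file)"):
            findings.append((sec, "browser hook registered but its file is absent", line))

        elif sec == "O4":
            m4 = re.search(r"\] (.*)$", body)
            if m4:
                target = run_entry_target(m4.group(1))
                if target and "\\" not in target:
                    findings.append((sec, f"bare filename, located via search path: {target}", line))

        elif sec == "O16" and re.search(r"\) -$", body):
            findings.append((sec, "ActiveX (DPF) control with no source URL", line))

        elif sec in ("O20", "O23") and body.endswith("(file missing)"):
            findings.append((sec, "Winlogon Notify package or service whose file is missing", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Run against the sample it reports six lines: the wsaupdater.exe Userinit entry, the orphaned BHO, the bare System32.exe Run value, the URL-less ExentInf control, the missing gebcd.dll notify package and the Abel service. The last one is a good reminder that "for review" is the right output: the poster confirms below that Cain & Abel was installed and removed, so that service is an uninstall leftover rather than an infection, but it is still an orphaned service entry worth cleaning up.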

#3 HackLyfe

  • Topic Starter

  • Members
  • 20 posts

Posted 23 January 2008 - 07:09 PM

VirusTotal results


File mmmdpggv.exe_ received on 12.28.2007 15:38:42 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - DR/180Solutions.AY.1
Authentium - - is a security risk or a backdoor program
Avast - - Win32:Adware-gen
AVG - - -
BitDefender - - Trojan.Hotbar.A
CAT-QuickHeal - - -
ClamAV - - Adware.Hotbar
DrWeb - - Adware.Hotbar
eSafe - - Spyware.ZangoSearch
eTrust-Vet - - -
Ewido - - Adware.180Solutions
FileAdvisor - - Low threat detected
Fortinet - - Adware/Hotbar
F-Prot - - W32/Malware!fb88
F-Secure - - -
Ikarus - - -
Kaspersky - - not-a-virus:AdWare.Win32.180Solutions.ay
McAfee - - -
Microsoft - - -
NOD32v2 - - Win32/Adware.HotBar
Norman - - -
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - Hotbar-Installer
Sunbelt - - Hotbar (v)
Symantec - - Adware.Hotbar
TheHacker - - -
VBA32 - - AdWare.Win32.180Solutions.ay
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dropper.180Solutions.AY.1
Additional information
MD5: efc17c263bbb954ca238b93ea5198f55
SHA1: 80360d888f59c987094b9c17da6556cacc357f7d
SHA256: 6c7f838debd435f766922fffce8cddb3d3d5d251bed243e915b42c8d1234ed0d
SHA512: 0fd342292a3af2a1a52ec120b955da74e853826c96b6a51024939a1be8d7e679 1e4a9f450d11509360e672e89eef8afc1be5947f91ade6a6be3128b3bfc366f7

Answer: yes, I had Cain & Abel; I have already uninstalled it.

Deckard System Scanner results ^^

Deckard's System Scanner v20071014.68
Run by Sam on 2008-01-23 18:44:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-01-23 23:44:16 UTC - RP44 - Deckard's System Scanner Restore Point
4: 2008-01-23 14:23:13 UTC - RP43 - Installed 9Dragons.
3: 2008-01-23 11:26:31 UTC - RP42 - Removed 9Dragons.
2: 2008-01-23 03:01:40 UTC - RP41 - AusLogics RegDefrag before defragmentation.
1: 2008-01-22 21:35:16 UTC - RP40 - AntiVir PersonalEdition Classic - 1/22/2008 16:34


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Sam.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:08 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sam\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Shortcut to TrueTransparency.lnk = C:\Visual Theme's\TrueTransparency\TrueTransparency.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6380 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080123-183108-120 R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080123-183108-816 O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
backup-20080123-183108-212 O2 - BHO: (no name) - {49569998-fe91-4995-bef3-199df3cf7fe5} - (no file)
backup-20080123-183108-848 O2 - BHO: (no name) - {ED307BB4-DEA5-4040-9E18-95C3E99FC872} - (no file)
backup-20080123-183108-116 O4 - HKLM\..\Run: [System32] System32.exe
backup-20080123-183108-314 O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
backup-20080123-183108-983 O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
backup-20080123-183109-202 O20 - Winlogon Notify: cbxyaax - cbxyaax.dll (file missing)
backup-20080123-183109-737 O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ENECBPTH (ENE Cardbus Patch Driver) - c:\windows\system32\drivers\enecbpth.sys <Not Verified; EnE Technology Inc.; EnE Cardbus Patch Driver for Windows ® 2000/XP>

S3 CSNPD51 (CSNPD51 NDIS Protocol Driver) - c:\windows\system32\drivers\csnpd51.sys (file missing)
S3 CSNPD51a64 (CSNPD51a64 NDIS Protocol Driver) - c:\windows\system32\drivers\csnpd51a64.sys (file missing)
S3 dump_wmimmc - c:\program files\9dragons\gameguard\dump_wmimmc.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>

S2 Abel - c:\program files\cain\abel.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-23 09:23:16 0 d-------- C:\Program Files\9Dragons
2008-01-23 09:03:10 712835072 --a------ C:\9Dragons_11-20-2007.exe <Not Verified; Macrovision Corporation; InstallShield>
2008-01-23 08:02:11 0 dr-h----- C:\Documents and Settings\Sam\Recent
2008-01-23 06:20:07 0 d-------- C:\Program Files\DVDVideoSoft
2008-01-22 21:54:16 0 d-------- C:\Program Files\AusLogics Disk Defrag
2008-01-22 21:51:35 0 d-------- C:\Program Files\Auslogics
2008-01-22 21:48:36 1589868 --a------ C:\registry-defrag-setup.exe <Not Verified; Auslogics Pty Ltd.; >
2008-01-22 19:29:56 0 d-------- C:\Program Files\Trend Micro
2008-01-22 16:36:04 0 d-------- C:\Program Files\Avira
2008-01-22 16:36:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-22 13:38:53 0 d-------- C:\Program Files\Common Files\Scanner
2008-01-22 13:38:53 0 d-------- C:\Program Files\ComcastToolbar
2008-01-22 13:38:53 0 d-------- C:\Documents and Settings\Sam\Application Data\ComcastToolbar
2008-01-22 13:38:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-01-22 13:37:56 0 d-------- C:\Program Files\Comcast
2008-01-22 12:58:30 0 d-------- C:\Program Files\support.com
2008-01-22 12:57:56 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-01-22 09:00:44 0 d-------- C:\Program Files\Nexon
2008-01-22 07:46:55 5377726 --a------ C:\win2k_xp141950.exe <Not Verified; Intel Corporation; Intel® Chipset Graphics Driver Software>
2008-01-22 06:11:17 0 d-------- C:\Program Files\Universal
2008-01-22 06:02:10 0 d-------- C:\Program Files\SystemRequirementsLab
2008-01-22 05:56:38 0 d-------- C:\Documents and Settings\Sam\Application Data\SystemRequirementsLab
2008-01-20 02:47:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SiComponents
2008-01-19 23:50:59 0 d-------- C:\Documents and Settings\Sam\Application Data\Yahoo!
2008-01-19 23:18:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-19 12:13:40 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-01-14 11:47:01 0 d-------- C:\Documents and Settings\All Users\Application Data\File Monster
2008-01-14 05:40:18 0 d-------- C:\Program Files\LIVEUPDATE
2008-01-14 03:34:20 0 d-------- C:\WINDOWS\Packs
2008-01-13 04:30:15 422 --a------ C:\WINDOWS\iks.dat
2008-01-12 23:28:40 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-12 14:09:34 0 d-------- C:\Program Files\ZZEE
2008-01-11 11:51:56 0 d-------- C:\Documents and Settings\Sam\Application Data\Eltima Software
2008-01-11 11:04:42 0 d-------- C:\Documents and Settings\Sam\Application Data\Wireshark
2008-01-11 08:35:05 0 d-------- C:\Documents and Settings\Sam\Application Data\Colasoft Packet Builder
2008-01-11 08:33:56 0 d-------- C:\Program Files\Colasoft Packet Builder 1.0
2008-01-10 19:46:35 0 d-------- C:\Documents and Settings\Sam\Application Data\SMRKsoft
2008-01-10 19:06:02 0 d--h----- C:\WINDOWS\PIF
2008-01-10 18:40:21 0 --a------ C:\Documents and Settings\Sam\'
2008-01-10 18:12:30 0 d-------- C:\Documents and Settings\Sam\Application Data\Obsidium
2008-01-09 07:06:04 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-09 07:06:04 383238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-01-09 06:33:15 0 d-------- C:\Program Files\Soft Gems
2008-01-08 23:24:03 0 d-------- C:\Documents and Settings\Sam\Application Data\Orbit
2008-01-08 23:23:59 0 d-------- C:\Program Files\Orbitdownloader
2008-01-07 00:39:45 0 d--h----- C:\WINDOWS\system32\CTF
2008-01-06 20:44:46 0 dr------- C:\Visual Theme's
2008-01-06 05:18:44 0 d-------- C:\Program Files\CCleaner
2008-01-05 01:55:01 0 d-------- C:\Documents and Settings\Sam\Application Data\Modem Spy
2008-01-05 01:33:43 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-01-05 01:33:40 0 d-------- C:\Program Files\NCH Swift Sound
2008-01-05 01:33:40 0 d-------- C:\Documents and Settings\Sam\Application Data\NCH Swift Sound
2008-01-04 11:34:02 0 d-------- C:\Documents and Settings\Sam\Application Data\Auslogics
2008-01-04 11:26:56 1607356 --a------ C:\Program Files\disk-defrag-setup.exe <Not Verified; AusLogics, Inc.; >
2008-01-04 05:47:36 128 --a------ C:\WINDOWS\system32\pppoe32.dll
2008-01-04 05:47:32 0 d-------- C:\Documents and Settings\Sam\Application Data\System32
2008-01-04 05:46:55 1845 --a------ C:\WINDOWS\system32\unins000.dat
2008-01-04 05:37:19 0 d-------- C:\Documents and Settings\All Users\Application Data\winsyscfg
2008-01-04 05:36:11 0 d-------- C:\Program Files\ExploreAnywhere
2008-01-04 03:47:23 0 d-------- C:\Documents and Settings\Sam\Application Data\MySpace
2008-01-03 19:32:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-01-03 07:13:57 0 d-------- C:\Program Files\PcPrivacySoftware.com
2008-01-03 06:20:39 2180352 --a------ C:\WINDOWS\system32\kernel1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-03 05:46:56 0 d-------- C:\Program Files\TGTSoft
2008-01-03 03:45:14 0 d-------- C:\Documents and Settings\Sam\Application Data\XP Visual Tools
2008-01-03 01:29:38 0 d-------- C:\WINDOWS\system32\cache632
2008-01-03 01:29:38 0 d-------- C:\WINDOWS\system32\AdCache
2008-01-03 01:03:08 0 --a------ C:\Documents and Settings\Sam\cd
2008-01-02 19:53:19 0 --a------ C:\Documents and Settings\Sam\nbtstat
2008-01-02 18:21:13 0 d-------- C:\Program Files\Video Add-on
2008-01-02 17:08:51 1158 --a------ C:\WINDOWS\mozver.dat
2008-01-02 16:51:06 0 d-------- C:\Documents and Settings\Sam\Application Data\Talkback
2008-01-02 16:50:37 0 d-------- C:\Documents and Settings\Sam\Application Data\Mozilla
2007-12-27 19:35:12 0 d-------- C:\Program Files\SigmaTel
2007-12-27 19:20:49 0 d-------- C:\Documents and Settings\Sam\Application Data\SoftwareDetectionScripts
2007-12-27 16:40:59 0 d-------- C:\WINDOWS\system32\NtmsData
2007-12-27 00:43:18 765 --a------ C:\Documents and Settings\Sam\1569
2007-12-27 00:05:53 0 d-------- C:\Documents and Settings\Sam\Application Data\AOL
2007-12-27 00:05:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2007-12-27 00:04:15 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-12-26 23:51:21 0 d--h----- C:\TEMP
2007-12-26 16:23:49 119 --a------ C:\Documents and Settings\Sam\all
2007-12-26 01:14:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-25 00:07:44 0 d--hs---- C:\FOUND.028
2007-12-24 23:34:26 0 d-------- C:\Documents and Settings\Sam\Incomplete


-- Find3M Report ---------------------------------------------------------------

2008-01-22 07:09:24 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-21 15:57:00 1819 ---h----- C:\WINDOWS\sbconfig.dat
2008-01-15 13:25:44 471 --a------ C:\Documents and Settings\Sam\Application Data\UpdateStore.xml
2008-01-15 13:25:44 376 --a------ C:\Documents and Settings\Sam\Application Data\SoftwarePackageStore.xml
2008-01-15 13:25:44 518 --a------ C:\Documents and Settings\Sam\Application Data\EventStore.xml
2008-01-15 13:25:44 376 --a------ C:\Documents and Settings\Sam\Application Data\ConfigurationStore.xml
2008-01-15 13:25:44 475 --a------ C:\Documents and Settings\Sam\Application Data\CampaignStore.xml
2008-01-15 00:10:12 202 --a------ C:\Documents and Settings\Sam\Application Data\.googlewebacchosts
2008-01-14 02:33:42 253722 --a------ C:\Program Files\truetransparency-crystalxp.net-en-5139.zip
2008-01-10 19:29:16 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-05 17:31:44 849599901 --a------ C:\Program Files\9Dragons_11-20-2007.exe
2007-11-24 22:19:02 126215 ---hs---- C:\WINDOWS\system32\dcbeg.bak2
2007-11-24 17:35:46 0 --a------ C:\WINDOWS\system32\iAlmcoin.dll
2007-11-24 17:29:46 0 d-------- C:\Program Files\MalwareAlarm
2007-11-22 01:39:34 67 --a------ C:\WINDOWS\GPlrLanc.dat
2007-11-21 13:23:54 81920 --a------ C:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"AGRSMMSG"="AGRSMMSG.exe" [12/20/2002 10:07 AM C:\WINDOWS\AGRSMMSG.exe]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [12/13/2003 12:17 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [02/07/2006 08:39 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [02/07/2006 08:36 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [02/07/2006 08:40 AM]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [04/19/2007 02:21 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [01/22/2008 06:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
Shortcut to TrueTransparency.lnk - C:\Visual Theme's\TrueTransparency\TrueTransparency.exe [10/20/2007 3:10:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [1/8/2008 11:23:59 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-01-23 18:47:59 ------------

no thank you very much


#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 January 2008 - 06:42 AM

Hi,

Were you also checking out some keylogger stuff?

I see references to this program:

HB Multi Remote Spy

You install that then uninstall?

---------------------------

Click start> run> type cmd and hit enter.
Type this line then hit enter:

sc delete abel

You should get a success message. That deletes the leftover Abel service (Cain & Abel).
Close the cmd window.

Locate and delete: (If AntiVir nuked it already -- that's OK)

C:\WINDOWS\system32\mmmdpggv.exe

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\system32\kernel1.exe
Click Send.
Please post the results of this scan to this thread.

Repeat with:

C:\WINDOWS\system32\pppoe32.dll

I think that file is/was part of "HB Multi Remote Spy"

--------------------------------------

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how system is working.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#5 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 24 January 2008 - 08:08 AM

yes i had it but then uninstalled it
i was into the whole grey hat hacker thing
but now i see it's best to be a white hat
help out ppl ^^

my HD is only 14.8G
i just want the computer to run my 9dragons
online game. right now i have a big lag playing the game


File kernel1.exe_ received on 01.24.2008 13:44:41 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.24.11 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Authentium 4.93.8 2008.01.24 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.23 -
BitDefender 7.2 2008.01.24 -
CAT-QuickHeal 9.00 2008.01.23 -
ClamAV 0.91.2 2008.01.24 -
DrWeb 4.44.0.09170 2008.01.24 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5482 2008.01.24 -
Ewido 4.0 2008.01.23 -
FileAdvisor 1 2008.01.24 -
Fortinet 3.14.0.0 2008.01.24 -
F-Prot 4.4.2.54 2008.01.24 -
F-Secure 6.70.13260.0 2008.01.24 -
Ikarus T3.1.1.20 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
McAfee 5214 2008.01.23 -
Microsoft 1.3109 2008.01.24 -
NOD32v2 2819 2008.01.24 -
Norman 5.80.02 2008.01.23 -
Panda 9.0.0.4 2008.01.23 -
Prevx1 V2 2008.01.24 -
Rising 20.28.31.00 2008.01.24 -
Sophos 4.24.0 2008.01.24 -
Sunbelt 2.2.907.0 2008.01.23 -
Symantec 10 2008.01.24 -
TheHacker 6.2.9.196 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.23 -
Additional information
File size: 2180352 bytes
MD5: 3567c1b835572a0cc445cc8f97db3836
SHA1: c912c8652f023e0fcfd2cc6b1fb184f21c17af6c
PEiD: -

File pppoe32.dll received on 01.24.2008 13:56:29 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.24.11 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Authentium 4.93.8 2008.01.24 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.24 -
BitDefender 7.2 2008.01.24 -
CAT-QuickHeal 9.00 2008.01.23 -
ClamAV 0.91.2 2008.01.24 -
DrWeb 4.44.0.09170 2008.01.24 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5482 2008.01.24 -
Ewido 4.0 2008.01.23 -
FileAdvisor 1 2008.01.24 -
Fortinet 3.14.0.0 2008.01.24 -
F-Prot 4.4.2.54 2008.01.24 -
F-Secure 6.70.13260.0 2008.01.24 -
Ikarus T3.1.1.20 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
McAfee 5214 2008.01.23 -
Microsoft 1.3109 2008.01.24 -
NOD32v2 2819 2008.01.24 -
Norman 5.80.02 2008.01.23 -
Panda 9.0.0.4 2008.01.23 -
Prevx1 V2 2008.01.24 -
Rising 20.28.31.00 2008.01.24 -
Sophos 4.24.0 2008.01.24 -
Sunbelt 2.2.907.0 2008.01.23 -
Symantec 10 2008.01.24 -
TheHacker 6.2.9.196 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.23 -
Additional information
File size: 128 bytes
MD5: 20b4ea0aadc5885a1bc91ea6f7b92123
SHA1: 6b5449cf4a27cdebf1aa1e7390d0268c62a53b3c
PEiD: -

SDFix: Version 1.131

Run by Sam on Thu 01/24/2008 at 08:16 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Sam\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted



Folder C:\Program Files\Video Add-on - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 08:31:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\WINDOWS\\System32\\mmc.exe"="C:\\WINDOWS\\System32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\AOL\\RC\\regclient.exe"="C:\\Program Files\\AOL\\RC\\regclient.exe:*:Disabled:AOL"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL Connectivity Service"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Disabled:AOL TopSpeed"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Modem Spy\\modemspy.exe"="C:\\Program Files\\Modem Spy\\modemspy.exe:*:Enabled:modemspy"
"C:\\Program Files\\PC-Telephone\\PCTel.exe"="C:\\Program Files\\PC-Telephone\\PCTel.exe:*:Enabled:PC-Telephone Executable"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\HB Multi Remote Spy\\Client\\ScreenClient.exe"="C:\\Program Files\\HB Multi Remote Spy\\Client\\ScreenClient.exe:*:Enabled:MSRD"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Sam\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 29 Sep 2007 24,023 ..SH. --- "C:\WINDOWS\system32\dcbeg.tmp"
Thu 22 Nov 2007 719,401 ..SH. --- "C:\WINDOWS\system32\ibimddnw.tmp"
Fri 12 Oct 2007 55,848 ..SH. --- "C:\WINDOWS\system32\dcbeg.bak1"
Sat 22 Dec 2007 24,093 ..SH. --- "C:\WINDOWS\system32\dcbeg.tmp2"
Sat 24 Nov 2007 126,215 ..SH. --- "C:\WINDOWS\system32\dcbeg.bak2"
Mon 29 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Edited by HackLyfe, 24 January 2008 - 08:38 AM.


#6 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 24 January 2008 - 08:47 AM

it's working good now, i can put a
desktop picture. I couldn't do that
before.

i had stopzilla before
and it told me i had
307 detections
spyware, malware and a few trojans

thanks for all the help

Edited by HackLyfe, 24 January 2008 - 08:47 AM.


#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 January 2008 - 12:07 PM

OK...

copy the following text to a new notepad file.
Save as file name peek.bat
As file types: all files
Save it to your desktop.

cd "c:\documents and settings\sam\'"
dir /s > c:\sam-files.txt
dir /a:h /s >> c:\sam-files.txt
notepad c:\sam-files.txt


Once saved, double click it and let it run.

Log will pop up.
Please post its contents.

If too big to post --- zip it and attach it to your post.

Thanks :thumbsup:

#8 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 24 January 2008 - 12:12 PM

there she blows cap'n


Volume in drive C has no label.
Volume Serial Number is 9CFB-BEE6

Directory of C:\Documents and Settings\Sam\Desktop

12/30/2003 09:43 PM <DIR> .
12/30/2003 09:43 PM <DIR> ..
10/18/2006 09:46 PM 274,432 wmplayer.exe
01/23/2008 06:42 PM 686,630 dss.exe
01/24/2008 12:10 PM 122 peek.bat
01/24/2008 08:08 AM 1,213,206 SDFix.exe
01/24/2008 09:02 AM <DIR> SDFix
01/02/2008 04:50 PM 1,518 Mozilla Firefox.lnk
01/21/2008 02:25 PM 104 My Computer.lnk
6 File(s) 2,176,012 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix

01/24/2008 08:09 AM <DIR> .
01/24/2008 08:09 AM <DIR> ..
01/24/2008 09:01 AM 405,756 RunThis.bat
01/24/2008 09:01 AM 142,336 catchme.exe
01/24/2008 09:01 AM 119 SDFIX_ReadMe_Online.url
01/24/2008 08:15 AM <DIR> backups
01/24/2008 08:32 AM 5,229 Report.txt
4 File(s) 553,440 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix\apps

01/24/2008 08:09 AM <DIR> .
01/24/2008 08:09 AM <DIR> ..
01/24/2008 09:01 AM 202 leg2.txt
01/24/2008 09:01 AM 6,245 legacy.txt
01/24/2008 09:01 AM 6,245 legacybk.txt
01/24/2008 09:01 AM 267 Rem.txt
01/24/2008 09:01 AM 315 Rem2.txt
01/24/2008 09:01 AM 414 srv2.txt
01/24/2008 09:01 AM 414 srv2bk.txt
01/24/2008 09:01 AM 10,074 svc.txt
01/24/2008 09:01 AM 10,074 svcbk.txt
01/24/2008 09:01 AM 11,254 locate.com
01/24/2008 09:01 AM 10,240 cliptext.exe
01/24/2008 09:01 AM 61,440 download.exe
01/24/2008 09:01 AM 6,656 dummy.exe
01/24/2008 09:01 AM 157,696 ERUNT.EXE
01/24/2008 09:01 AM 27,136 FixPath.exe
01/24/2008 09:01 AM 33,280 isadmin.exe
01/24/2008 09:01 AM 49,152 LS.exe
01/24/2008 09:01 AM 6,656 MD5File.exe
01/24/2008 09:01 AM 53,248 Process.exe
01/24/2008 09:01 AM 16,414 procs.exe
01/24/2008 09:01 AM 61,440 psservice.exe
01/24/2008 09:01 AM 90,112 RegDACL.exe
01/24/2008 09:01 AM 146,432 regedit.exe
01/24/2008 09:01 AM 8,192 RestartIt!.exe
01/24/2008 09:01 AM 31,232 sc.exe
01/24/2008 09:01 AM 49,152 SF.exe
01/24/2008 09:01 AM 19,456 shutdown.exe
01/24/2008 09:01 AM 139,776 swreg.exe
01/24/2008 09:01 AM 40,960 swsc.exe
01/24/2008 09:01 AM 167,936 unzip.exe
01/24/2008 09:01 AM <DIR> Replace
01/24/2008 09:01 AM 41,472 WINMSG.EXE
01/24/2008 09:01 AM 126,976 zip.exe
01/24/2008 09:01 AM 1,024 dummy.sys
01/24/2008 09:01 AM 163,328 ERDNT.E_E
01/24/2008 09:01 AM 2,815 ERDNTDOS.LOC
01/24/2008 09:01 AM 3,275 ERDNTWIN.LOC
01/24/2008 09:01 AM 4,090 ERUNT.LOC
01/24/2008 09:01 AM 1,218 assosfix.reg
01/24/2008 09:01 AM 344 Enable_Command_Prompt.reg
01/24/2008 09:01 AM 4,231 fix.reg
01/24/2008 09:01 AM 176,236 FixBH.reg
01/24/2008 09:01 AM 39,099 FIXCU.reg
01/24/2008 09:01 AM 66,090 FIXLM.reg
01/24/2008 09:01 AM 591 FixRedir.reg
01/24/2008 09:01 AM 826 FixSchedule.reg
01/24/2008 09:01 AM 932 FixWebCheck.reg
01/24/2008 09:01 AM 1,582 fixXP.reg
01/24/2008 09:01 AM 376 FixXPsp2.reg
01/24/2008 09:01 AM 814 HPFix.reg
01/24/2008 09:01 AM 157 HPFix2.reg
01/24/2008 09:01 AM 1,786 HPFix3.reg
01/24/2008 09:01 AM 1,388 HPFix4.reg
01/24/2008 09:01 AM 374 MyGcpvFix.reg
01/24/2008 09:01 AM 2,026 MyGkFix2.reg
01/24/2008 09:01 AM 106 Reset_AppInit_DLLs.reg
01/24/2008 09:01 AM 3,654 Restore_SecurityCenter.reg
01/24/2008 09:01 AM 5,768 Restore_SharedAccess.reg
01/24/2008 09:01 AM 424 SecPro1.reg
01/24/2008 09:01 AM 452 SecPro2.reg
01/24/2008 09:01 AM 448 SecPro3.reg
01/24/2008 09:01 AM 476 SecPro4.reg
01/24/2008 09:01 AM 574 SecurityProviders.reg
01/24/2008 09:01 AM 304 winsec.reg
63 File(s) 1,875,366 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix\apps\Replace

01/24/2008 08:09 AM <DIR> .
01/24/2008 08:09 AM <DIR> ..
01/24/2008 09:01 AM 94,208 W2K.exe
01/24/2008 09:01 AM 94,208 XP.exe
01/24/2008 09:01 AM <DIR> w2k
01/24/2008 09:01 AM <DIR> xp
2 File(s) 188,416 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix\apps\Replace\w2k

01/24/2008 08:09 AM <DIR> .
01/24/2008 08:09 AM <DIR> ..
01/24/2008 09:01 AM 4,080 beep.sys
01/24/2008 09:01 AM 2,800 null.sys
2 File(s) 6,880 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix\apps\Replace\xp

01/24/2008 08:09 AM <DIR> .
01/24/2008 08:09 AM <DIR> ..
01/24/2008 09:01 AM 4,224 beep.sys
01/24/2008 09:01 AM 2,944 null.sys
2 File(s) 7,168 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix\backups

01/24/2008 08:15 AM <DIR> .
01/24/2008 08:15 AM <DIR> ..
01/24/2008 08:31 AM 340 backups.zip
01/24/2008 08:31 AM 24,734 backupreg.zip
08/29/2002 05:00 AM 9,216 find.exe
08/04/2004 03:56 AM 27,136 findstr.exe
08/29/2002 05:00 AM 734 HOSTS
08/29/2002 05:00 AM 11,264 attrib.exe
08/04/2004 03:56 AM 146,432 regedit.exe
7 File(s) 219,856 bytes

Total Files Listed:
86 File(s) 5,027,138 bytes
19 Dir(s) 3,494,387,712 bytes free
Volume in drive C has no label.
Volume Serial Number is 9CFB-BEE6

Directory of C:\Documents and Settings\Sam\Desktop

09/29/2007 12:57 PM 3,072 Thumbs.db
01/02/2008 11:14 PM 375 desktop.ini
01/02/2008 11:14 PM 2,648 AlbumArtSmall.jpg
01/02/2008 11:14 PM 2,648 AlbumArt_{75C12C02-2B77-4EBC-904E-D2301F4E6464}_Small.jpg
01/02/2008 11:14 PM 11,018 Folder.jpg
01/02/2008 11:14 PM 11,018 AlbumArt_{75C12C02-2B77-4EBC-904E-D2301F4E6464}_Large.jpg
6 File(s) 30,779 bytes

Directory of C:\Documents and Settings\Sam\Desktop\SDFix

01/24/2008 09:01 AM <DIR> apps
01/24/2008 09:01 AM 6,656 dummy.exe
01/24/2008 09:01 AM 1,024 dummy.sys
2 File(s) 7,680 bytes

Total Files Listed:
8 File(s) 38,459 bytes
1 Dir(s) 3,494,387,712 bytes free

Attached Files

  • Attached File: Peek.zip (195 bytes, 23 downloads)

Edited by HackLyfe, 24 January 2008 - 12:18 PM.
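
The listing above is the Desktop, not the `'` entry. The Deckard's scan earlier in the thread records `C:\Documents and Settings\Sam\'` with attributes `--a------` and size 0, that is a zero-byte file rather than a folder, so the `cd` in peek.bat fails and `dir /s` runs from the batch file's current directory. The Python script below is an added example (not part of the thread and not the helper's peek.bat) that does the same recursive inventory, includes hidden entries, and reports what kind of object the target is instead of silently falling back. The tree built by `demo()` is constructed to mimic the situation; the path constant is only a label.

```python
"""Recursive inventory of a path, including hidden entries, that reports
when the target is a file (or missing) instead of a directory.

Added example, not the thread's peek.bat. It mirrors `dir /s` plus
`dir /a:h /s`, but never falls back to the current directory: if the
target is a zero-byte file named ' (as in the Deckard's log) it says so.
"""
import os
import stat
import tempfile

SAMPLE_TARGET = r"C:\Documents and Settings\Sam\'"  # path from the thread; label only


def is_hidden(path):
    """Hidden means the Windows HIDDEN attribute, or a leading dot elsewhere."""
    name = os.path.basename(path)
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_attr) or name.startswith(".")


def inventory(target):
    """Return {'kind': 'missing'|'file'|'directory', 'entries': [...]}.

    For a directory, entries lists every file below it as
    (relative_path, size, hidden). For a file, entries holds that single
    file so the caller sees that the expected folder is really a file.
    """
    if not os.path.lexists(target):
        return {"kind": "missing", "entries": []}
    if not os.path.isdir(target):
        st = os.lstat(target)
        entry = (os.path.basename(target), st.st_size, is_hidden(target))
        return {"kind": "file", "entries": [entry]}
    entries = []
    for root, _dirs, files in os.walk(target):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, target)
            entries.append((rel, os.lstat(full).st_size, is_hidden(full)))
    entries.sort()
    return {"kind": "directory", "entries": entries}


def report(target):
    """Plain-text report in the spirit of sam-files.txt, returned as a string."""
    inv = inventory(target)
    lines = ["Target: %s (%s)" % (target, inv["kind"])]
    for rel, size, hidden in inv["entries"]:
        lines.append("%s %10d %s" % ("H" if hidden else "-", size, rel))
    return "\n".join(lines)


def demo():
    """Constructed tree: Sam/ with a Desktop folder, a dot-hidden file and a
    zero-byte file literally named ' (as in the Deckard's log). Returns paths."""
    base = tempfile.mkdtemp()
    sam = os.path.join(base, "Sam")
    os.makedirs(os.path.join(sam, "Desktop"))
    with open(os.path.join(sam, "Desktop", "peek.bat"), "w") as f:
        f.write("dir /s\n")
    with open(os.path.join(sam, ".hidden.txt"), "w") as f:
        f.write("x")
    open(os.path.join(sam, "'"), "w").close()               # the zero-byte ' file
    return {"sam": sam,
            "quote": os.path.join(sam, "'"),
            "missing": os.path.join(sam, "nope")}


if __name__ == "__main__":
    paths = demo()
    print(report(paths["quote"]))   # reports kind "file", size 0
    print(report(paths["sam"]))     # full recursive listing, hidden entries flagged
```

Run it on the real path and the first line of the report tells you whether you are looking at a folder or at a stray file, which is the distinction the batch approach could not make.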


#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 January 2008 - 12:47 PM

Ok....
It's not doing what I want... Grrrrr
Let's see what this will do..

Download this tool and save it.

http://www.convertjunction.com/download/jdirprint.zip

Unzip it to its own folder on the desktop.
Open folder and double click JDirPrinter.exe
Let it run.
Check mark ONLY "Recurse sub-directories"
Paste in this exactly:

C:\Documents and Settings\Sam\'

Click "start"
When finished notepad will open.
Save the log someplace and attach it please.

Thanks :thumbsup:

Edited by Blender, 24 January 2008 - 12:53 PM.


#10 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 24 January 2008 - 01:05 PM

ok i uploaded it


#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 January 2008 - 05:05 PM

Hi,

Ok .. nothing there :blink:

A few files to look for and delete.

Make sure hidden files are showing.
How to if needed:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/
don't forget to hide files/folders when we are finished cleaning.

Locate and delete if found the following:

C:\WINDOWS\system32\dcbeg.tmp
C:\WINDOWS\system32\ibimddnw.tmp
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.tmp2
C:\WINDOWS\system32\dcbeg.bak2

Next:

I attached a file called "fix.zip"
Save it to your desktop and unzip it.
You should now have "fix.reg"
Double click it and allow the merge.
Should get success message.
This removes those old programs from the Windows Firewall allow list.

Post me a fresh HijackThis log please and let me know how the system is running.

thanks :thumbsup:

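One way to produce a fix.reg of this kind from the "Authorized Application Key Export" that SDFix printed in post #5, as an added example that is not the helper's attached fix.zip: the script parses the export, keeps the entries whose path refers to a program that is known to be gone, and writes a .reg file using the `"name"=-` syntax, which deletes that value when the file is merged. Which programs count as removed is a caller-supplied list; the demo passes "HB Multi Remote Spy" and "Cain" because the thread says the former was uninstalled and the Abel service was deleted, and that is an assumption about what the real fix.reg targeted, not something the post states. The sample export is a subset of the lines shown in post #5.

```python
"""Generate a .reg file that removes stale Windows Firewall exceptions.

Added example for the thread, not the helper's fix.reg. It reads the
"Authorized Application Key Export" block that SDFix prints (a registry
export), keeps entries whose path belongs to a program known to be
uninstalled, and writes a .reg file using the documented
    "value name"=-
syntax, which deletes that value when the file is merged.
"""
import re
from dataclasses import dataclass
from typing import List

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# <path>:<scope>:<Enabled|Disabled>:<display name>; the path itself contains "C:"
FIREWALL_VALUE = re.compile(r"^(.*?):([^:]*):(Enabled|Disabled):(.*)$", re.IGNORECASE)

# Constructed sample: a subset of the export shown in post #5 of the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\HB Multi Remote Spy\\Client\\ScreenClient.exe"="C:\\Program Files\\HB Multi Remote Spy\\Client\\ScreenClient.exe:*:Enabled:MSRD"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''


@dataclass
class FirewallEntry:
    key: str        # registry key the value lives under
    raw_name: str   # value name exactly as escaped in the export
    path: str       # unescaped executable path
    scope: str      # "*" means any remote address
    state: str      # Enabled / Disabled as written
    label: str      # display name shown in the firewall UI


def unescape(s: str) -> str:
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r"\\(.)", r"\1", s)


def parse_export(text: str) -> List[FirewallEntry]:
    """Parse the export into FirewallEntry objects, key by key."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        raw_name, raw_value = m.groups()
        v = FIREWALL_VALUE.match(unescape(raw_value))
        if not v:
            continue  # not a firewall exception string; leave it alone
        path, scope, state, label = v.groups()
        entries.append(FirewallEntry(key, raw_name, path, scope, state, label))
    return entries


def stale_entries(entries, removed_programs):
    """Entries whose path mentions any of the given (case-insensitive) fragments."""
    frags = [f.lower() for f in removed_programs]
    return [e for e in entries if any(f in e.path.lower() for f in frags)]


def build_removal_reg(entries) -> str:
    """Emit a .reg file that deletes the given values; CRLF as regedit expects."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    current = None
    for e in entries:
        if e.key != current:
            if current is not None:
                lines.append("")
            lines.append("[%s]" % e.key)
            current = e.key
        lines.append('"%s"=-' % e.raw_name)   # "name"=- deletes the value on merge
    lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    # Assumption: these two programs are the ones the thread says are gone.
    stale = stale_entries(found, ["HB Multi Remote Spy", "Cain"])
    print(build_removal_reg(stale))
```

Entries that still refer to installed software (Firefox, sessmgr.exe) are untouched, and the value names are written back exactly as escaped in the export, so the generated file can be reviewed line by line before merging.
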
#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 January 2008 - 05:20 PM

Copy the following text to a new notepad file.
Save as clean.bat
As file type: all files.
Save it to the desktop.

attrib -s -r -h C:\WINDOWS\system32\dcbeg.tmp
attrib -s -r -h C:\WINDOWS\system32\ibimddnw.tmp
attrib -s -r -h C:\WINDOWS\system32\dcbeg.bak1
attrib -s -r -h C:\WINDOWS\system32\dcbeg.tmp2
attrib -s -r -h C:\WINDOWS\system32\dcbeg.bak2
del C:\WINDOWS\system32\dcbeg.tmp
del C:\WINDOWS\system32\ibimddnw.tmp
del C:\WINDOWS\system32\dcbeg.bak1
del C:\WINDOWS\system32\dcbeg.tmp2
del C:\WINDOWS\system32\dcbeg.bak2

Once saved, double click it.
"dos" box will flash up quickly & disappear.
This is normal.

Then carry on with the rest.

Thanks :thumbsup:

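The batch file above was written by hand from the "Files with Hidden Attributes" section of the SDFix report in post #5. As an added example (not the thread's clean.bat), the Python below parses those report lines, keeps the ones under a chosen root (C:\WINDOWS\system32, which matches the helper's selection and leaves the DRM entries alone), and emits the same attrib/del sequence, quoting each path so that names with spaces also work. The report lines embedded in it are copied from post #5; of the SDFix attribute column only the S and H letters are interpreted.

```python
"""Build a clean.bat from the "Files with Hidden Attributes" section of an
SDFix report.

Added example, not the thread's clean.bat. It parses the report lines,
keeps files under a chosen root, and emits the same attrib/del sequence
the helper wrote by hand, with paths quoted so spaces do not break it.
"""
import re
from dataclasses import dataclass
from typing import List

# e.g.  Sat 29 Sep 2007 24,023 ..SH. --- "C:\WINDOWS\system32\dcbeg.tmp"
HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+---\s+"(?P<path>[^"]+)"$'
)

# Lines copied from the SDFix report in post #5 of the thread.
SAMPLE_REPORT = r'''
Files with Hidden Attributes:

Sat 29 Sep 2007 24,023 ..SH. --- "C:\WINDOWS\system32\dcbeg.tmp"
Thu 22 Nov 2007 719,401 ..SH. --- "C:\WINDOWS\system32\ibimddnw.tmp"
Fri 12 Oct 2007 55,848 ..SH. --- "C:\WINDOWS\system32\dcbeg.bak1"
Sat 22 Dec 2007 24,093 ..SH. --- "C:\WINDOWS\system32\dcbeg.tmp2"
Sat 24 Nov 2007 126,215 ..SH. --- "C:\WINDOWS\system32\dcbeg.bak2"
Mon 29 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
'''


@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: str   # SDFix attribute column; only S and H are interpreted here
    path: str

    @property
    def system(self) -> bool:
        return "S" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_hidden_section(text: str) -> List[HiddenFile]:
    """Extract every hidden-file line; other report lines are ignored."""
    files = []
    for line in text.splitlines():
        m = HIDDEN_LINE.match(line.strip())
        if m:
            size = int(m["size"].replace(",", ""))
            files.append(HiddenFile(m["date"], size, m["attrs"], m["path"]))
    return files


def under_root(path: str, root: str) -> bool:
    """Case-insensitive 'path is below root' test for Windows-style paths."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p.startswith(r + "\\")


def select_for_cleanup(files, root=r"C:\WINDOWS\system32"):
    """Keep only files below root; everything else is left for manual review."""
    return [f for f in files if under_root(f.path, root)]


def make_clean_bat(files) -> str:
    """attrib first (clear S, R, H), then del, as in the thread's clean.bat."""
    quoted = ['"%s"' % f.path for f in files]
    lines = ["attrib -s -r -h %s" % q for q in quoted] + ["del %s" % q for q in quoted]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    chosen = select_for_cleanup(parse_hidden_section(SAMPLE_REPORT))
    print(make_clean_bat(chosen))
```

Because the selection is a plain root filter, changing the root (or adding an exclusion) is a one-line edit, and the parsed sizes and attribute flags are available for a sanity check before anything is deleted.
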
#13 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:45 PM

Posted 24 January 2008 - 05:55 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:55 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5491 bytes

#14 Blender

Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 24 January 2008 - 06:10 PM

Almost there I think :blink:

Start Hijackthis
Run system scan and check:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close all open browser windows and hit "fix checked"
OK it and exit Hijackthis.

Reboot, then post a fresh HijackThis log here please.
Don't delete any files. We are just resetting some registry entries to proper values with this fix.

Let me know how the machine is running.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
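A small checker for the two entry types Blender asked to fix above, written as an added example for this thread (not a tool the helpers used). It assumes the Windows XP default Userinit value, including its trailing comma, and runs on constructed lines copied from the log posted earlier.

```python
import re

# Assumption: a clean Windows XP install carries this Userinit value, trailing
# comma included; HijackThis reports an F2 line when the stored value differs.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Every HijackThis entry line starts with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")


def parse_hjt(log_text):
    """Return (code, payload) tuples for each entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(log_text):
    """Flag the two items targeted in this thread: an F2 Userinit value that is
    not the XP default, and any O6 entry (IE Control Panel policy restrictions)."""
    findings = []
    for code, payload in parse_hjt(log_text):
        if code == "F2" and "UserInit=" in payload:
            value = payload.split("UserInit=", 1)[1].strip()
            if value.lower() != EXPECTED_USERINIT.lower():
                findings.append(("F2", "Userinit is %r, expected %r" % (value, EXPECTED_USERINIT)))
        elif code == "O6":
            findings.append(("O6", payload))
    return findings


# Constructed sample: four lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

if __name__ == "__main__":
    for code, detail in review(SAMPLE_LOG):
        print(code, "->", detail)
```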

#15 HackLyfe

HackLyfe
  • Topic Starter

  • Members
  • 20 posts

Posted 24 January 2008 - 06:43 PM

Sorry I took so long, GF called.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:16 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5381 bytes