Backdoor.ramin.ag "I Think"


  • This topic is locked
1 reply to this topic

#1 ashleydupredidthis (Members, 3 posts, Tempe AZ)

Posted 12 April 2008 - 11:26 PM

:thumbsup:


Deckard's System Scanner v20071014.68
Run by STEVE KNOWLES on 2008-04-12 21:14:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as STEVE KNOWLES.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:43 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\STEVE KNOWLES\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\STEVEK~1.EXE

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7039 bytes

-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 20:32:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-12 20:32:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 20:32:21 0 d-------- C:\WINDOWS\LastGood
2008-04-12 17:44:58 0 dr-h----- C:\Documents and Settings\STEVE KNOWLES\Recent
2008-03-22 19:14:07 4818 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 19:13:28 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-22 19:13:28 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-22 19:13:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 19:13:27 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-22 19:13:27 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-22 19:13:27 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-22 19:13:27 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 15:24:26 51 --a------ C:\xmp.bat
2008-03-17 22:39:20 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Google
2008-03-15 21:38:29 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Real
2008-03-15 18:22:20 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Sonic
2008-03-15 18:21:32 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Leadertech
2008-03-14 20:54:54 0 d-------- C:\a636172c5203580eb3bff5c55716f4
2008-03-14 20:54:52 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-14 20:54:51 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-13 23:09:33 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\LimeWire
2008-03-12 18:16:38 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-12 18:14:21 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-12 18:11:49 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Apple Computer
2008-03-12 18:09:55 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-12 18:07:58 0 d--hs---- C:\Documents and Settings\STEVE KNOWLES\UserData
2008-03-12 17:56:03 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Adobe
2008-03-12 17:53:58 0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2008-04-12 21:15:41 5120 --ahs---- C:\Program Files\Thumbs.db
2008-04-12 19:52:42 0 d-------- C:\Program Files\LimeWire
2008-04-12 15:31:10 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\AVG7
2008-03-22 15:50:03 0 d-------- C:\Program Files\Trend Micro
2008-03-17 22:37:38 0 d-------- C:\Program Files\Google
2008-03-15 17:16:09 0 d-------- C:\Program Files\OneStepSearch
2008-03-14 20:56:19 0 d-------- C:\Program Files\Windows Media Connect 2
2008-03-12 18:27:14 0 d-------- C:\Program Files\Messenger
2008-03-12 18:11:42 0 d-------- C:\Program Files\iTunes
2008-03-12 18:10:55 0 d-------- C:\Program Files\QuickTime
2008-03-12 18:00:58 0 d-------- C:\Program Files\Java
2008-03-12 10:03:50 0 d-------- C:\Program Files\Microsoft Works
2008-03-12 10:03:43 0 d-------- C:\Program Files\Common Files
2008-03-12 08:48:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-11 16:56:20 0 d-------- C:\Program Files\NetWaiting
2008-03-11 16:56:07 0 d-------- C:\Program Files\CONEXANT
2008-03-11 16:53:49 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-03-11 16:52:39 0 d-------- C:\Program Files\HP
2008-03-11 16:52:14 0 d-------- C:\Documents and Settings\STEVE KNOWLES\Application Data\Sun
2008-03-11 16:49:48 0 d-------- C:\Program Files\Vongo
2008-03-11 16:49:27 0 d-------- C:\Program Files\Yahoo!
2008-03-11 16:47:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-11 16:47:51 0 d-------- C:\Program Files\Symantec
2008-03-11 16:29:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-11 16:28:59 0 d-------- C:\Program Files\HPQ
2008-03-11 16:19:53 0 d-------- C:\Program Files\DivX
2008-03-11 15:26:00 0 d-------- C:\Program Files\Windows NT
2008-03-11 15:20:08 0 d-------- C:\Program Files\RGB
2008-03-11 15:20:08 0 d-------- C:\Program Files\Quickensetup
2008-03-11 15:19:55 0 d-------- C:\Program Files\Quicken
2008-03-11 15:19:36 0 d-------- C:\Program Files\Online Services
2008-03-11 15:17:41 0 d-------- C:\Program Files\music_now
2008-03-11 15:17:38 0 d-------- C:\Program Files\Movie Maker
2008-03-11 15:16:55 0 d-------- C:\Program Files\Microsoft Office Trial Wizard
2008-03-11 15:16:24 0 d-------- C:\Program Files\Microsoft Money 2006
2008-03-11 15:15:35 0 d-------- C:\Program Files\HP Rhapsody
2008-03-11 15:13:55 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-11 15:13:31 0 d-------- C:\Program Files\GemMaster
2008-03-11 15:13:28 0 d-------- C:\Program Files\EnglishOtto
2008-03-11 15:13:22 0 d-------- C:\Program Files\Encarta Online
2008-03-11 15:12:45 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-11 15:12:39 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2008-03-11 15:11:46 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-11 15:11:37 0 d-------- C:\Program Files\Common Files\Intuit


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 09:56 PM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [05/03/2006 10:58 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/18/2006 01:00 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/18/2006 01:00 AM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [06/01/2006 05:02 PM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [07/11/2006 09:55 PM]
"@"="" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 04:30 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/19/2006 11:33 AM]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [05/30/2006 04:02 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 10:23 AM]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [02/09/2006 09:52 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/12/2008 11:08 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/15/2006 09:00 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/25/2007 03:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2008-04-12 21:16:07 ------------
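The O4 autorun lines, O23 service lines and the dated file listing above are the parts of a HijackThis/DSS log a reviewer reads first. As an added example (not code from HijackThis, DSS or anyone in this thread), the Python below parses those three line types into records and applies two generic checks to each Run-key command: an image with no directory component (such as `regsvr32` or `CHDAudPropShortcut.exe`) is located through the Windows search path rather than a fixed location, and an unquoted image path containing spaces is the classic ambiguous command line that CreateProcess resolves prefix by prefix. The sample lines are copied from the log posted above; the flags describe the form of an entry, not a verdict on this machine, and the record names and flag strings are this example's own.

```python
"""Triage helpers for HijackThis-style O4/O23 lines and a DSS file listing.

Added example for this thread; not part of HijackThis or DSS.  SAMPLE_LOG is a
subset of the log posted above.  The checks describe how Windows resolves a
Run-key command, not whether a given entry is malicious.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the posted log (a subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
2008-03-22 19:13:28 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-22 19:13:27 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attr>\S+) "
                     r"(?P<path>.+?)(?: <(?P<note>[^>]*)>)?$")
EXT = r"\.(?:exe|com|bat|cmd|scr|pif|dll)\b"   # executable-ish extensions we stop at


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    user: Optional[str]
    image: str
    quoted: bool
    flags: tuple


@dataclass
class Service:
    name: str
    company: str
    path: str


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str
    path: str
    note: Optional[str]


def image_of(cmd: str):
    """Return (image, quoted): the program a Run-key command string launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:], True)
    if re.match(r"^(?:[A-Za-z]:\\|%)", cmd):     # absolute or %VAR% path: may contain spaces
        m = re.match(r"^.+?" + EXT, cmd, re.IGNORECASE)
        return ((m.group(0) if m else cmd), False)
    return (cmd.split(" ", 1)[0], False)         # bare name: first token is the program


def autorun_flags(image: str, quoted: bool) -> tuple:
    """Form-based flags (this example's own names), not a maliciousness verdict."""
    flags = []
    if "\\" not in image:
        flags.append("bare-name")       # no directory: found via the search path
    elif " " in image and not quoted:
        flags.append("unquoted-space")  # ambiguous command line, resolved prefix by prefix
    return tuple(flags)


def parse_log(text: str) -> dict:
    """Split a log into Autorun, Service and FileEntry records; other lines are ignored."""
    autoruns, services, files = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            image, quoted = image_of(m["cmd"])
            autoruns.append(Autorun(m["hive"], m["name"], m["cmd"], m["user"],
                                    image, quoted, autorun_flags(image, quoted)))
        elif (m := O23_RE.match(line)):
            services.append(Service(m["name"], m["company"], m["path"]))
        elif (m := FILE_RE.match(line)):
            files.append(FileEntry(m["ts"], int(m["size"]), m["attr"], m["path"], m["note"]))
    return {"autoruns": autoruns, "services": services, "files": files}


def triage(text: str) -> list:
    """Findings a reviewer looks at first: flagged autoruns and files DSS tagged 'Not Verified'."""
    parsed = parse_log(text)
    findings = [(flag, a.name, a.image) for a in parsed["autoruns"] for flag in a.flags]
    findings += [("not-verified", f.path, f.note) for f in parsed["files"]
                 if f.note and f.note.startswith("Not Verified")]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Run against the sample it reports the two bare-name Run entries, the unquoted `%ProgramFiles%` path and the one file DSS tagged `<Not Verified; ...>`; the quoted QPService entry and the per-user HKUS entry pass clean. On a full log, feed the whole post text to `triage()`; lines that match none of the three patterns are skipped.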


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 13 April 2008 - 02:16 AM

Duplicate thread:
http://www.bleepingcomputer.com/forums/t/141543/backdoorraminag-i-think/

So this thread is closed.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



