

Trojan Vundo.EGG, Trojan Retapu.D, Generic.Zeno.E5F12F0C, Adware.Isearch.D, Trojan Downloader.Small.


  • This topic is locked
4 replies to this topic

#1 425Fool

425Fool

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 06 May 2008 - 01:48 AM

Mod Edit: Log split away from topic here http://www.bleepingcomputer.com/forums/t/144809/infected-by-something-wicked/

Deckard system scanner report is below.

I was not able to load Kaspersky because my IE is too corrupted and I can't get enough space on my hard disk in time before whatever is on my computer partitions off the space. I have cleared about 1 Gig of new space on my computer but the computer still shows that it has less than 100 MB of space on it.



Deckard's System Scanner v20071014.68
Run by Paul Hanken on 2008-05-05 23:34:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; disk is full.


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.01 GiB (less than 15%) free.


-- HijackThis (run as Paul Hanken.exe) ----------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-05 23:38:01
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRSVC01A.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Sony\giga pocket\shwserv.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\BrmfRsmg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\dwwin.exe
C:\DOCUME~1\PAULHA~1\LOCALS~1\Temp\SSUPDATE.EXE
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\WINDOWS\system32\wuauclt.exe
K:\dss.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BDE63BC-B7DB-4D77-AD5C-62C589F0D848} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://nwmls.com (HKCU)
O15 - Trusted Zone: https://nwmls.com (HKCU)
O15 - Trusted Zone: http://rapmls.com (HKCU)
O15 - Trusted Zone: https://rapmls.com (HKCU)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB857FA6-DF47-4C6D-9A69-64FC06522F77}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGaaBUn - C:\WINDOWS\system32\hgGaaBUn.dll (file missing)
O20 - Winlogon Notify: __c0083BA5 - C:\WINDOWS\system32\
O20 - Winlogon Notify: __c00ADE68 - C:\WINDOWS\system32\
O20 - Winlogon Notify: __c00E6A62 - C:\WINDOWS\system32\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\BRSVC01A.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\giga pocket\shwserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\wdsvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: My Current Home Page -

--
End of file - 12617 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - NOTEDAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.reg - regfile - shell\edit\command - NOTEDAD.EXE %1
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 tdtcpp - c:\windows\system32\drivers\tdtcpp.sys
R2 BrPar - c:\windows\system32\drivers\brpar.sys
R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys

S1 ikhfile (File Security Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhfile.sys (file missing)
S1 ikhlayer (Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhlayer.sys (file missing)
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\7.tmp (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe
R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe

S2 Retrospect Helper - "c:\program files\dantz\retrospect\rthlpsvc.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-05 23:00:00 350 --a----c- C:\WINDOWS\Tasks\At48.job
2008-05-05 23:00:00 350 --a----c- C:\WINDOWS\Tasks\At24.job
2008-05-05 22:00:00 350 --a----c- C:\WINDOWS\Tasks\At47.job
2008-05-05 22:00:00 350 --a----c- C:\WINDOWS\Tasks\At23.job
2008-05-05 21:00:00 350 --a----c- C:\WINDOWS\Tasks\At46.job
2008-05-05 21:00:00 350 --a----c- C:\WINDOWS\Tasks\At22.job
2008-05-05 20:00:00 350 --a----c- C:\WINDOWS\Tasks\At45.job
2008-05-05 20:00:00 350 --a----c- C:\WINDOWS\Tasks\At21.job
2008-05-05 19:00:00 350 --a----c- C:\WINDOWS\Tasks\At44.job
2008-05-05 19:00:00 350 --a----c- C:\WINDOWS\Tasks\At20.job
2008-05-05 18:00:00 350 --a----c- C:\WINDOWS\Tasks\At43.job
2008-05-05 18:00:00 350 --a----c- C:\WINDOWS\Tasks\At19.job
2008-05-05 17:00:00 350 --a----c- C:\WINDOWS\Tasks\At42.job
2008-05-05 17:00:00 350 --a----c- C:\WINDOWS\Tasks\At18.job
2008-05-05 16:00:00 350 --a----c- C:\WINDOWS\Tasks\At41.job
2008-05-05 16:00:00 350 --a----c- C:\WINDOWS\Tasks\At17.job
2008-05-05 15:00:00 350 --a----c- C:\WINDOWS\Tasks\At40.job
2008-05-05 15:00:00 350 --a----c- C:\WINDOWS\Tasks\At16.job
2008-05-05 14:00:00 350 --a----c- C:\WINDOWS\Tasks\At39.job
2008-05-05 14:00:00 350 --a----c- C:\WINDOWS\Tasks\At15.job
2008-05-05 13:00:00 350 --a----c- C:\WINDOWS\Tasks\At38.job
2008-05-05 13:00:00 350 --a----c- C:\WINDOWS\Tasks\At14.job
2008-05-05 09:00:00 350 --a----c- C:\WINDOWS\Tasks\At34.job
2008-05-05 09:00:00 350 --a----c- C:\WINDOWS\Tasks\At10.job
2008-05-05 08:00:00 350 --a----c- C:\WINDOWS\Tasks\At9.job
2008-05-05 08:00:00 350 --a----c- C:\WINDOWS\Tasks\At33.job
2008-05-05 07:00:00 350 --a----c- C:\WINDOWS\Tasks\At8.job
2008-05-05 07:00:00 350 --a----c- C:\WINDOWS\Tasks\At32.job
2008-05-05 06:00:00 350 --a----c- C:\WINDOWS\Tasks\At7.job
2008-05-05 06:00:00 350 --a----c- C:\WINDOWS\Tasks\At31.job
2008-05-05 05:00:00 350 --a----c- C:\WINDOWS\Tasks\At6.job
2008-05-05 05:00:00 350 --a----c- C:\WINDOWS\Tasks\At30.job
2008-05-05 04:00:00 350 --a----c- C:\WINDOWS\Tasks\At5.job
2008-05-05 04:00:00 350 --a----c- C:\WINDOWS\Tasks\At29.job
2008-05-05 03:04:00 358 --a----c- C:\WINDOWS\Tasks\EastTecEraser.job
2008-05-05 03:00:00 350 --a----c- C:\WINDOWS\Tasks\At4.job
2008-05-05 03:00:00 350 --a----c- C:\WINDOWS\Tasks\At28.job
2008-05-05 02:00:00 350 --a----c- C:\WINDOWS\Tasks\At3.job
2008-05-05 02:00:00 350 --a----c- C:\WINDOWS\Tasks\At27.job
2008-05-05 01:00:00 350 --a----c- C:\WINDOWS\Tasks\At26.job
2008-05-05 01:00:00 350 --a----c- C:\WINDOWS\Tasks\At2.job
2008-05-05 00:00:00 350 --a----c- C:\WINDOWS\Tasks\At25.job
2008-05-05 00:00:00 350 --a----c- C:\WINDOWS\Tasks\At1.job
2008-05-04 10:00:00 350 --a----c- C:\WINDOWS\Tasks\At35.job
2008-05-04 10:00:00 350 --a----c- C:\WINDOWS\Tasks\At11.job
2008-05-03 12:00:00 350 --a----c- C:\WINDOWS\Tasks\At37.job
2008-05-03 12:00:00 350 --a----c- C:\WINDOWS\Tasks\At13.job
2008-05-03 11:00:00 350 --a----c- C:\WINDOWS\Tasks\At36.job
2008-05-03 11:00:00 350 --a----c- C:\WINDOWS\Tasks\At12.job
2008-04-29 21:35:00 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 23:13:31 0 d------c- C:\Erase38E.tmp
2008-05-05 21:59:54 0 d------c- C:\EraseC61.tmp
2008-05-02 12:11:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 23:52:47 0 d------c- C:\Documents and Settings\Paul Hanken\Application Data\Malwarebytes
2008-05-01 23:52:30 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 23:52:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 17:59:12 0 d------c- C:\VundoFix Backups
2008-04-30 17:55:04 0 d------c- C:\327882R2FWJFW
2008-04-30 17:19:28 0 d------c- C:\Erase008.tmp
2008-04-29 12:01:30 0 --ahs--c- C:\Documents and Settings\Paul Hanken\Application Data\0048176ff6aba2dd96cccedcfef8a3d4abafab8ac3bf6e3f0a.dat
2008-04-29 11:42:38 0 d--hs---- C:\WINDOWS\UGF1bCAgSGFua2Vu
2008-04-29 11:42:26 86144 --a------ C:\WINDOWS\system32\drivers\tdtcpp.sys
2008-04-29 11:42:22 0 d-------- C:\WINDOWS\system32\gx4
2008-04-29 11:42:19 0 d-------- C:\Program Files\??crosoft.NET


-- Find3M Report ---------------------------------------------------------------

2008-05-02 12:14:23 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-02 12:14:18 0 d------c- C:\Documents and Settings\Paul Hanken\Application Data\SUPERAntiSpyware.com
2008-05-02 12:11:29 0 d-------- C:\Program Files\Common Files
2008-04-30 23:52:26 0 d-------- C:\Program Files\Java
2008-04-30 11:52:33 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-04-29 16:56:40 0 d-------- C:\Program Files\??crosoft.NET
2008-04-29 14:02:05 33 --a----c- C:\Documents and Settings\Paul Hanken\Application Data\install.ini
2008-03-12 13:31:13 0 d-------- C:\Documents and Settings\Paul Hanken\Application Data\PureEdge
2008-03-12 13:30:52 0 d-------- C:\Program Files\PureEdge
2008-03-12 13:30:51 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BDE63BC-B7DB-4D77-AD5C-62C589F0D848}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2007-08-22 17:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-28 00:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 10:06]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 12:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 16:51]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 12:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IESet"=IExplorer.dll .dbt

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGaaBUn]
hgGaaBUn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0083BA5]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00ADE68]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00E6A62]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ezShieldProtector for Px"=C:\WINDOWS\System32\ezSP_Px.exe
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" /server
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /installquiet
"ATIModeChange"=Ati2mdxx.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
"IndexSearch"=C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
"SetDefPrt"=C:\Program Files\Brother\Brmflp03\BrStDvPt.exe
"HPHUPD05"=D:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k
"WD Button Manager"=WDBtnMgr.exe
"PaperPort PTD"=C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
"HPHmon05"=C:\WINDOWS\system32\hphmon05.exe
"HP Software Update"="D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"SM1BG"=C:\WINDOWS\SM1BG.EXE
"AGRSMMSG"=AGRSMMSG.exe
"SDFix"=C:\SDFix\RunThis.bat /second
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"NapsterShell"=C:\Program Files\Napster\napster.exe /systray
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"IESet"=IExplorer.dll .dbt

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan




-- End of Deckard's System Scanner: finished at 2008-05-05 23:39:57 ------------

Edited by KoanYorel, 06 May 2008 - 07:09 AM.
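As an added, defender-side example that is not part of this thread or of the Deckard/HijackThis tools: a small parser that reads HijackThis-style lines like the ones in the log above and surfaces the two entry types a responder usually checks first, Winlogon Notify (O20) hooks whose DLL is absent or whose path is empty, and Run (O4) entries that do not point at an absolute path. The sample input is a subset of lines copied from the log posted above; the entry format and the triage rules are the example's own assumptions, not rules from the thread.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis clone log
# in the post above (the full log has many more entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGaaBUn - C:\WINDOWS\system32\hgGaaBUn.dll (file missing)
O20 - Winlogon Notify: __c0083BA5 - C:\WINDOWS\system32\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis line starts with a section code (R0..R3, O1..O24) and " - ".
HJT_LINE = re.compile(r"^(?P<code>O\d+|R\d) - (?P<body>.*)$")
# An absolute Windows path, optionally wrapped in double quotes.
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')
# "[name] command" as used by O4 Run entries.
O4_BODY = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_hjt(text):
    """Return a list of (section_code, body) tuples for each recognised line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def flag_entries(text):
    """Return (code, name, reason) for entries that deserve a closer look.

    Triage rules (an assumption of this example, not a complete ruleset):
      * O20 Winlogon Notify hook whose DLL path is empty or marked
        "(file missing)": the registry hook outlived its payload, or the
        payload is hidden from the scanner.
      * O4 Run entry whose command is not an absolute path: the loader
        relies on search-path resolution, which legitimate installers
        rarely do and which is worth verifying by hand.
    """
    findings = []
    for code, body in parse_hjt(text):
        if code == "O20":
            # body looks like: "Winlogon Notify: <name> - <dll path>"
            name, _, path = body.partition(": ")[2].partition(" - ")
            if path.endswith("\\") or "(file missing)" in path:
                findings.append((code, name, "Winlogon Notify hook with no DLL on disk"))
        elif code == "O4":
            # body looks like: "<hive>\..\Run: [<name>] <command>"
            m = O4_BODY.search(body)
            if m and not ABS_PATH.match(m.group("cmd")):
                findings.append((code, m.group("name"), "Run entry without an absolute path"))
    return findings


if __name__ == "__main__":
    for code, name, reason in flag_entries(SAMPLE_LOG):
        print(f"{code:<4} {name:<14} {reason}")
```

Run against the sample, the script reports the IESet Run entry (no path, loads a .dll via a non-standard extension) and the two Winlogon Notify hooks with no DLL on disk, while the vendor-signed SUPERAntiSpyware hook and the normal Run entries pass. The rules are deliberately narrow; a hit is a reason to inspect the entry, not by itself proof of infection.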



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 AM

Posted 18 May 2008 - 08:14 PM

Hello 425Fool,

Welcome to Bleeping Computer :)

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 425Fool

425Fool
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 18 May 2008 - 11:44 PM

Thanks,

Actually that computer has been off since I had the last message. It is practically unusable at this point.

I don't have any activity on it so can you just use the last hijack log?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 AM

Posted 19 May 2008 - 12:51 AM

Hello,

Before we go any further, you should know you have a password stealing trojan on your system : http://vil.nai.com/vil/content/v_132935.htm

The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP. The Trojan downloads and executes additional files from a remote site. Configuration files may also be downloaded which define further behaviors.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Regards,
tea

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 AM

Posted 29 May 2008 - 12:27 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.