Trojan Horse


This topic is locked
2 replies to this topic

#1 wam00


  • Members
  • 1 posts

Posted 06 May 2008 - 01:06 PM

ComboFix 08-05-01.3 - Owner 2008-05-06 11:09:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.425 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.YOUR-A5DE43F869\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Owner.YOUR-A5DE43F869\Local Settings\Temporary Internet Files\sph264.dll
C:\Documents and Settings\Owner.YOUR-A5DE43F869\Local Settings\Temporary Internet Files\spmpeg4.dll
C:\Documents and Settings\Owner.YOUR-A5DE43F869\Local Settings\Temporary Internet Files\sptheo.dll
C:\Documents and Settings\Owner.YOUR-A5DE43F869\Local Settings\Temporary Internet Files\StreamPlug.dll
C:\Program Files\NetProject
C:\Program Files\NetProject\ot.ico
C:\Program Files\NetProject\sbmdl.dll
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\ts.ico
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-04-27 04:09 . 2008-04-27 04:09 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\Sibelius Software
2008-04-27 04:08 . 2008-04-27 04:08 <DIR> d-------- C:\Program Files\Musicnotes
2008-04-25 13:47 . 2008-04-25 13:47 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 15:11 --------- d-----w C:\Program Files\Symantec Antivirus
2008-05-06 15:02 --------- d-----w C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\AVG7
2008-05-06 15:02 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-06 15:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-02 19:19 --------- d-----w C:\Program Files\Google
2008-05-02 19:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-02 19:11 --------- d-----w C:\Program Files\DivX
2008-04-25 17:47 --------- d-----w C:\Program Files\Common Files\Real
2008-04-16 01:24 --------- d-----w C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\LimeWire
2008-04-05 19:00 --------- d-----w C:\Program Files\Pure Networks
2008-04-05 02:26 --------- d-----w C:\Program Files\VISTAS2e
2008-04-04 07:16 --------- d-----w C:\Program Files\Yahoo!
2008-04-01 03:30 --------- d-----w C:\Program Files\Cedelia
2008-03-30 06:38 --------- d-----w C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\Talkback
2008-03-28 14:47 --------- d-----w C:\Program Files\Java
2008-03-24 05:32 --------- d-----w C:\Program Files\LimeWire
2008-03-18 22:06 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-03-18 22:06 --------- d-----w C:\Program Files\LynxMessenger
2008-03-11 22:01 --------- d-----w C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\Elluminate
2007-09-18 00:32 5,316 ----a-w C:\Documents and Settings\Owner.YOUR-A5DE43F869\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= C:\Program Files\NetProject\wamdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 00:24 32768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 11:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 11:47 688218]
"HostManager"="C:\Program Files\Common Files\AOL\1134806378\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 01:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-17 04:00 98304]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"bncsaui.exe"="C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe" [2007-08-23 16:32 1916296]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"LynxMessenger"="C:\Program Files\LynxMessenger\LynxMessenger.exe" [2007-12-17 12:09 327680]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 13:46 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 15:00 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"= C:\WINDOWS\system32\uyhjw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134806378\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Common Files\\AOL\\1134806378\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe"= C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\LynxMessenger\\LynxMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

R2 BNPagent;Client Security Agent Service;"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe" [2007-08-23 16:32]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-25 18:26]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 15:10]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8b1c4ea-8fbd-11da-9033-00038a000015}]
\Shell\AutoRun\command - 8386nac.com
\Shell\explore\Command - 8386nac.com
\Shell\open\Command - 8386nac.com

.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 14:18:12 C:\WINDOWS\Tasks\At1.job"
- c:\program files\symantec antivirus\vpdn_lu.exe
"2008-05-06 15:16:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 11:14:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Symantec Antivirus\DefWatch.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\AOL\1134806378\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec Antivirus\Rtvscan.exe
C:\Program Files\Symantec Antivirus\DoScan.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-06 11:21:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 15:21:21

Pre-Run: 68,205,289,472 bytes free
Post-Run: 68,727,861,248 bytes free

190 --- E O F --- 2008-05-02 09:34:41

#2 pskelley


  • Staff Emeritus
  • 1,487 posts

Posted 09 May 2008 - 06:38 PM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

If you still want help, please do this:

1) Read the instructions posted above and pinned to the top of the forum.

2) Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley


  • Staff Emeritus
  • 1,487 posts

Posted 16 May 2008 - 04:12 PM

There has been no response to this topic in a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
