
Hijackthis And Dss Logs


  • This topic is locked
4 replies to this topic

#1 Mrkx

Mrkx

  • Members
  • 2 posts

Posted 20 June 2008 - 01:43 PM

Hey guys

Below I am posting my logs from Hijackthis and DSS because my brother screwed up his computer and I am at a loss! Basically he has what seems to me to be a fraudulent Windows Security Centre that keeps popping up, asking to download "System Defender". There was a load more stuff before that I got rid of with Smitfraudfix (such as "VIRUS ALERT" over the time in the bottom right, and other pop ups) but there are still pop ups, crashing and this area on the desktop (the top left quarter) that darkens when the cursor is over it...

Anyway, logs below, any help much appreciated. Thanks in advance guys!

Additional note: In trying to download the newer version of HijackThis my browser crashed 3 times in a row! :thumbsup:

p.s. I'm running XP pro, just in case





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:32, on 20/06/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [1ce7b183] rundll32.exe "C:\WINDOWS\System32\eluglwws.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212614478061
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212614464623
O20 - AppInit_DLLs: iSecurity.cpl
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O21 - SSODL: PreBootCheck - {af379abe-7263-4efb-b9eb-ef5629b336a6} - C:\WINDOWS\Resources\SysDrv.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4138 bytes




**************************************************************************************************************




Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-20 19:16:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
14: 2008-06-20 18:13:27 UTC - RP89 - Deckard's System Scanner Restore Point
13: 2008-06-19 20:49:58 UTC - RP88 - System Checkpoint
12: 2008-06-17 01:00:36 UTC - RP87 - Configured Broadcom 440x 10/100 Integrated Controller
11: 2008-06-16 23:38:59 UTC - RP86 - Last known good configuration
10: 2008-06-16 23:38:57 UTC - RP85 - Removed USB DVB-T TV Tuner


-- First Restore Point --
1: 2008-06-16 23:38:56 UTC - RP76 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 0.62 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 19:16:14, on 20/06/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\Administrator.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {203F901B-BF73-4F4A-9D6F-83FA158E9A85} - C:\WINDOWS\System32\awtusrQh.dll
O2 - BHO: (no name) - {45D06DD4-7B73-4CE0-BF56-B3B2142E93FA} - C:\WINDOWS\System32\nnnkHbXR.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: cj helper - {B552B8A4-76AC-4e8c-A469-C1585B111116} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [1ce7b183] rundll32.exe "C:\WINDOWS\System32\eluglwws.dll",b
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212614478061
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212614464623
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: nnnkHbXR - C:\WINDOWS\SYSTEM32\nnnkHbXR.dll
O20 - Winlogon Notify: routew - C:\WINDOWS\SYSTEM32\routew.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O21 - SSODL: PreBootCheck - {af379abe-7263-4efb-b9eb-ef5629b336a6} - C:\WINDOWS\Resources\SysDrv.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 rotw (WIRELESS Route service) - c:\windows\system32\rotw.sys
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 EC168BDA (EC168BDA service) - c:\windows\system32\drivers\ec168bda.sys <Not Verified; e3C, Inc.; e3C DTV Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 FCI - c:\windows\system32\svchost.exe:ext.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: USB Device
Device ID: USB\VID_046D&PID_08B2&MI_00\6&33E2D93F&0&0000
Manufacturer:
Name: USB Device
PNP Device ID: USB\VID_046D&PID_08B2&MI_00\6&33E2D93F&0&0000
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_265C&SUBSYS_01991028&REV_03\3&172E68DD&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_265C&SUBSYS_01991028&REV_03\3&172E68DD&0&EF
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10416D21&0&10F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10416D21&0&10F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_266A&SUBSYS_01991028&REV_03\3&172E68DD&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_266A&SUBSYS_01991028&REV_03\3&172E68DD&0&FB
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\PNP0103\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\PNP0103\2&DABA3FF&0
Service:


-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-19 18:59:30 1270 --a------ C:\WINDOWS\System32\tmp.reg
2008-06-19 18:49:48 25600 --a------ C:\WINDOWS\System32\WS2Fix.exe
2008-06-19 18:49:48 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-19 18:49:48 86528 --a------ C:\WINDOWS\System32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-19 18:49:48 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-19 18:49:48 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 18:49:48 82944 --a------ C:\WINDOWS\System32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-19 18:49:48 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2008-06-19 18:49:48 81920 --a------ C:\WINDOWS\System32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-19 16:54:25 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-19 01:47:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\shctjpj0eeee
2008-06-19 01:47:11 0 d-------- C:\Program Files\shctjpj0eeee
2008-06-18 21:00:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-18 20:40:56 0 d-------- C:\iSecurity
2008-06-18 20:35:58 1 --a------ C:\WINDOWS\tmark2.dat
2008-06-18 20:35:55 26112 --a------ C:\WINDOWS\mstre5.exe
2008-06-18 20:35:52 0 d-------- C:\WINDOWS\System32\689371
2008-06-18 20:35:49 0 d-------- C:\Program Files\iSecurity
2008-06-18 19:40:14 93568 --a------ C:\WINDOWS\System32\gpihtglh.dll
2008-06-17 19:04:07 94080 --a------ C:\WINDOWS\System32\yahjmbgr.dll
2008-06-17 10:08:28 0 d--hs---- C:\Documents and Settings\LocalService\Application Data\wsnpoem
2008-06-17 10:04:15 0 d-------- C:\WINDOWS\System32\763444
2008-06-17 02:03:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-06-17 00:39:28 92544 --a------ C:\WINDOWS\System32\tykqtiqm.dll
2008-06-17 00:38:46 237756 --ahs---- C:\WINDOWS\System32\hQrsutwa.ini2
2008-06-17 00:38:44 322432 --a------ C:\WINDOWS\System32\awtusrQh.dll
2008-06-17 00:33:30 180224 --a------ C:\WINDOWS\xvorfwbd.dll
2008-06-17 00:33:30 155648 --a------ C:\WINDOWS\vrmdtneg.dll
2008-06-17 00:33:30 245760 --a------ C:\WINDOWS\ksendlbtdpl.dll
2008-06-17 00:33:29 229376 --a------ C:\WINDOWS\wpvmqosg.dll
2008-06-17 00:33:29 94208 --a------ C:\WINDOWS\exwd.exe
2008-06-17 00:33:28 30336 --a------ C:\WINDOWS\System32\nnnkHbXR.dll
2008-06-16 21:08:15 1769472 --a------ C:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-16 21:08:15 1703936 --a------ C:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-16 21:06:18 0 d-------- C:\Program Files\USB DVB-T TV Tuner
2008-06-12 23:59:25 0 d-------- C:\Program Files\7-Zip
2008-06-10 03:11:17 22322 --a------ C:\WINDOWS\System32\routew.dll
2008-06-10 03:11:17 8352 --a------ C:\WINDOWS\System32\rotw.sys
2008-06-10 03:11:17 6239 --a------ C:\WINDOWS\System32\rdata.bin
2008-06-09 21:09:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-06-09 21:02:01 96896 --a------ C:\WINDOWS\System32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-06-09 21:02:00 0 d-------- C:\Program Files\MagicDisc
2008-06-06 09:41:43 0 d-------- C:\Program Files\MSXML 4.0
2008-06-05 11:49:56 20261 --a------ C:\d1.exe
2008-06-05 11:49:50 2 --a------ C:\484946220
2008-06-05 11:49:29 12288 --a------ C:\sedjecny.exe
2008-06-05 11:49:06 12961 --a------ C:\syam.exe
2008-06-05 11:48:58 12800 --a------ C:\rhdhhha.exe
2008-06-05 11:46:58 23180 --a------ C:\htab.exe
2008-06-05 03:08:45 0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2008-06-05 03:00:32 25600 --a------ C:\WINDOWS\System32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-05 03:00:32 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2008-06-05 00:38:17 47105 --a------ C:\Documents and Settings\Administrator\schosst.exe
2008-06-04 22:30:00 0 d-------- C:\WINDOWS\System32\bits
2008-06-04 22:21:13 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-04 22:20:46 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-04 22:18:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-04 12:38:54 0 d-------- C:\Program Files\uTorrent
2008-06-04 12:38:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-04 09:46:22 0 d-------- C:\Program Files\BitTorrent
2008-06-04 09:23:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-06-04 09:22:52 0 d-------- C:\Program Files\DNA
2008-06-04 09:22:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-06-03 23:19:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-03 23:19:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-03 20:56:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-03 19:43:09 0 d-------- C:\Program Files\Yahoo!
2008-06-03 19:43:03 0 d-------- C:\Program Files\CCleaner
2008-06-03 19:37:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-03 19:37:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-03 19:29:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-06-03 19:28:43 0 d-------- C:\Program Files\O2
2008-06-03 19:25:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-03 19:25:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-03 19:24:10 0 d-------- C:\Program Files\SiteAdvisor
2008-06-03 19:21:15 0 d---s---- C:\WINDOWS\System32\Microsoft
2008-06-03 19:19:40 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-03 19:06:38 0 d-------- C:\Program Files\Broadcom
2008-06-03 18:50:43 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-05-30 23:16:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-05-30 23:15:24 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-30 23:14:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-30 23:14:36 0 d-------- C:\Program Files\Google
2008-05-29 21:29:21 0 d-------- C:\Program Files\BinaryBiz


-- Find3M Report ---------------------------------------------------------------

2008-06-16 21:22:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 22:47:01 0 d-------- C:\Program Files\Common Files
2008-06-04 22:21:56 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-04 22:18:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-03 19:06:30 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-19 16:27:55 0 d-------- C:\Program Files\Fujitsu
2008-04-20 23:16:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Samsung
2008-04-20 23:13:46 0 d-------- C:\Program Files\Samsung
2008-04-15 09:41:33 0 -rahs---- C:\MSDOS.SYS
2008-04-15 09:41:33 0 -rahs---- C:\IO.SYS
2008-04-15 09:41:33 0 --a------ C:\CONFIG.SYS
2008-04-15 09:41:33 0 --a------ C:\AUTOEXEC.BAT
2008-04-15 09:39:03 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-04-15 08:30:36 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{203F901B-BF73-4F4A-9D6F-83FA158E9A85}]
17/06/2008 00:38 322432 --a------ C:\WINDOWS\System32\awtusrQh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45D06DD4-7B73-4CE0-BF56-B3B2142E93FA}]
17/06/2008 00:33 30336 --a------ C:\WINDOWS\System32\nnnkHbXR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8311E8F-E459-4D22-89B4-CB9DCF10A425}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iSecurity applet"="iSecurity.cpl" [18/06/2008 20:35 C:\WINDOWS\system32\iSecurity.cpl]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"1ce7b183"="C:\WINDOWS\System32\eluglwws.dll" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WintelUpdate"=c:\rhdhhha.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{45D06DD4-7B73-4CE0-BF56-B3B2142E93FA}"= C:\WINDOWS\System32\nnnkHbXR.dll [17/06/2008 00:33 30336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"iSecurity"= {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl [ ]
"PreBootCheck"= {af379abe-7263-4efb-b9eb-ef5629b336a6} - C:\WINDOWS\Resources\SysDrv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkHbXR]
nnnkHbXR.dll 17/06/2008 00:33 30336 C:\WINDOWS\system32\nnnkHbXR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\routew]
routew.dll 10/06/2008 03:11 22322 C:\WINDOWS\system32\routew.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awtusrQh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe




-- End of Deckard's System Scanner: finished at 2008-06-20 19:17:01 ------------
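As an added example for readers triaging logs like the one above (not code from the thread, nor from HijackThis or DSS), here is a small Python script that reads HijackThis lines and flags the persistence patterns visible in this log: an extra executable on Userinit, an AppInit_DLLs entry, a Winlogon Notify package, a service whose binary sits in an NTFS alternate data stream, and entries whose file is missing. The sample input is constructed from lines of the posted log; the rules are heuristics written for this example, not the tool's own checks.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of lines copied from the HijackThis log posted
# above, plus two benign Google entries for contrast. Not the full log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {203F901B-BF73-4F4A-9D6F-83FA158E9A85} - C:\WINDOWS\System32\awtusrQh.dll
O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [1ce7b183] rundll32.exe "C:\WINDOWS\System32\eluglwws.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: nnnkHbXR - C:\WINDOWS\SYSTEM32\nnnkHbXR.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HijackThis line starts with a section code (F2, O2, O4, O23, ...).
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

def is_ads_path(text: str) -> bool:
    """A second colon after the drive letter (svchost.exe:ext.exe) means the
    binary lives in an NTFS alternate data stream behind a legitimate name."""
    return re.search(r"[A-Za-z]:\\[^:]*:[^\\\s]+$", text) is not None

def check_line(line: str) -> List[str]:
    """Reasons one HijackThis line deserves a closer look. The heuristics are
    written for this example from the posted log, not HijackThis's own logic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []
    # Userinit should list only userinit.exe; anything appended runs at every logon.
    if sec == "F2" and "UserInit=" in body:
        exes = [p for p in body.split("=", 1)[1].split(",") if p]
        extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("extra Userinit executable: " + ", ".join(extra))
    # Entries whose file is gone are leftovers of a partially cleaned component.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry (file missing)")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    # AppInit_DLLs is loaded into every process that links user32.dll.
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs injection")
    # Winlogon Notify packages execute inside winlogon.exe at logon/logoff.
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify package (runs in winlogon.exe, review)")
    # Run keys named with eight random hex digits are a common dropper habit.
    if sec == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1)):
            reasons.append("random hex Run key name")
    if sec == "O23" and is_ads_path(body):
        reasons.append("service binary in NTFS alternate data stream")
    if re.search(r"\\Temp\\", body, re.IGNORECASE):
        reasons.append("loads from a Temp directory")
    return reasons

def triage(log_text: str) -> List[Dict[str, object]]:
    """Run check_line over a whole log, keeping only lines with a reason."""
    hits = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits.append({"line": line.strip(), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("   ->", reason)
```

Run against the sample it flags seven of the nine lines and leaves both Google entries alone; the same rules can be pointed at a full saved HijackThis log file.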


#2 Sp0nge

Sp0nge

  • Members
  • 643 posts
  • Gender:Male
  • Location:Sydney, Australia

Posted 20 June 2008 - 05:19 PM

Hi Mrkx,

My name is Pat, and I'll be taking your log today.

Please allow me some time to review your log and I'll get back to you with some instructions as soon as possible.

Thanks for your patience! :thumbsup:

~Pat

#3 Sp0nge

Sp0nge

  • Members
  • 643 posts
  • Gender:Male
  • Location:Sydney, Australia

Posted 21 June 2008 - 05:16 AM

Hi Mrkx,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
Apply the update, reboot, and post a fresh Deckard's System Scanner log.

Also, one or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, stealing passwords, credit card info, and personal data. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

The best course of action to take is to reformat your PC as there are a lot of nasty infections on it that we may not even be able to fully get rid of for sure. The backdoor application has probably changed many settings and infected a lot of files.

Please read these topics before you make your decision

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

However, if you want to go ahead and try to clean up your PC, let me know and we will get started!

~Pat.

#4 Mrkx

Mrkx
  • Topic Starter

  • Members
  • 2 posts

Posted 24 June 2008 - 03:19 PM

Hi Pat,

Thanks for the reply! Apologies for the late response since this isn't my PC but my brother's. Given what you've told me I think I'm going to recommend he reformat, which isn't going to go down well! He has a slave drive and I want to pass his files there and then move them back, but how do I know that 1) the slave drive isn't infected and 2) that the files I'm moving aren't infected or include a virus?

Once I've reformatted, what would you recommend in the way of stopping this from happening again? I can tell him till I'm blue in the face not to go to dodgy sites, but that would pretty much mean he wouldn't use the PC!

Thanks again mate, much appreciated (ps You've scared me so much that I'm gonna post a log from my own PC just in case!)

Edited by Mrkx, 24 June 2008 - 03:20 PM.


#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 01 July 2008 - 08:47 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



