
Js/uragon



#1 michiko
  • Members
  • 1 posts

Posted 08 July 2008 - 08:50 AM

Here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:39 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updater23] c:\windows\service.exe.js
O4 - HKCU\..\Policies\Explorer\Run: [1] c:\windows\system32\winx86.dll.js
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B7F3F7-28EF-4F3F-9B66-D022EEAE1831}: NameServer = 203.177.255.10 202.95.226.66
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5864 bytes

The virus/worm is located in my uncle's N95. He connected it to our pc (USB). This was detected by Autorun Eater.

Spybot scan shows the following:

Microsoft.Windows.Explorer: [SBI $A0C5C610] User settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-1004336348-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-1004336348-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-1004336348-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Microsoft.Windows.System: [SBI $CA5FA75C] Settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-1004336348-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton

Right Media: Tracking cookie (Internet Explorer: User) (Cookie, nothing done)


--- Spybot - Search & Destroy version: 1.5.2  (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-05 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-24 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-25 Includes\Keyloggers.sbi (*)
2008-07-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-07-02 Includes\Malware.sbi (*)
2008-07-01 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-07-01 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-07-01 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-24 Includes\Trojans.sbi (*)
2008-07-01 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I'm using Firefox 3 now, Nod32 as AV, and Spybot. Also got TuneUp Utilities.
Task Manager, Run and Folder Options - disabled, but I got Folder Options back using Autorun Eater.

Hope to get responses soon.
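Added example (not code from the original post, HijackThis or Spybot): a small Python triage of the O4 autostart entries from the log above. It flags the two entries that launch .js files from the Run and Policies\Explorer\Run keys, which is also why WScript.exe appears twice in the running-process list. The sample lines are a subset copied from the log; the extension lists and the "Policies\Explorer\Run is unusual" heuristic are my own assumptions.

```python
import re

# Extensions executed by the Windows Script Host / mshta rather than loaded as a PE binary (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}

# Registry form: "O4 - HKCU\..\Run: [name] command"; shortcut form: "O4 - Startup: x.lnk = path"
REG_ENTRY = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_ENTRY = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First path-like token: quoted, or an unquoted path (spaces allowed) ending in a known extension.
TARGET = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|js|jse|vbs|vbe|wsf|wsh|hta|bat|cmd|scr|com|pif)))(?=\s|$)', re.I)

# Constructed sample: a subset of the O4 lines from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updater23] c:\windows\service.exe.js
O4 - HKCU\..\Policies\Explorer\Run: [1] c:\windows\system32\winx86.dll.js
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
"""

def parse_o4(log_text):
    """Yield (location, name, target path) for every O4 line; non-O4 lines are skipped."""
    for line in log_text.splitlines():
        m = REG_ENTRY.match(line) or LNK_ENTRY.match(line)
        if not m:
            continue
        t = TARGET.match(m["cmd"].strip())
        target = (t["q"] or t["u"]) if t else m["cmd"].strip()
        yield m["loc"], m["name"], target

def triage_o4(log_text):
    """Return the autostart entries worth a closer look, each with the reasons it was flagged."""
    flagged = []
    for loc, name, target in parse_o4(log_text):
        exts = target.rsplit("\\", 1)[-1].lower().split(".")[1:]   # extensions of the file name
        reasons = []
        if exts and exts[-1] in SCRIPT_EXTS:
            reasons.append("launched through the Windows Script Host (.%s)" % exts[-1])
        if len(exts) >= 2:
            reasons.append("double extension disguises a script as .%s" % exts[-2])
        if "policies\\explorer\\run" in loc.lower():
            reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
        if reasons:
            flagged.append({"name": name, "location": loc, "target": target, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for entry in triage_o4(SAMPLE_LOG):
        print("[%s] %s -> %s: %s" % (entry["name"], entry["location"], entry["target"], "; ".join(entry["reasons"])))
```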

#2 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 August 2008 - 06:02 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.
