
Infected: Backdoor.agent!sd6 Or Something Else?


42 replies to this topic

#1 batracio

Posted 28 August 2008 - 07:03 AM

batracio, Aug 25 2008, 07:47 PM
Hi
Desperately requesting help.

I am running XP Pro on an old IBM NetVista with IE7 SP2.
It all started after an unattended/unwanted Windows update to SP3 and after an update of Office 2003. After rebooting, the browser looked different (more like MSN), my two user accounts (Administrator and myself) were no longer separate but merged into one, the Favorites folder and the My Documents folder disappeared, there is no control of Set Programs Access & Defaults, and the System.ini and WIN.ini windows in MsConfig are blank.
Access to My Computer/ Manage folder is denied.
At Log out and Log On, I always get the blue screen, forcing me to unplug the whole thing, all the time.

Simultaneously, IE7 crashes every 5-10 minutes with an "iexplore.exe" error in Module 0000, particularly when accessing Google Mail.

The version of IE7 stated in the Registry is different from the IE7 version stated in the HJT log, so I suspect I may have different versions of iexplore.exe too.

I have deleted the SP3 pack and reverted to SP2.
I have restored the system twice, and the same thing happened.
AVG, Spybot and Ad-Aware found nothing.

Attached is the HijackThis log as well as info from the Current Version folder in the Registry, which looks odd, to say the least.

This is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:20 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (filesize 455960 bytes, MD5 7CF5C46FE2A65151950A3FB8084419EB)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll (filesize 2055960 bytes, MD5 8741B6028EFBDA19150E4BDFDCF5E12F)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll (filesize 2055960 bytes, MD5 8741B6028EFBDA19150E4BDFDCF5E12F)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (filesize 39792 bytes, MD5 8B9145D229D4E89D15ACB820D4A3A90F)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 385024 bytes, MD5 F89DA660C511652EE511FE3AB2F04BFC)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (filesize 79128 bytes, MD5 5E0B47F3AE5D516F3A185ED62FF437D9)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5192 bytes


And this is the info at HKCU\Software\Microsoft\Windows\CurrentVersion, which contains suspicious data:

(Default) REG_SZ (Value not set)
xrt_control_crc REG_DWORD 0x22d86bbF (544608703)
xrt_id REG_SZ 0119610032
xrt_newversion REG_DWORD 0x00000000 (0)
xrt_opt_certs REG_SZ /cgi-bin/cert.cgi
xrt_opt_command REG_SZ /cgi-bin/cmd.cgi
xrt_opt_deleteco... REG_SZ yes
xrt_opt_deletesol... REG_SZ no
xrt_opt_file REG_SZ /cgi-bin/file.cgi
xrt_opt_forms REG_SZ /cgi-bin/forms.cgi
xrt_opt_idproject REG_SZ 0004
xrt_opt_options REG_SZ /cgi-bin/options.cgi
xrt_opt_pausecert REG_SZ 200
xrt_opt_pauseopt REG_SZ 700
xrt_opt_pstorage REG_SZ /cgi-bin/pstore.cgi
xrt_opt_reserv REG_SZ pull.assisback.com
xrt_opt_server 1 REG_SZ 202.71.106.206
xrt_opt_ss REG_SZ /cgi-bin/ss.cgi
xrt_options REG_BINARY 4e 45 57 4f 50 54 53 00 31 01 72 65 70 5f 73 69 7a db

Any help is more than welcome. Thank you for your time and attention.

Ruben
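As an added example (not from the original post or from any tool mentioned in this thread), the following Python script reads `reg query` output for the CurrentVersion key above, pulls out every xrt_* value, classifies the data as an IPv4 address, hostname or URL path, and renders the REG_BINARY blob as ASCII so the findings can be handed to whoever is triaging the machine. The sample input is constructed from the values in the post in the layout reg.exe prints; the two values whose names are truncated in the post are omitted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the xrt_* values from the post, rebuilt in the layout
# that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion` prints.
# The two values whose names are truncated in the post are left out.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
    (Default)    REG_SZ    (value not set)
    xrt_control_crc    REG_DWORD    0x22d86bbf
    xrt_id    REG_SZ    0119610032
    xrt_newversion    REG_DWORD    0x0
    xrt_opt_certs    REG_SZ    /cgi-bin/cert.cgi
    xrt_opt_command    REG_SZ    /cgi-bin/cmd.cgi
    xrt_opt_file    REG_SZ    /cgi-bin/file.cgi
    xrt_opt_forms    REG_SZ    /cgi-bin/forms.cgi
    xrt_opt_idproject    REG_SZ    0004
    xrt_opt_options    REG_SZ    /cgi-bin/options.cgi
    xrt_opt_pausecert    REG_SZ    200
    xrt_opt_pauseopt    REG_SZ    700
    xrt_opt_pstorage    REG_SZ    /cgi-bin/pstore.cgi
    xrt_opt_reserv    REG_SZ    pull.assisback.com
    xrt_opt_server1    REG_SZ    202.71.106.206
    xrt_opt_ss    REG_SZ    /cgi-bin/ss.cgi
    xrt_options    REG_BINARY    4E45574F5054530031017265705F73697ADB
"""

# A value line is indented and has name, REG_* type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(\S+)\s{2,}(REG_[A-Z_]+)\s*(.*)$")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Dotted name containing at least one letter, so pure numbers never count as hosts.
HOSTNAME = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, data) for every value line in `reg query` output."""
    values = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m.group(1), m.group(2), m.group(3).strip()))
    return values


def classify(data: str) -> str:
    """Label a value's data: ipv4, hostname, url_path, number or other."""
    m = IPV4.match(data)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if HOSTNAME.match(data):
        return "hostname"
    if data.startswith("/"):
        return "url_path"
    if data.isdigit():
        return "number"
    return "other"


def binary_to_ascii(hexstr: str) -> str:
    """Render REG_BINARY hex as ASCII, with non-printable bytes shown as '.'."""
    raw = bytes.fromhex(hexstr)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def triage(text: str, prefix: str = "xrt_") -> Dict[str, object]:
    """Summarise the values whose names start with `prefix` as triage findings."""
    findings: Dict[str, object] = {
        "values": 0, "network": [], "url_paths": [], "binary_ascii": {},
    }
    for name, rtype, data in parse_reg_query(text):
        if not name.lower().startswith(prefix):
            continue
        findings["values"] += 1
        if rtype == "REG_BINARY":
            findings["binary_ascii"][name] = binary_to_ascii(data)
            continue
        kind = classify(data)
        if kind in ("ipv4", "hostname"):
            findings["network"].append((name, kind, data))
        elif kind == "url_path":
            findings["url_paths"].append((name, data))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_REG_QUERY)
    print(f"{result['values']} values with the xrt_ prefix")
    for name, kind, data in result["network"]:
        print(f"  network indicator ({kind}): {name} = {data}")
    for name, data in result["url_paths"]:
        print(f"  server-side endpoint: {name} = {data}")
    for name, text in result["binary_ascii"].items():
        print(f"  {name} as ASCII: {text}")
```

On a live machine the same function can be fed the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion`, and the network indicators it lists are what to block and search for in proxy or DNS logs.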


#2 harrythook

Posted 12 September 2008 - 07:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIT icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
  • OTViewIt.txt <-- will be opened
  • Extra.txt <-- will be minimized
If you have not downloaded HijackThis yet:
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
In your reply:
  • Fresh HJT log
  • OTViewIt results
Thanks


Harry


#3 batracio

Posted 16 September 2008 - 10:05 AM

Hi Harry, thank you for the timely response.

This is the requested report:

OTViewIt logfile created on: 9/16/2008 10:55:19 AM - Run 1
OTViewIt by OldTimer - Version 1.0.4.0 Folder = C:\DOCUME~1\Papo\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\GN3FYO59
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: | Country: | Language: | Date Format:

509.98 Mb Total Physical Memory | 245.47 Mb Available Physical Memory | 48.13% Memory free
1.22 Gb Paging File | 1.04 Gb Available in Paging File | 85.68% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 36.27 Gb Total Space | 22.90 Gb Free Space | 63.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: XXX
Current User Name: Papo
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

========== Processes - Non-Microsoft Only ==========

[09/16/2008 10:55:05 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Papo\Local Settings\Temp\Temporary Internet Files\Content.IE5\GN3FYO59\OTViewIt[1].exe

========== (O23) Win32 Services - Non-Microsoft Only ==========

[11/15/2007 10:09:42 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])

========== Driver Services - Non-Microsoft Only ==========

File not found -- C:\DOCUME~1\Papo\LOCALS~1\Temp\_D504.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH [On_Demand | Stopped])
File not found -- C:\WINDOWS\System32\DRIVERS\IPFilter.sys -- (IPFilter [Disabled | Stopped])
[09/21/2007 07:10:20 | 00,020,240 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
[09/21/2007 07:10:40 | 00,035,088 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LHidFilt.Sys -- (LHidFilt [On_Demand | Running])
[09/21/2007 07:10:46 | 00,036,240 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LMouFilt.Sys -- (LMouFilt [On_Demand | Running])
[01/31/2005 06:12:46 | 00,022,016 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Running])
[08/17/2001 17:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Boot | Running])
File not found -- C:\WINDOWS\System32\drivers\Partizan.sys -- (Partizan [Disabled | Stopped])
File not found -- C:\WINDOWS\System32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio [On_Demand | Stopped])
File not found -- C:\WINDOWS\System32\drivers\PcdrNt.sys -- (PcdrNt [Disabled | Stopped])
[01/31/2005 06:20:03 | 00,211,712 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LV561AV.SYS -- (PID_0928 [On_Demand | Running])
[08/23/2008 13:53:33 | 00,025,773 | ---- | M] (Greatis Software) -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard [On_Demand | Stopped])
[06/01/2006 22:37:58 | 00,236,800 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\System32\drivers\RT2500.sys -- (RT2500 [On_Demand | Running])
[08/17/2001 18:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Boot | Running])
[09/09/2008 20:34:34 | 00,002,368 | ---- | M] (AntiCracking) -- C:\WINDOWS\system32\SVKP.sys -- (SVKP [Auto | Running])
[09/13/2008 10:20:18 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])


========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
"Default_Search_URL" = http://home.microsoft.com/search/search.asp
"Default_Secondary_Page_URL" =
"Extensions Off Page" = about:NoAdd-ons
"Local Page" = C:\WINDOWS\system32\blank.htm
"Search Page" = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
"Security Risk Page" = about:SecurityRisk
"Start Page" = http://www.msn.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = http://www.google.com
"Default_Search_URL" = http://www.google.com/ie
"SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Page_Transitions" =
"Search Page" = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
"Start Page" = http://www.google.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider" =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page" = C:\WINDOWS\system32\blank.htm
"Page_Transitions" =
"Search Page" = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
"Start Page" = http://www.google.com/

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\Software\Microsoft\Internet Explorer\SearchURL]
"provider" =

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
AutorunsDisabled (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds" = C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)

========== (O4) RunOnceEx Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags" = File not found

========== (O4) Startup Folders ==========


========== (O6 & O7) Internet Explorer Policies ==========
[HKEY_LOCAL_MACHINE\Software\policies\microsoft\internet explorer\Infodelivery] - present

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"LinkResolveIgnoreLinkInfo" = 0
"NoResolveSearch" = 1
"DisableLocalMachineRunOnce" = 1
"DisableCurrentUserRunOnce" = 1
"DisableCurrentUserRun" = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"LinkResolveIgnoreLinkInfo" = 0



[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"LinkResolveIgnoreLinkInfo" = 0



========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Sun Java Console -- C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
"" = http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
8 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-914516190-2451361995-186535729-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
8 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{01113300-3E00-11D2-8470-0060089874ED}: http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab -- Support.com Configuration Class
{17492023-C23A-453E-A040-C7C580BBF700}: http://download.microsoft.com/download/8/b...heckControl.cab -- Windows Genuine Advantage Validation Tool
{2DAD3559-2923-4935-AD49-B673D2539944}: http://www-307.ibm.com/pc/support/acpir.cab -- IASRunner Class
{6F15128C-E66A-490C-B848-5000B5ABEEAC}: https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab -- HP Download Manager
{74FFE28D-2378-11D5-990C-006094235084}: http://www-307.ibm.com/pc/support/IbmEgath.cab -- IBM Access Support
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100 -- Java Plug-in 1.6.0_07
{BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6}: https://www-307.ibm.com/pc/support/access/a.../AcpControl.cab -- acpRunner Class
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
DirectAnimation Java Classes: file://C:\WINDOWS\Java\classes\dajava.cab -- Reg Error: Key does not exist or could not be opened.
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{749425E4-5787-49CB-ADFF-53C2995F25EC} (Servers: | Description: Intel® PRO/100 VE Network Connection)
{C24E39D9-4159-4A23-8F24-774593F375F2} (Servers: | Description: Hawking HWP54GR Hi-Speed Wireless-G PCI Card)
{C8EF1124-BB2D-4024-9DB3-3A5BCB77D929} (Servers: | Description: )

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
dimsntfy: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
LBTWlgn: "DllName" = c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll -- c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[01/28/2008 21:19:31 | 00,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

Autoruns.zip [PK | ]
[08/21/2008 22:19:55 | 00,576,232 | ---- | M] () -- C:\Autoruns.zip -- [ NTFS ]



========== Files/Folders - Created Within 30 days ==========

[1 C:\WINDOWS\*.tmp files]
[08/18/2008 09:37:12 | 00,336,896 | ---- | C] () -- C:\UPHClean-Setup.msi
[08/18/2008 10:47:47 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[08/18/2008 16:37:07 | 00,000,176 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[08/18/2008 19:56:59 | 00,248,191 | ---- | C] () -- C:\sa53sue.zip
[08/19/2008 20:50:52 | 00,017,096 | ---- | C] () -- C:\Documents and Settings\Papo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[08/20/2008 00:39:28 | 00,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[08/20/2008 00:39:28 | 00,006,179 | ---- | C] () -- C:\WINDOWS\System32\ftp.mib
[08/20/2008 00:39:28 | 00,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[08/20/2008 00:39:28 | 00,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[08/20/2008 00:39:28 | 00,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[08/20/2008 00:39:29 | 00,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[08/20/2008 00:39:29 | 00,000,698 | ---- | C] () -- C:\WINDOWS\System32\inetsrv.mib
[08/20/2008 00:39:29 | 00,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[08/20/2008 00:39:29 | 00,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[08/20/2008 00:39:29 | 00,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[08/20/2008 00:39:29 | 00,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[08/20/2008 00:39:29 | 00,020,079 | ---- | C] () -- C:\WINDOWS\System32\http.mib
[08/20/2008 00:39:29 | 00,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[08/20/2008 00:39:29 | 00,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[08/20/2008 00:39:29 | 00,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[08/20/2008 00:39:29 | 00,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[08/20/2008 00:39:29 | 00,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[08/20/2008 00:39:29 | 00,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[08/20/2008 00:39:29 | 00,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[08/20/2008 00:39:29 | 00,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[08/21/2008 08:18:39 | 01,230,288 | ---- | C] (Undelete & Unerase, Inc. ) -- C:\recover_files_setup.exe
[08/21/2008 22:19:49 | 00,576,232 | ---- | C] () -- C:\Autoruns.zip
[08/21/2008 22:34:09 | 03,842,240 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\AutoRuns.arn
[08/21/2008 22:35:13 | 03,825,885 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\Auto Run 2.arn
[08/23/2008 11:17:24 | 00,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[08/23/2008 11:45:20 | 00,025,773 | ---- | C] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[08/23/2008 16:47:37 | 00,030,109 | ---- | C] () -- C:\list of Spyware.zip
[08/24/2008 16:16:06 | 48,367,896 | ---- | C] (AVG Technologies) -- C:\avg_free_stf_en_8_138a1332.exe
[08/27/2008 15:32:46 | 00,081,920 | ---- | C] (Soeperman Enterprises Ltd.) -- C:\BFU.exe
[08/29/2008 00:38:12 | 00,487,940 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080828_406_api_nocard.zip
[08/30/2008 20:24:07 | 00,000,230 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[09/05/2008 09:16:41 | 01,817,409 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\CPDE400[1].pdf
[09/09/2008 10:16:15 | 00,487,842 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080908_407_api_nocard.zip
[09/09/2008 10:20:09 | 00,917,504 | ---- | C] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080908_407_api_nocard.bin
[09/09/2008 20:34:23 | 00,001,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Tweak-XP Pro v3.lnk
[09/09/2008 20:34:23 | 00,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Restart Windows XP.lnk
[09/09/2008 20:34:23 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shutdown Windows XP.lnk
[09/09/2008 20:34:23 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Logoff Current User.lnk
[09/09/2008 20:34:34 | 00,002,368 | ---- | C] (AntiCracking) -- C:\WINDOWS\System32\SVKP.sys
[09/09/2008 20:56:45 | 51,066,804 | ---- | C] () -- C:\registry-backup.reg
[09/10/2008 16:07:53 | 40,905,192 | ---- | C] (PC-Doctor, Inc.) -- C:\pcd5setup_4329.exe
[09/11/2008 11:12:14 | 00,823,024 | ---- | C] () -- C:\TS-H493B_D300.zip
[09/11/2008 11:47:54 | 00,696,320 | ---- | C] (Foxconn Technology Group) -- C:\200_1011.EXE
[09/12/2008 09:13:06 | 02,189,864 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[09/12/2008 17:08:31 | 00,028,672 | ---- | C] () -- C:\ammended contract for Wallace Ave[1]. prop..doc
[09/12/2008 17:42:41 | 00,259,776 | RHS- | C] () -- C:\cmldr
[09/12/2008 17:42:45 | 00,000,211 | RHS- | C] () -- C:\BOOT.BAK
[09/13/2008 10:21:40 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[09/16/2008 08:31:05 | 00,487,875 | ---- | C] () -- C:\X-05BL_080915_408_api_nocard.zip
[09/16/2008 09:24:07 | 00,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\cwshredder.exe
[09/16/2008 09:26:32 | 01,515,890 | ---- | C] () -- C:\SmitfraudFix.zip
[09/16/2008 09:29:57 | 00,981,274 | ---- | C] () -- C:\RootkitBuster2.2.1014.zip
[09/16/2008 10:14:09 | 01,602,877 | ---- | C] () -- C:\ProcessExplorer.zip

========== Files - Modified Within 30 days ==========

[1 C:\WINDOWS\*.tmp files]
[08/18/2008 09:55:28 | 00,336,896 | ---- | M] () -- C:\UPHClean-Setup.msi
[08/18/2008 10:47:47 | 00,262,144 | ---- | M] () -- C:\WINDOWS\System32\default_user_class.dat
[08/18/2008 16:37:07 | 00,000,176 | ---- | M] () -- C:\WINDOWS\_delis32.ini
[08/18/2008 19:57:05 | 00,248,191 | ---- | M] () -- C:\sa53sue.zip
[08/20/2008 00:13:01 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[08/20/2008 00:13:01 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[08/20/2008 00:13:07 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[08/21/2008 08:23:35 | 01,230,288 | ---- | M] (Undelete & Unerase, Inc. ) -- C:\recover_files_setup.exe
[08/21/2008 22:19:55 | 00,576,232 | ---- | M] () -- C:\Autoruns.zip
[08/21/2008 22:34:11 | 03,842,240 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\AutoRuns.arn
[08/21/2008 22:35:14 | 03,825,885 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\Auto Run 2.arn
[08/23/2008 12:10:29 | 00,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[08/23/2008 12:10:29 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[08/23/2008 12:10:29 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[08/23/2008 13:53:33 | 00,025,773 | ---- | M] (Greatis Software) -- C:\WINDOWS\System32\drivers\regguard.sys
[08/23/2008 16:47:42 | 00,030,109 | ---- | M] () -- C:\list of Spyware.zip
[08/24/2008 16:16:29 | 48,367,896 | ---- | M] (AVG Technologies) -- C:\avg_free_stf_en_8_138a1332.exe
[08/26/2008 02:00:22 | 00,006,144 | ---- | M] () -- C:\Documents and Settings\Papo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08/29/2008 00:39:07 | 00,487,940 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080828_406_api_nocard.zip
[08/29/2008 18:17:12 | 00,000,799 | ---- | M] () -- C:\WINDOWS\orun32.ini
[08/30/2008 20:24:07 | 00,000,230 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[09/03/2008 16:38:32 | 00,017,096 | ---- | M] () -- C:\Documents and Settings\Papo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[09/03/2008 16:39:00 | 00,000,075 | -HS- | M] () -- C:\Documents and Settings\Papo\My Documents\desktop.ini
[09/05/2008 09:16:41 | 01,817,409 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\CPDE400[1].pdf
[09/08/2008 11:49:54 | 00,042,950 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[09/08/2008 11:49:54 | 00,318,624 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[09/08/2008 11:49:54 | 00,365,808 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[09/09/2008 10:16:39 | 00,487,842 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080908_407_api_nocard.zip
[09/09/2008 10:45:51 | 00,000,869 | ---- | M] () -- C:\WINDOWS\win.ini
[09/09/2008 10:46:28 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[09/09/2008 17:03:42 | 00,917,504 | ---- | M] () -- C:\Documents and Settings\Papo\My Documents\X-05BL_080908_407_api_nocard.bin
[09/09/2008 19:47:19 | 00,205,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[09/09/2008 20:34:23 | 00,001,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Tweak-XP Pro v3.lnk
[09/09/2008 20:34:23 | 00,001,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Restart Windows XP.lnk
[09/09/2008 20:34:23 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shutdown Windows XP.lnk
[09/09/2008 20:34:23 | 00,001,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Logoff Current User.lnk
[09/09/2008 20:34:34 | 00,002,368 | ---- | M] (AntiCracking) -- C:\WINDOWS\System32\SVKP.sys
[09/09/2008 20:56:51 | 51,066,804 | ---- | M] () -- C:\registry-backup.reg
[09/10/2008 16:08:03 | 40,905,192 | ---- | M] (PC-Doctor, Inc.) -- C:\pcd5setup_4329.exe
[09/11/2008 11:16:49 | 00,823,024 | ---- | M] () -- C:\TS-H493B_D300.zip
[09/11/2008 11:53:02 | 00,696,320 | ---- | M] (Foxconn Technology Group) -- C:\200_1011.EXE
[09/12/2008 09:13:14 | 02,189,864 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[09/12/2008 17:08:34 | 00,028,672 | ---- | M] () -- C:\ammended contract for Wallace Ave[1]. prop..doc
[09/12/2008 17:42:46 | 00,000,282 | RHS- | M] () -- C:\boot.ini
[09/13/2008 10:20:18 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[09/14/2008 18:03:56 | 10,114,368 | -H-- | M] () -- C:\Documents and Settings\Papo\Local Settings\Application Data\IconCache.db
[09/15/2008 08:58:05 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[09/15/2008 08:58:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[09/15/2008 11:32:41 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[09/16/2008 08:31:16 | 00,487,875 | ---- | M] () -- C:\X-05BL_080915_408_api_nocard.zip
[09/16/2008 09:24:12 | 00,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\cwshredder.exe
[09/16/2008 09:30:03 | 00,981,274 | ---- | M] () -- C:\RootkitBuster2.2.1014.zip
[09/16/2008 10:06:48 | 01,515,890 | ---- | M] () -- C:\SmitfraudFix.zip
[09/16/2008 10:14:20 | 01,602,877 | ---- | M] () -- C:\ProcessExplorer.zip

< End of report >

#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2008 - 08:51 AM

Hello batracio, welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay, however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

I need a little time to study your log. In the meantime I need you to perform the following:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

When completed please post both a new HJT log as well as the one from Kaspersky.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#5 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 17 September 2008 - 03:05 PM

Attached is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 17, 2008 18:26:17
Records in database: 1246060
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 60074
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:43:12


File name / Threat name / Threats count
C:\Documents and Settings\Papo\Local Settings\Temp\Temporary Internet Files\Content.IE5\GN3FYO59\SmitfraudFix[1].zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.


And this is the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:06 PM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com
F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (User '?')
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/a.../AcpControl.cab
O18 - Protocol hijack: mk - -{79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: tv - -{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5072 bytes


Thank you "thewall"; await your further instructions/ Ruben

#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2008 - 03:55 PM

Based on what you said when you first posted your topic concerning the Backdoor.agent!sd6, I believe you might be infected with one of the rogue antivirus programs which are very prevalent lately. Let's run MBAM and see what it shows. First we'll do some cleaning up with ATF.

Make sure your system is rebooted when MBAM finishes its scan, and post its log and a new HJT log also:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#7 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 17 September 2008 - 06:21 PM

ATF Cleaner= Performed

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 2

9/17/2008 7:14:24 PM
mbam-log-2008-09-17 (19-14-24).txt

Scan type: Quick Scan
Objects scanned: 51689
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:08 PM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com
F2 - REG:system.ini: Shell=C:\WINDOWS\explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (User '?')
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/a.../AcpControl.cab
O18 - Protocol hijack: mk - -{79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: tv - -{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5072 bytes

#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2008 - 08:03 PM

Two quick questions for you. Where did you get the info concerning a possible infection of Backdoor.agent!sd6 and did you revert back to using IE6 between your initial HJT log and the last two you have posted?


Also while you are at it would you check to see if there are two different versions of Windows under C:\.

Edited by thewall, 17 September 2008 - 09:14 PM.


#9 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 18 September 2008 - 06:07 PM

Hi again Sr. thewall,

The information about the Backdoor.Agent SD6 came from PC Tools and from ThreatExpert.com, both making reference to
the presence of "pull.assisback.com" with DNS 202.71.106.206.
Similarly referenced name: Infostealer by Symantec, Backdoor.DPJ by McAfee and/or BKDR_Agent by Trend Micro.

It all started one day with "iexplore.exe" errors every five minutes and then my computer crashed totally and completely while attempting to log on to my domestic bank account (which I have not been able to do ever since), plus constant redirects to all sorts of porn sites with a Singapore flavor.
Exploring the registry, I found the presence of "pull.assisback.com" at HKCU/software/microsoft/windows/currentversion/run as well as in currentversion 001 and currentversion 002, with all complete references as expressed at the bottom of my original post to Bleeping Computer.

After tracing the DNS to a site in Singapore, registered to the name of one Alexei Bagrov with email PRAVO31@mail.ru, paranoid impulses took over and I started to delete everything I found with those references, but failed to find the hive files or the cgi-bin/file.cgi.

The very same day, after cleaning everything, Windows Update automatically downloaded the IE7 SP3 package as well as the security updates for Office 2003; at restart, the browser was different, my two user accounts merged into one, the Favorites folder and the My Documents folder disappeared and access to Run, WMI and the Command Control window was denied. I also have about 5-6 g of extra memory available.

Even after clearing all the above instances at /current version in both Windows and WindowsNT, all the described symptoms remain.

I am, of course, fed up with IE, but since I'm now literally "facing thewall", hope is somehow restored.

I'm all yours.

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 18 September 2008 - 06:59 PM

Did you check what I asked about the two Windows versions?

In other words, open Windows Explorer and look to see if there are two different Windows folders showing up under C:\.
One may be Windows1 and the other may be Windows2. They may not be there, but I would like to eliminate that possibility first. There is no doubt that we are looking at what appear to be HJT logs from two similar but at the same time different machines.

Thanks!
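Two things the last few posts turn on can be checked mechanically: whether an autostart entry references the domain the poster reported under HKCU\...\Run (post #9), and how two HJT logs that "look like different machines" actually differ (post #10). The following is an added example written for this page; it is not a tool that HijackThis, BleepingComputer or the helper provides. It parses HijackThis-format logs, diffs the header fields, the entries and the running-process list between two of them, and flags entries that mention the indicators named in the thread (pull.assisback.com and 202.71.106.206). The two logs embedded at the bottom are constructed from entry types seen in this thread and trimmed; the [SysUpdate] Run entry and the C:\WINDOWS\Temp\svchost.exe process in LOG_AFTER are hypothetical and exist only to exercise the checks.

```python
"""Parse HijackThis-format logs, diff two of them and flag autostart entries that
mention known indicators.  Added example for this thread, not a HijackThis tool."""
import re
from dataclasses import dataclass

IOCS = ("pull.assisback.com", "202.71.106.206")  # domain and IP from post #9

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")  # "O4 - ..."
HEADER_RE = re.compile(r"^(Platform|MSIE|Boot mode): (.+)$")
# Heuristic only: Run-key targets in a temp folder or carrying a URL.
ODD_O4_RE = re.compile(r"\\Temp\\|\\Temporary Internet Files\\|https?://", re.I)

@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # section tag: R0, F2, O4, O16, O18, O23, ...
    body: str  # everything after "<kind> - "

def parse_hjt(text):
    """Return (header dict, list of Entry, list of running-process paths)."""
    header, entries, procs = {}, [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends the "Running processes:" block
            in_procs = False
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(Entry(m.group("kind"), m.group("body")))
    return header, entries, procs

def diff_logs(old_text, new_text):
    """Header fields, entries and processes that differ between two logs."""
    old_h, old_e, old_p = parse_hjt(old_text)
    new_h, new_e, new_p = parse_hjt(new_text)
    return {
        "header": {k: (old_h.get(k), new_h.get(k))
                   for k in sorted(set(old_h) | set(new_h))
                   if old_h.get(k) != new_h.get(k)},
        "added": sorted(set(new_e) - set(old_e)),
        "removed": sorted(set(old_e) - set(new_e)),
        "procs_added": sorted(set(new_p) - set(old_p)),
        "procs_removed": sorted(set(old_p) - set(new_p)),
    }

def flag_iocs(entries, iocs=IOCS):
    """Entries whose body mentions any indicator, case-insensitively."""
    needles = [i.lower() for i in iocs]
    return [e for e in entries if any(n in e.body.lower() for n in needles)]

def odd_autoruns(entries):
    """O4 (Run-key) entries started from a temp folder or carrying a URL."""
    return [e for e in entries if e.kind == "O4" and ODD_O4_RE.search(e.body)]

# Constructed sample logs in HJT format (trimmed; not the poster's real logs).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol hijack: mk - -{79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
"""
# The [SysUpdate] entry and the Temp\svchost.exe process are hypothetical.
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (version string omitted)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Temp\svchost.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysUpdate] C:\WINDOWS\Temp\svchost.exe http://pull.assisback.com/cgi-bin/file.cgi
"""

if __name__ == "__main__":
    for key, value in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{key}: {value}")
    print("IOC hits:", flag_iocs(parse_hjt(LOG_AFTER)[1]))
```

To use it on real logs, read the two saved hijackthis.log files into strings and pass them to diff_logs instead of the embedded samples. The header diff is the first thing to look at: the MSIE line alone answers the question in post #8 of whether two logs came from the same IE build, and a changed Platform line means the logs were not taken on the same installation. The odd_autoruns heuristic is deliberately crude; a Run entry pointing into a Temp folder is worth a look, not a verdict.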

#11 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 18 September 2008 - 07:36 PM

Sorry.
I see only one version.
Thank you.

#12 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 18 September 2008 - 08:10 PM

OK, before we go any further I need to make you aware of the following. From everything I can ascertain about pull.assisback.com, it is an infostealer and of course a backdoor, as evidenced by the following:

One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

For the time being I will proceed on the assumption you wish to clean up your computer. If you do not and would rather reformat or reinstall let me know in your next reply.

#13 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 18 September 2008 - 08:46 PM

Thank you for your feedback.

After spending more than 100 hours with this issue, I'm not in the mood to lower the flag.

If your good disposition is still intact, let's proceed with the cleaning.

And again, thank you very much.

#14 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 18 September 2008 - 09:00 PM

Alright, then we shall sally forward as they used to say in the old days.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Along with the report.txt from SDFix also include a new HJT log in your next reply.

#15 batracio
  • Topic Starter
  • Members
  • 24 posts

Posted 20 September 2008 - 08:27 AM

Good Morning Sr. thewall,

Herewith is the SDFix text log:

SDFix: Version 1.227
Run by Administrator on Sat 09/20/2008 at 08:52 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 09:02:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk not found (null)\system32\config\system
scanning hidden registry entries ...

disk not found (null)\system32\config\software
source file error: C:\Documents and Settings\Administrator\ntuser.dat
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\FTA-MirC\\Mirc.exe"="C:\\Program Files\\FTA-MirC\\Mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"="C:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe:*:Enabled:XrxFTPLt"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Tweak-XP Pro 3\\AdBlocker.exe"="C:\\Program Files\\Tweak-XP Pro 3\\AdBlocker.exe:*:Enabled:Ad Blocker of Tweak-XP"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 1 Jan 2001 211 A.SHR --- "C:\BOOT.BAK"

Finished!

------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:02 AM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (User '?')
O4 - HKUS\S-1-5-21-914516190-2451361995-186535729-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} (acpRunner Class) - https://www-307.ibm.com/pc/support/access/a.../AcpControl.cab
O18 - Protocol hijack: tv - -{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4951 bytes



