Trojan Hi-Jack


12 replies to this topic

#1 Hi Its Me

Posted 18 June 2009 - 11:42 PM

Hello there,

The last few days whenever I search the Internet using Google or Yahoo on either IE8 or FireFox3 it takes me to the list of webpages as usual, but when I click on any of them it redirects me to Toseeka or some other off the wall page, which is quite irritating. So far I have scanned my computer with Malwarebytes' Anti-Malware (which found nothing) and SuperAntiSpyware Free Edition (which found 22 Trojans: Trojan.Agent / Gen). I have also used ATF-Cleaner to clear cookies, temp files, etc. All to no avail.

If you guys could help (and thank you in advance) that would be great! Here is my Hijack this log:

------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:29 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify...tt.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS U
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221093073125
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9499 bytes

Edited by Hi Its Me, 18 June 2009 - 11:43 PM.



#2 Hi Its Me (Topic Starter)

Posted 18 June 2009 - 11:59 PM

Maybe this SuperAntiSpyware Log will help as well
-----------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/18/2009 at 11:01 PM

Application Version : 4.26.1004

Core Rules Database Version : 3947
Trace Rules Database Version: 1889

Scan type : Complete Scan
Total Scan Time : 00:49:17

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5774
Registry threats detected : 22
File items scanned : 50222
File threats detected : 0

Trojan.Agent/Gen
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig15
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig4
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig5
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig10
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str6
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str8
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str9
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str13
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str1
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str5
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig7
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig8
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig6
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig17
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str15
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str128
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str129
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig3
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str0
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#str14
HKU\S-1-5-21-1123561945-1960408961-682003330-1003\SOFTWARE\XML#dig13

Hello Hi Its Me,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 19 June 2009 - 12:22 AM.


#3 Farbar

Posted 19 June 2009 - 12:35 PM

Hi Hi Its Me,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

Edited by farbar, 19 June 2009 - 12:38 PM.
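HijackThis entries have a fixed shape per type (R0/R1 are `key,Name = value`, O4 Run lines are `hive\..\Run: [Name] command`), so the checks a reviewer makes on a log like the one above can be scripted: the three search-URL entries Farbar asked to fix point at a host that is not the browser default, and two O4 Run values carry no runnable command at all (`[Yahoo! Pager] 1` and the truncated `[OpenDNS Update] "C:\Program Files\OpenDNS U`, which ComboFix later marks `[X]` further down the thread). The following is an added Python example, not a tool from this thread or from HijackThis; the sample lines are copied from the posted log, while `DEFAULT_HOSTS` and the `.exe`-path heuristic in `CMD_RE` are assumptions a reviewer would tune.

```python
"""Parse HijackThis 2.x log entries and flag the ones a reviewer checks first."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above, plus
# two non-entry lines to show that the parser ignores them.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [OpenDNS Update] "C:\Program Files\OpenDNS U
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""


@dataclass
class Entry:
    kind: str   # "R1", "O4", "O23", ...
    body: str   # text after "<kind> - "
    raw: str    # the full log line


ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
# "HKLM\..\Run: [Name] command"; Startup-folder O4 lines do not match and are skipped.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Heuristic (assumption): a usable Run command starts with a quoted or unquoted .exe path.
CMD_RE = re.compile(r'^(?:"[^"]+\.exe"|[^"\s][^"]*?\.exe)(?:\s|$)', re.IGNORECASE)
# Assumed allowlist of hosts the reviewer accepts as browser defaults.
DEFAULT_HOSTS = {"go.microsoft.com", "www.yahoo.com", "login.yahoo.com"}


def parse_hjt_log(text):
    """Return the R*/O* entries of a HijackThis log, in order; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"], line.strip()))
    return entries


def split_r_entry(entry):
    """'HKCU\\...\\Main,Search Page = http://x' -> ('Search Page', 'http://x')."""
    left, sep, value = entry.body.partition(" = ")
    name = left.rsplit(",", 1)[-1] if sep else left
    return name, value.strip()


def triage(entries):
    """Return (kind, reason, raw_line) for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1"):
            name, value = split_r_entry(e)
            if not value.lower().startswith(("http://", "https://")):
                continue  # ProxyOverride, Window Title, ... are not URLs
            host = urlparse(value).hostname
            if host not in DEFAULT_HOSTS:
                findings.append((e.kind, f"{name} points at {host}", e.raw))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m and not CMD_RE.match(m["cmd"]):
                reason = f"Run value [{m['name']}] is not a usable command: {m['cmd']!r}"
                findings.append((e.kind, reason, e.raw))
    return findings


if __name__ == "__main__":
    for kind, reason, raw in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{kind}: {reason}\n    {raw}")
```

Run against the sample it reports the three `red.clientapps.yahoo.com` entries and the two unusable Run values, and nothing else.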


#4 Hi Its Me (Topic Starter)

Posted 19 June 2009 - 01:59 PM

Thank you for your help Farbar. Here is the log

-----------

GooredFix v1.92 by jpshortstuff
Log created at 13:56 on 19/06/2009 running Option #1 (user)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#5 Farbar

Posted 19 June 2009 - 02:03 PM

You may remove GooredFix from your desktop.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#6 Hi Its Me (Topic Starter)

Posted 19 June 2009 - 04:42 PM

I think something is wrong. Whenever I click on the .exe it shows combo fix loading then after that it just shows a blank C:/

#7 Farbar

Posted 19 June 2009 - 04:51 PM

I think something is wrong. Whenever I click on the .exe it shows combo fix loading then after that it just shows a blank C:/


You mean when you double-click ComboFix.exe ?

If yes, rename ComboFix.exe to me.exe and run it.

#8 Hi Its Me (Topic Starter)

Posted 19 June 2009 - 05:16 PM

okay thank you. I got it to work now. Since running it, I no longer seem to have any more redirects. I will still post the log in case anything else may need to be done. Below is the log:

-----------------

ComboFix 09-06-18.02 - user 06/19/2009 17:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.265 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\install_flash_player.exe
C:\install.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\nfr.sys
c:\windows\system32\drivers\SKYNETfohsklla.sys
c:\windows\system32\SKYNETjnuwwkap.dat
c:\windows\system32\SKYNETmectccpf.dll
c:\windows\system32\SKYNETrssftjlq.dll
c:\windows\system32\SKYNETvituwksp.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNEToeuyprum


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 06:21 . 2009-06-19 06:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Flock
2009-06-19 06:21 . 2009-06-19 06:21 -------- d-----w- c:\docume~1\user\APPLIC~1\Flock
2009-06-19 06:20 . 2009-06-19 06:21 -------- d-----w- c:\program files\Flock
2009-06-19 05:54 . 2009-06-19 05:54 -------- d-----w- c:\program files\Safari
2009-06-19 05:54 . 2009-06-19 05:54 -------- d-----w- c:\program files\Apple Software Update
2009-06-19 05:53 . 2009-06-19 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-19 02:29 . 2009-06-19 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-19 02:28 . 2009-06-19 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-19 02:28 . 2009-06-19 02:28 -------- d-----w- c:\docume~1\user\APPLIC~1\SUPERAntiSpyware.com
2009-06-19 02:28 . 2009-06-19 02:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-19 02:17 . 2009-06-19 02:17 -------- d-----w- c:\program files\Trend Micro
2009-06-11 02:37 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:37 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 20:12 . 2009-06-08 20:12 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.17.0\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 22:01 . 2008-06-09 00:30 -------- d-----w- c:\docume~1\user\APPLIC~1\WTablet
2009-06-19 21:09 . 2006-06-12 20:31 -------- d-----w- c:\program files\McAfee.com
2009-06-19 06:07 . 2008-10-06 21:55 -------- d-----w- c:\docume~1\user\APPLIC~1\Apple Computer
2009-06-11 15:48 . 1601-01-01 06:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-05-30 18:05 . 2006-06-12 20:24 77672 -c--a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 05:15 . 2004-08-04 05:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2004-08-04 05:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 04:57 . 2009-05-03 04:56 -------- d-----w- c:\program files\Total Video Converter
2009-05-03 04:46 . 2007-05-17 22:07 -------- d-----w- c:\docume~1\user\APPLIC~1\Azureus
2009-05-03 04:26 . 2009-05-03 04:24 -------- d-----w- c:\program files\Vuze
2009-05-03 04:24 . 2009-05-03 04:24 -------- d-----w- c:\program files\Common Files\i4j_jres
2009-04-23 22:08 . 2009-04-23 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\OpenDNS Updater
2009-04-23 22:08 . 2009-04-23 22:08 -------- d-----w- c:\program files\OpenDNS Updater
2009-04-17 09:58 . 2004-08-04 04:17 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 05:56 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2002-07-26 22:02 . 2006-07-02 23:15 153088 -c--a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-21 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Update"="c:\program files\OpenDNS U" [X]
"McRegWiz"="c:\progra~1\mcafee.com\agent\mcregwiz.exe" [2005-06-01 368714]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2004-04-07 61440]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"WheelMouse"="c:\program files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe" [2007-02-27 184320]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\user\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-1-15 385024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"9459:TCP"= 9459:TCP:PORT_9459
"47192:TCP"= 47192:TCP:PORT_47192
"25170:TCP"= 25170:TCP:PORT_25170
"27113:TCP"= 27113:TCP:PORT_27113
"63485:TCP"= 63485:TCP:PORT_63485
"21856:TCP"= 21856:TCP:PORT_21856
"59129:TCP"= 59129:TCP:PORT_59129
"63254:TCP"= 63254:TCP:PORT_63254
"57613:TCP"= 57613:TCP:PORT_57613
"52516:TCP"= 52516:TCP:PORT_52516
"29681:TCP"= 29681:TCP:PORT_29681
"57498:TCP"= 57498:TCP:PORT_57498
"62008:TCP"= 62008:TCP:PORT_62008
"32791:TCP"= 32791:TCP:PORT_32791
"58125:TCP"= 58125:TCP:PORT_58125
"48246:TCP"= 48246:TCP:PORT_48246
"25566:TCP"= 25566:TCP:PORT_25566
"65357:TCP"= 65357:TCP:PORT_65357
"46961:TCP"= 46961:TCP:PORT_46961
"25485:TCP"= 25485:TCP:PORT_25485
"14465:TCP"= 14465:TCP:PORT_14465
"24926:TCP"= 24926:TCP:PORT_24926
"49426:TCP"= 49426:TCP:PORT_49426
"45774:TCP"= 45774:TCP:PORT_45774
"23985:TCP"= 23985:TCP:PORT_23985
"64774:TCP"= 64774:TCP:PORT_64774
"43742:TCP"= 43742:TCP:PORT_43742
"40297:TCP"= 40297:TCP:PORT_40297
"65273:TCP"= 65273:TCP:PORT_65273
"53664:TCP"= 53664:TCP:PORT_53664
"62035:TCP"= 62035:TCP:PORT_62035
"9551:TCP"= 9551:TCP:PORT_9551
"23316:TCP"= 23316:TCP:PORT_23316
"64797:TCP"= 64797:TCP:PORT_64797
"25520:TCP"= 25520:TCP:PORT_25520
"13559:TCP"= 13559:TCP:PORT_13559
"27551:TCP"= 27551:TCP:PORT_27551
"34172:TCP"= 34172:TCP:PORT_34172
"52481:TCP"= 52481:TCP:PORT_52481
"44649:TCP"= 44649:TCP:PORT_44649

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/26/2008 9:37 PM 24652]
S2 aerlx;aerlx;c:\windows\system32\drivers\qafe.sys --> c:\windows\system32\drivers\qafe.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1960408961-682003330-1003.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 03:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-USBToolTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe


.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify...tt.my.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 17:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,f8,08,7f,2c,90,
e4,81,13,3d,ce,ea,26,2d,45,aa,78,1a,10,54,60,0e,18,5b,ce,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,10,7b,3c,f6,8d,
76,af,37,2a,b7,cc,b5,b9,7f,41,e7,38,54,de,2e,d8,08,01,f2,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,20,a9,f8,f1,f8,
16,d2,55,6c,43,2d,1e,aa,22,2f,9c,a3,21,0f,11,e4,7f,9c,6c,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\MPR.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-06-19 17:14
ComboFix-quarantined-files.txt 2009-06-19 22:14

Pre-Run: 24,927,563,776 bytes free
Post-Run: 24,916,185,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

272 --- E O F --- 2009-06-11 07:33

Edited by Hi Its Me, 19 June 2009 - 05:39 PM.


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:15 AM

Posted 19 June 2009 - 06:23 PM

Well done. :thumbup2:

You have a long list of open (unknown) ports. Are you aware of them, and do you want to keep those ports open, or should I close them?

"9459:TCP"= 9459:TCP:PORT_9459
"47192:TCP"= 47192:TCP:PORT_47192
"25170:TCP"= 25170:TCP:PORT_25170
"27113:TCP"= 27113:TCP:PORT_27113
"63485:TCP"= 63485:TCP:PORT_63485
"21856:TCP"= 21856:TCP:PORT_21856
"59129:TCP"= 59129:TCP:PORT_59129
"63254:TCP"= 63254:TCP:PORT_63254
"57613:TCP"= 57613:TCP:PORT_57613
"52516:TCP"= 52516:TCP:PORT_52516
"29681:TCP"= 29681:TCP:PORT_29681
"57498:TCP"= 57498:TCP:PORT_57498
"62008:TCP"= 62008:TCP:PORT_62008
"32791:TCP"= 32791:TCP:PORT_32791
"58125:TCP"= 58125:TCP:PORT_58125
"48246:TCP"= 48246:TCP:PORT_48246
"25566:TCP"= 25566:TCP:PORT_25566
"65357:TCP"= 65357:TCP:PORT_65357
"46961:TCP"= 46961:TCP:PORT_46961
"25485:TCP"= 25485:TCP:PORT_25485
"14465:TCP"= 14465:TCP:PORT_14465
"24926:TCP"= 24926:TCP:PORT_24926
"49426:TCP"= 49426:TCP:PORT_49426
"45774:TCP"= 45774:TCP:PORT_45774
"23985:TCP"= 23985:TCP:PORT_23985
"64774:TCP"= 64774:TCP:PORT_64774
"43742:TCP"= 43742:TCP:PORT_43742
"40297:TCP"= 40297:TCP:PORT_40297
"65273:TCP"= 65273:TCP:PORT_65273
"53664:TCP"= 53664:TCP:PORT_53664
"62035:TCP"= 62035:TCP:PORT_62035
"9551:TCP"= 9551:TCP:PORT_9551
"23316:TCP"= 23316:TCP:PORT_23316
"64797:TCP"= 64797:TCP:PORT_64797
"25520:TCP"= 25520:TCP:PORT_25520
"13559:TCP"= 13559:TCP:PORT_13559
"27551:TCP"= 27551:TCP:PORT_27551
"34172:TCP"= 34172:TCP:PORT_34172
"52481:TCP"= 52481:TCP:PORT_52481
"44649:TCP"= 44649:TCP:PORT_44649



#10 Hi Its Me

Hi Its Me
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:15 PM

Posted 19 June 2009 - 07:29 PM

Thank you so much for your help :thumbup2:

What do you think it is best that I do? Close them? If so, then please give me instructions on what to do.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:15 AM

Posted 19 June 2009 - 08:28 PM

I'll close them.
  • It is possible that a file gets uploaded for analysis if it is still there. Don't be alarmed and let ComboFix do its job.

    Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/235073/trojan-hi-jack/
    
    Collect::
    c:\windows\system32\drivers\qafe.sys
    Driver::
    aerlx
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OpenDNS Update"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9459:TCP"=-
    "47192:TCP"=-
    "25170:TCP"=-
    "27113:TCP"=-
    "63485:TCP"=-
    "21856:TCP"=-
    "59129:TCP"=-
    "63254:TCP"=-
    "57613:TCP"=-
    "52516:TCP"=-
    "29681:TCP"=-
    "57498:TCP"=-
    "62008:TCP"=-
    "32791:TCP"=-
    "58125:TCP"=-
    "48246:TCP"=-
    "25566:TCP"=-
    "65357:TCP"=-
    "46961:TCP"=-
    "25485:TCP"=-
    "14465:TCP"=-
    "24926:TCP"=-
    "49426:TCP"=-
    "45774:TCP"=-
    "23985:TCP"=-
    "64774:TCP"=-
    "43742:TCP"=-
    "40297:TCP"=-
    "65273:TCP"=-
    "53664:TCP"=-
    "62035:TCP"=-
    "9551:TCP"=-
    "23316:TCP"=-
    "64797:TCP"=-
    "25520:TCP"=-
    "13559:TCP"=-
    "27551:TCP"=-
    "34172:TCP"=-
    "52481:TCP"=-
    "44649:TCP"=-

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.

  • Tell me if you still get redirected.
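As an added example (not from Farbar's post and not part of ComboFix), a small Python helper that reads open-port lines in the format ComboFix prints them, flags the auto-generated PORT_<n> exceptions on high ports, and emits the same kind of Registry:: block used in the CFScript above. The sample lines are constructed, and the PORT_<n> heuristic is an assumption of this example, not a ComboFix rule.

```python
import re

# Constructed sample lines in the format ComboFix prints the XP firewall's
# GloballyOpenPorts\List values (format assumed from the log in this thread).
SAMPLE_OPEN_PORTS = """\
"9459:TCP"= 9459:TCP:PORT_9459
"47192:TCP"= 47192:TCP:PORT_47192
"3389:TCP"= 3389:TCP:Remote Desktop
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"44649:TCP"= 44649:TCP:PORT_44649
"""

# One value line: "<port>:<proto>"= <port>:<proto>:<display name>
LINE_RE = re.compile(
    r'^"(?P<key>\d{1,5}:(?:TCP|UDP))"=\s*(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<name>.*)$'
)

# Registry path exactly as written in the CFScript in this thread.
FIREWALL_LIST_KEY = (
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\standardprofile\GloballyOpenPorts\List]"
)

def parse_open_ports(text):
    """Return one dict per parsed firewall exception line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"key": m["key"], "port": int(m["port"]),
                            "proto": m["proto"], "name": m["name"]})
    return entries

def is_suspicious(entry):
    """Heuristic (an assumption of this example): an exception whose display name
    is just the auto-generated PORT_<n> on a high, non-well-known port was most
    likely added programmatically rather than by a user or an installer."""
    return entry["name"] == f"PORT_{entry['port']}" and entry["port"] >= 1024

def build_registry_block(entries):
    """Emit a CFScript Registry:: section that deletes ("=-") each flagged value."""
    flagged = [e for e in entries if is_suspicious(e)]
    if not flagged:
        return ""
    lines = ["Registry::", FIREWALL_LIST_KEY] + [f'"{e["key"]}"=-' for e in flagged]
    return "\n".join(lines) + "\n"
```

Review the flagged list by hand before pasting it into a CFScript; a legitimate program that registers its exception under a bare PORT_<n> name would be flagged too.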


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:15 AM

Posted 24 June 2009 - 02:40 PM

Are you still there? We have to uninstall ComboFix and round off.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:15 AM

Posted 27 June 2009 - 07:39 PM

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.
