Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus Or Hacker ?


  • This topic is locked This topic is locked
10 replies to this topic

#1 GoldDragon

GoldDragon

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Location:Romania
  • Local time:07:14 AM

Posted 10 February 2006 - 05:13 AM

Hello guys, thank you for helping me...

Since a few week I have a very unusuall problem with my comp, which is that I can't access a specific forum's adress for @8-10 hours/day,then suddenly it opens....
Well, I'm a MOD on that forum, and I have a hunch, that somebody is trying to keep me out, coz I've descovered that he is trouble, and we want to get rid of him....
I am on that forum since last year and never happened before this things...
When I'm accessing the forum address, it gives me :
http://smiley.cirtexhosting.com/suspended.page/
saying that :" this account has been suspended ".......but almost every time saiz another thing, so I don't know what to believe....
I have a static IP, and a Yahoo email address, and this guy has a program for ' Hacking Yahoo'....it could be a connection...???
Sorry for beeing so stupid, I don't know what is wrong , I just susspect him coz he is the only one who has the motivation for doing this ....

Now, I've followed the instructions, and this is the notepad info :


Logfile of HijackThis v1.99.1
Scan saved at 11:32:01 AM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RunDll32.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\progra~1\softwin\bitdef~1\bdmcon.exe
D:\Program Files\Softwin\BitDefender8\bdoesrv.exe
D:\Program Files\Softwin\BitDefender8\bdswitch.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\win5\Winamp\winampa.exe
E:\boo\monitor.exe
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\Program Files\Softwin\BitDefender8\vsserv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTB00429 - {3FDE0CB5-619F-4227-8961-F2D7ED15B88E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [cfeepe] D:\WINDOWS\system32\tlbqpe.exe r
O4 - HKLM\..\Run: [BDMCon] d:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] D:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDSwitchAgent] D:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinampAgent] E:\win5\Winamp\winampa.exe
O4 - HKLM\..\Run: [BDNewsAgent] d:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "D:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "E:\boo\monitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office_2000\Office\OSA9.EXE
O8 - Extra context menu item: RapidShare-Download - res://D:\DOCUME~1\Grigore\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD2002\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD2002\AcPreview.ocx
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


If it is not Hijack, at least you could tell me what to do or what program to install to not let anyone to get in to my comp...???

And more important, how to enter my forum ...????

Thank you so much for your time.......

BC AdBot (Login to Remove)

 


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 10 February 2006 - 08:54 AM

Click here to download the Hoster. Extract it from the zip file into a folder and doubleclick on hoster.exe. Press "Restore Original Hosts" and press "OK". Exit the program.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: XBTB00429 - {3FDE0CB5-619F-4227-8961-F2D7ED15B88E} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [cfeepe] D:\WINDOWS\system32\tlbqpe.exe r
O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

D:\WINDOWS\system32\tlbqpe.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 GoldDragon

GoldDragon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Location:Romania
  • Local time:07:14 AM

Posted 10 February 2006 - 09:40 AM

Hello Daemon

Thank you very much to helping me out

I've done everything you've said , but when I restarted in Safe mode, for that file in Windows it said that " file not found', so I've restarted in normal mode.....

Now, before I post the blog, please, tell me : if this is really possible when I'm entering a certain forum, to somebody enter in my computer ??? ( from that forum , I mean... )

Logfile of HijackThis v1.99.1
Scan saved at 4:30:21 PM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RunDll32.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\progra~1\softwin\bitdef~1\bdmcon.exe
D:\Program Files\Softwin\BitDefender8\bdoesrv.exe
D:\Program Files\Softwin\BitDefender8\bdswitch.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\win5\Winamp\winampa.exe
D:\Program Files\Time Sync\time.exe
E:\boo\monitor.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\Program Files\Softwin\BitDefender8\vsserv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BDMCon] d:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] D:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDSwitchAgent] D:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinampAgent] E:\win5\Winamp\winampa.exe
O4 - HKLM\..\Run: [BDNewsAgent] d:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKLM\..\Run: [Time Sync] D:\Program Files\Time Sync\time.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "D:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "E:\boo\monitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office_2000\Office\OSA9.EXE
O8 - Extra context menu item: RapidShare-Download - res://D:\DOCUME~1\Grigore\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD2002\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD2002\AcPreview.ocx
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Thank you again

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 10 February 2006 - 10:02 AM

Highly unlikely. You still have malware appearing though. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [Time Sync] D:\Program Files\Time Sync\time.exe

Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

D:\Program Files\Time Sync <-- folder

Exit Explorer and reboot into Normal Mode.

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.

Download and save blacklight to your desktop. Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones. Copy and paste the log it generated in your next reply.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#5 GoldDragon

GoldDragon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Location:Romania
  • Local time:07:14 AM

Posted 10 February 2006 - 12:03 PM

Done !

this is the ewido ( I think... )

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:37:38 PM, 2/10/2006
+ Report-Checksum: 284ED056

+ Scan result:

HKU\S-1-5-21-682003330-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FDE0CB5-619F-4227-8961-F2D7ED15B88E} -> Adware.CramToolbar : Cleaned with backup
[1720] D:\WINDOWS\libHide.dll -> Trojan.Agent.je : Cleaned with backup
[1832] D:\WINDOWS\libHide.dll -> Trojan.Agent.je : Error during cleaning
[1860] D:\WINDOWS\libHide.dll -> Trojan.Agent.je : Error during cleaning
[2000] D:\WINDOWS\libHide.dll -> Trojan.Agent.je : Error during cleaning
C:\Program Files\HijackThis\backups\backup-20060210-161920-960.dll -> Dialer.Creazione.x : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@ad.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@com[2].txt -> TrackingCookie.Com : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@cz4.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
D:\Documents and Settings\Grigore\Cookies\grigore@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
D:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
D:\Program Files\Internet Optimizer\update -> Adware.InternetOptimizer : Cleaned with backup
D:\WINDOWS\gojcxnhdkum.exe -> Adware.BetterInternet : Cleaned with backup
D:\WINDOWS\libHide.dll -> Trojan.Agent.je : Cleaned with backup
D:\WINDOWS\system.exe -> Backdoor.Agent.oo : Cleaned with backup
D:\WINDOWS\system32\cd_load.exe -> Adware.Cydoor : Cleaned with backup
D:\WINDOWS\vbstub.exe -> Hijacker.Delf.dp : Cleaned with backup


::Report End


the HJT report

Logfile of HijackThis v1.99.1
Scan saved at 6:52:23 PM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\progra~1\softwin\bitdef~1\bdmcon.exe
D:\Program Files\Softwin\BitDefender8\bdoesrv.exe
D:\Program Files\Softwin\BitDefender8\bdswitch.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\win5\Winamp\winampa.exe
D:\WINDOWS\system.exe
E:\boo\monitor.exe
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\Program Files\Softwin\BitDefender8\vsserv.exe
E:\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\totalcmd\TOTALCMD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BDMCon] d:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] D:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDSwitchAgent] D:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinampAgent] E:\win5\Winamp\winampa.exe
O4 - HKLM\..\Run: [BDNewsAgent] d:\progra~1\softwin\bitdef~1\bdnagent.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "D:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "E:\boo\monitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office_2000\Office\OSA9.EXE
O8 - Extra context menu item: RapidShare-Download - res://D:\DOCUME~1\Grigore\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD2002\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD2002\AcPreview.ocx
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - D:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - E:\ewido anti-malware\ewidoctrl.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - D:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


---that " fsbl " thing...

02/10/06 18:45:04 [Info]: BlackLight Engine 1.0.30 initialized
02/10/06 18:45:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/10/06 18:45:05 [Note]: 7019 4
02/10/06 18:45:05 [Note]: 7005 0
02/10/06 18:45:16 [Note]: 7006 0
02/10/06 18:45:16 [Note]: 7011 1720
02/10/06 18:45:16 [Note]: 7018 1992
02/10/06 18:45:16 [Info]: Hidden process: D:\WINDOWS\system.exe
02/10/06 18:45:16 [Note]: FSRAW library version 1.7.1014
02/10/06 18:45:42 [Note]: 7002 0
02/10/06 18:45:42 [Note]: 7003 1
02/10/06 18:46:49 [Note]: 7007 0

OMG, you gave me a lot of 'homework' today, and I am very grateful for this, I have no words to thank you enough....

:thumbsup:

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 10 February 2006 - 12:30 PM

Do this for me. Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

D:\WINDOWS\system.exe

Click on the submit button. Please post the results in your next reply.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#7 GoldDragon

GoldDragon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Location:Romania
  • Local time:07:14 AM

Posted 10 February 2006 - 07:54 PM

...after that I've tried for hours to access that scan, it gaves me this :

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file "

I have only Zone alarm firewall on Medium, I've disabled, but still not uploading.....

thanks

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 25 February 2006 - 10:57 AM

Apologies - missed this reply. Do you still require assistance?
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#9 GoldDragon

GoldDragon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Location:Romania
  • Local time:07:14 AM

Posted 25 February 2006 - 11:18 AM

No, thank you, doing everything you've said above helped me to learn a LOT about comp. cleaning.....
Thank you so much for that..... :thumbsup:

My only question is if I could request something from you on PM, ......please.....
Thanks....

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 25 February 2006 - 06:21 PM

OK - send it.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:14 AM

Posted 26 February 2006 - 12:51 PM

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users