Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win Antispyware Pop Up


  • Please log in to reply
23 replies to this topic

#1 bass-addict

bass-addict

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 27 May 2006 - 02:57 AM

i have a pop up of win antispyware i really want to get rid of it but cant any help would be great heres my log:
Logfile of HijackThis v1.99.1
Scan saved at 7:50:38 p.m., on 27/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jess\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1059.dll,InstantAccess
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Windows Media Player.lnk = C:\Program Files\Windows Media Player\wmplayer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B2BD8C-571A-460E-AEF6-D99D1984404E}: NameServer = 203.96.152.4 203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

i do have a few other things to but please i just need help with this first after this we can move on to the other more explicit pop ups

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 06 June 2006 - 12:30 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 09 June 2006 - 10:40 PM

I've been through the "before you post" topic and done everything it told me. I have a lot of pop ups happening which I'm pretty sure are in my computer as opposed to just online (as in from certain websites) if you know what I mean. Pop ups such as "Win AntiSpyware," "Epass-Key SEXY GIRLS," "Waypointcash, hollywood private" etc. There are casino things, pornography, antispyware, emoticons etc and I can't get rid of them. It's really frustrating having them come up every couple of minutes so help is very much appreciated. Here's my log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:13 p.m., on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Jess\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B2BD8C-571A-460E-AEF6-D99D1984404E}: NameServer = 203.96.152.4 203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 11 June 2006 - 08:17 PM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#5 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 12 June 2006 - 05:32 PM

VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.5

Scan started at 10:28:02 a.m. 13/06/2006

Listing files found while scanning....


No infected files were found.

It didn't find anything.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:00 a.m., on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Semagic\LiveJournal.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jess\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B2BD8C-571A-460E-AEF6-D99D1984404E}: NameServer = 203.96.152.4 203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 12 June 2006 - 07:20 PM

Rename hijackthis.exe to ht.exe and run ht.exe and create and post a new log from it.

#7 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 15 June 2006 - 02:06 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:03:36 p.m., on 15/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jess\Desktop\ht.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B2BD8C-571A-460E-AEF6-D99D1984404E}: NameServer = 203.96.152.4 203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 15 June 2006 - 07:49 AM

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)]
Then Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.

#9 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 16 June 2006 - 12:47 AM

ROOTKIT

HKLM\S-1-5-21-360189328-3425443330-1037833606-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Balloon_Time 16/06/2006 4:37 p.m. 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amkphqyus 11/06/2006 10:30 a.m. 88 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\icons\artest\Thumbs.db:encryptable 13/06/2006 6:30 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\icons\banners\Thumbs.db:encryptable 15/06/2006 7:18 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\icons\nineteens\Thumbs.db:encryptable 13/06/2006 6:22 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\icons\Thumbs.db:encryptable 10/06/2006 5:08 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Music\Audioslave\Audioslave - Sound of a Gun.mp3:Zone.Identifier 11/06/2006 10:39 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\abcd\Thumbs.db:encryptable 15/06/2006 7:17 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\blue\Thumbs.db:encryptable 30/05/2006 8:23 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\gender2\Thumbs.db:encryptable 18/03/2006 7:57 a.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\GENDER\01\Thumbs.db:encryptable 20/03/2006 7:32 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\GENDER\02\Thumbs.db:encryptable 20/03/2006 7:32 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\GENDER\colour blocks\Thumbs.db:encryptable 20/03/2006 7:32 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\GENDER\polaroid thingys\Thumbs.db:encryptable 20/03/2006 7:32 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\GENDER\Thumbs.db:encryptable 30/05/2006 6:39 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\large\Thumbs.db:encryptable 29/05/2006 8:28 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\light texture thingy\Thumbs.db:encryptable 8/05/2006 9:26 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\new2\Thumbs.db:encryptable 23/04/2006 7:54 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\new3\Thumbs.db:encryptable 11/06/2006 5:14 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\new\Thumbs.db:encryptable 20/03/2006 7:30 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\newnewnew\Thumbs.db:encryptable 13/06/2006 6:28 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\sdgsdfh\Thumbs.db:encryptable 20/03/2006 7:29 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\001\Thumbs.db:encryptable 13/06/2006 6:27 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\New Folder\Thumbs.db:encryptable 15/06/2006 7:20 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\pics\banners\Thumbs.db:encryptable 13/06/2006 6:36 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\pics\Thumbs.db:encryptable 13/06/2006 6:38 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\jack.jpg:Zone.Identifier 14/04/2006 11:40 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\mooreipod762_screen.jpg:Zone.Identifier 22/05/2006 9:06 p.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\random (2).jpg:Zone.Identifier 14/04/2006 11:39 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\random (3).jpg:Zone.Identifier 14/04/2006 11:39 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\random (5).jpg:Zone.Identifier 14/04/2006 11:39 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\random (6).jpg:Zone.Identifier 14/04/2006 11:39 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\silus.JPG:Zone.Identifier 14/04/2006 11:40 a.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\random\Thumbs.db:encryptable 15/06/2006 7:14 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\stuff\Thumbs.db:encryptable 15/06/2006 7:43 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\My Pictures\Thumbs.db:encryptable 15/06/2006 8:49 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\Thumbs.db:encryptable 10/06/2006 5:01 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-24.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-25.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-26.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-29.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-30.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\05\10-31.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\Jack\Last Place.rtf:Zone.Identifier 10/03/2006 8:25 p.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\Jack\Last Place.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\Jack\unfinshed piece of crap.rtf:Zone.Identifier 10/03/2006 8:25 p.m. 26 bytes Hidden from Windows API.
C:\Documents and Settings\Jess\My Documents\words\Thumbs.db:encryptable 10/03/2006 8:25 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Karen\Desktop\CANY4JFP.:Zone.Identifier 14/11/2005 8:32 p.m. 26 bytes Hidden from Windows API.
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Brushes\1148502613bigmasks.abr:Zone.Identifier 29/05/2006 6:23 p.m. 26 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\AMKPHQYUS.EXE-281945B0.pf 28/05/2006 8:03 p.m. 54.50 KB Hidden from Windows API.
C:\WINDOWS\system32\amkphqyus.dat 16/06/2006 5:24 p.m. 5.76 KB Hidden from Windows API.
C:\WINDOWS\system32\amkphqyus.exe 13/05/2006 8:37 a.m. 238.55 KB Hidden from Windows API.
C:\WINDOWS\system32\amkphqyus_nav.dat 10/06/2006 5:38 p.m. 173.18 KB Hidden from Windows API.
C:\WINDOWS\system32\msclock32.dll 13/05/2006 7:56 a.m. 20.50 KB Hidden from Windows API.
C:\WINDOWS\system32\msplock32.dll 10/05/2006 3:30 p.m. 20.50 KB Hidden from Windows API.

BLACKLIGHT

06/16/06 17:38:35 [Info]: BlackLight Engine 1.0.37 initialized
06/16/06 17:38:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/16/06 17:38:35 [Note]: 7019 4
06/16/06 17:38:35 [Note]: 7005 0
06/16/06 17:38:54 [Note]: 7006 0
06/16/06 17:38:54 [Note]: 7011 3064
06/16/06 17:38:54 [Note]: 7026 0
06/16/06 17:38:55 [Note]: 7026 0
06/16/06 17:38:55 [Note]: 7024 3
06/16/06 17:38:55 [Info]: Hidden process: C:\windows\system32\amkphqyus.exe
06/16/06 17:38:55 [Note]: FSRAW library version 1.7.1015
06/16/06 17:45:12 [Info]: Hidden file: c:\WINDOWS\system32\msclock32.dll
06/16/06 17:45:12 [Note]: 10002 1
06/16/06 17:45:16 [Info]: Hidden file: c:\WINDOWS\system32\msplock32.dll
06/16/06 17:45:16 [Note]: 10002 1
06/16/06 17:45:19 [Info]: Hidden file: c:\WINDOWS\system32\amkphqyus.dat
06/16/06 17:45:19 [Note]: 10002 1
06/16/06 17:45:21 [Info]: Hidden file: C:\windows\system32\amkphqyus.exe
06/16/06 17:45:21 [Note]: 10002 1
06/16/06 17:45:23 [Info]: Hidden file: c:\WINDOWS\system32\amkphqyus_nav.dat
06/16/06 17:45:23 [Note]: 10002 1
06/16/06 17:45:52 [Info]: Hidden file: c:\WINDOWS\Prefetch\AMKPHQYUS.EXE-281945B0.pf
06/16/06 17:45:52 [Note]: 10002 1

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 16 June 2006 - 11:38 AM

Ok here we go...you have a rootkit installed on your computer.

Download Killbox.

Extract killbox.zip to your desktop and then double-click on the Killbox.exe icon.

Select the option "Delete on reboot".

Now copy the next bold part:


C:\windows\system32\amkphqyus.exe
c:\WINDOWS\system32\msclock32.dll
c:\WINDOWS\system32\msplock32.dll
c:\WINDOWS\system32\amkphqyus.dat
c:\WINDOWS\system32\amkphqyus_nav.dat
c:\WINDOWS\Prefetch\AMKPHQYUS.EXE-281945B0.pf


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

When it opens tell me if you see these files in the C:\!submit folder

If so can you zip that folder by right clicking on it and selecting send to->compressed folder. Then submit that zip file to http://www.bleepingcomputer.com/submit-malware.php

#11 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 16 June 2006 - 03:07 PM

there's no folder named !submit, but there's one named !killbox.
the above files aren't in there, there are 10 files and a log though.
how do i know if the rootkit is gone?
i'm still getting the pop ups, which probably means something?

also; i found something.
in my program files theres a folder named 'instant access.' there are two folders inside it. one called 'center' and one 'dialer.' inside 'center' there are 7 UPD files which are named accordingly to some of the pop ups i've been getting. inside 'dialer' there are 40 folders, all with random numbers as their names. inside these folders are yet more folders with names according to the pop ups. some have another folder and an html file or just a file. some have images according to the pop ups i've been getting.

i figure that just deleting the original folder may not fix it, so i went to my control panel and then to add or remove programes. instant access is in there. when i click un-install it brings up a webpage which doesn't actually load and quickly disappears and then this, but i'm not sure whether or not to trust it.

Posted Image

Edited by bass-addict, 16 June 2006 - 03:19 PM.


#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 16 June 2006 - 03:34 PM

Dont do anything as of yet.

Can you zip up the !killbox folder and send it to that url.

#13 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 16 June 2006 - 07:45 PM

Done. :thumbsup:

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:59 PM

Posted 17 June 2006 - 04:30 PM

Give me a new hijackthis log and new blacklight log

#15 bass-addict

bass-addict
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 17 June 2006 - 06:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:08:32 a.m., on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Semagic\LiveJournal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jess\Desktop\ht.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/ap/ap/en/gen/default.htm
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39B2BD8C-571A-460E-AEF6-D99D1984404E}: NameServer = 203.96.152.4 203.96.152.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe


06/18/06 11:09:02 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 11:09:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/18/06 11:09:02 [Note]: 7019 4
06/18/06 11:09:02 [Note]: 7005 0
06/18/06 11:09:05 [Note]: 7006 0
06/18/06 11:09:05 [Note]: 7011 1752
06/18/06 11:09:05 [Note]: 7026 0
06/18/06 11:09:05 [Note]: 7026 0
06/18/06 11:09:05 [Note]: 7024 3
06/18/06 11:09:05 [Info]: Hidden process: C:\windows\system32\amkphqyus.exe
06/18/06 11:09:05 [Note]: FSRAW library version 1.7.1015
06/18/06 11:15:24 [Info]: Hidden file: c:\WINDOWS\system32\msclock32.dll
06/18/06 11:15:24 [Note]: 10002 1
06/18/06 11:15:26 [Info]: Hidden file: c:\WINDOWS\system32\msplock32.dll
06/18/06 11:15:26 [Note]: 10002 1
06/18/06 11:15:28 [Info]: Hidden file: c:\WINDOWS\system32\amkphqyus.dat
06/18/06 11:15:28 [Note]: 10002 1
06/18/06 11:15:29 [Info]: Hidden file: C:\windows\system32\amkphqyus.exe
06/18/06 11:15:29 [Note]: 10002 1
06/18/06 11:15:29 [Info]: Hidden file: c:\WINDOWS\system32\amkphqyus_nav.dat
06/18/06 11:15:29 [Note]: 10002 1
06/18/06 11:15:44 [Info]: Hidden file: c:\WINDOWS\Prefetch\AMKPHQYUS.EXE-281945B0.pf
06/18/06 11:15:44 [Note]: 10002 1




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users