Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.haxdoor.a-311.1.5, Part 2!


  • Please log in to reply
7 replies to this topic

#1 ferris_uk2

ferris_uk2

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 12 July 2006 - 04:05 PM

Continued from this post
http://www.bleepingcomputer.com/forums/t/58265/backdoorhaxdoora-31115/

I cannot remember installing popcaploader & trymedia!?

Here is the combofix log as requested!

Start Time= 12/07/2006 21:58:25.81
Running from: C:\Documents and Settings\Chris\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-12 21:57:46 683 ( A.... ) "C:\Combo.bat"
2006-07-06 19:01:00 ( .D... ) "C:\Program Files\HaxFix"
2006-07-06 16:57:20 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
2006-07-06 16:54:32 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-06-29 16:42:40 26125 ( A.... ) "C:\clean.bat"
2006-06-25 08:35:00 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-15 22:55:04 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-15 22:55:04 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-15 22:55:04 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-15 22:55:04 620180 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-14 22:24:24 ( .D... ) "C:\Program Files\3DMatchPlayer"
2006-06-14 21:06:18 ( .D... ) "C:\Program Files\ZAR"
2006-06-14 18:49:08 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-12 20:22:08 520192 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-05-28 23:12:20 ( .D... ) "C:\Program Files\ASF-AVI-RM-WMV Repair"
2006-05-24 23:48:04 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-05-24 23:48:04 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-05-24 23:47:12 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-05-24 23:46:52 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-05-24 23:46:44 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-05-24 23:46:44 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-05-24 23:46:44 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-05-24 23:46:44 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-05-24 23:46:44 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-05-24 23:46:44 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-05-24 23:46:44 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-05-24 23:43:44 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-05-24 23:43:44 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-05-23 17:25:52 402736 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-22 19:04:56 14416 ( A.... ) "C:\WINDOWS\system32\client_cc.dll"
2006-05-22 19:04:56 13904 ( A.... ) "C:\WINDOWS\system32\lccl.dll"
2006-05-03 17:54:10 307200 ( A.... ) "C:\WINDOWS\system32\atiiiexx.dll"
2006-05-03 17:51:00 258048 ( A.... ) "C:\WINDOWS\system32\ati2dvag.dll"
2006-05-03 17:45:36 114688 ( A.... ) "C:\WINDOWS\system32\atipdlxx.dll"
2006-05-03 17:45:22 77824 ( A.... ) "C:\WINDOWS\system32\Oemdspif.dll"
2006-05-03 17:45:14 26112 ( A.... ) "C:\WINDOWS\system32\Ati2mdxx.exe"
2006-05-03 17:45:08 41984 ( A.... ) "C:\WINDOWS\system32\ati2edxx.dll"
2006-05-03 17:44:56 61440 ( A.... ) "C:\WINDOWS\system32\ati2evxx.dll"
2006-05-03 17:43:46 413696 ( A.... ) "C:\WINDOWS\system32\ati2evxx.exe"
2006-05-03 17:43:14 53248 ( A.... ) "C:\WINDOWS\system32\ATIDDC.DLL"
2006-05-03 17:35:26 2693280 ( A.... ) "C:\WINDOWS\system32\ati3duag.dll"
2006-05-03 17:29:14 1408000 ( A.... ) "C:\WINDOWS\system32\ativvaxx.dll"
2006-05-03 17:21:20 6684672 ( A.... ) "C:\WINDOWS\system32\atioglx1.dll"
2006-05-03 17:18:04 5033984 ( A.... ) "C:\WINDOWS\system32\atioglxx.dll"
2006-05-03 17:15:58 151552 ( A.... ) "C:\WINDOWS\system32\atikvmag.dll"
2006-05-03 17:15:10 17408 ( A.... ) "C:\WINDOWS\system32\atitvo32.dll"
2006-05-03 17:12:26 286720 ( A.... ) "C:\WINDOWS\system32\ATIDEMGR.dll"
2006-05-03 17:09:20 282624 ( A.... ) "C:\WINDOWS\system32\ati2cqag.dll"
2006-05-03 11:57:00 520192 ( ..... ) "C:\WINDOWS\system32\ati2sgag.exe"
2006-04-19 01:04:54 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2002-07-26 17:02:06 153088 ( A.... ) "C:\Program Files\UNWISE.EXE"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-12 21:57 683 C:\Combo.bat
2006-07-06 19:01 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-07-06 19:01 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-06 19:01 4,096 C:\WINDOWS\system32\reboot.exe
2006-07-06 19:01 38,400 C:\WINDOWS\system32\moveex.exe
2006-07-06 19:01 26,125 C:\clean.bat
2006-07-06 16:54 745,531 C:\WINDOWS\gmer.exe
2006-07-06 16:54 528,446 C:\WINDOWS\gmer.dll
2006-06-28 20:11 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-06-28 20:11 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-06-25 08:35 520,192 C:\WINDOWS\system32\ati2sgag.exe
2006-06-15 22:55 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 22:55 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 22:55 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 22:55 620,180 C:\WINDOWS\system32\DivX.dll
2006-06-14 18:49 118,784 C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-12 20:22 520,192 C:\WINDOWS\system32\DivXsm.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Browser MOUSE\\mouse32a.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"USBToolTip"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"WINDVDPatch"="CTHELPER.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"BullGuard"="\"C:\\Program Files\\BullGuard Software\\BullGuard\\bullguard.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"inimapping"="0"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 12/07/2006 21:59:14.72
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-11.213151.txt
ComboFix.2006-07-12.215702.txt
ComboFix.2006-07-12.215825.txt

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 July 2006 - 04:32 PM

Look in Add\Remove programs and see if there are any entries for either TryMedia or PopCapLoader?

#3 ferris_uk2

ferris_uk2
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 13 July 2006 - 01:10 AM

I have'nt any record of them in my add/remove programs but there are files created for both in C:\Program files.

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 July 2006 - 02:08 AM

If you did not install these,then remove the folders that exist in program files.


Lets have a peek at a fresh HijackThis log and let me know how the machine is acting now?

#5 ferris_uk2

ferris_uk2
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:35 AM

Posted 13 July 2006 - 11:58 AM

Logfile of HijackThis v1.99.1
Scan saved at 17:58:01, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135415621987
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://webgames.d.tmsrv.com/c=f6fa7b33797d...loadControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 July 2006 - 06:34 PM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 ferris_uk2

ferris_uk2
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  

Posted 15 July 2006 - 12:49 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 15, 2006 6:48:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/07/2006
Kaspersky Anti-Virus database records: 207568
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 114386
Number of viruses found: 3
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:05:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012006071520060716\index.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_1dc.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_940.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_e50.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_e5c.dat Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-07-15.07-03-52.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP652\A0200411.sys Infected: Backdoor.Win32.Haxdoor.fc skipped
C:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP652\A0200413.sys Infected: Backdoor.Win32.Haxdoor.fc skipped
C:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP653\A0202493.sys Infected: Backdoor.Win32.Haxdoor.fc skipped
C:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP661\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{630F11F5-B382-459E-BD46-B0336DF87011}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\AVPX64.0YS Infected: Backdoor.Win32.Haxdoor.fc skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\InstallerV4.exe/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o skipped
C:\WINDOWS\system32\InstallerV4.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\jjp87oft.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_110.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP661\change.log Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{F279B045-B771-48C6-A813-385F9316BB5B}\RP661\change.log Object is locked skipped

Scan process completed.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,667 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:35 AM

Posted 23 August 2006 - 10:40 AM

I am very sorry the helper who was working on this log has not responded. I have no idea why they have not done so. Do you still require help?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users