Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! Downloader.agent.uj


  • This topic is locked This topic is locked
8 replies to this topic

#1 lauraneedshelp

lauraneedshelp

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 05 September 2006 - 09:30 PM

I'm stuck. My computer's got a nasty infection, and it hangs up when I try to follow the advice to clean it. I'm infected with BraveSentry, and when I run an Ewido scan in Safe Mode, it says I'm infected with downloader.agent.uj but it can't quarantine or clean.

All suggestions greatly appreciated!! Here's the HiJackThis log from a scan in Safe Mode.

Logfile of HijackThis v1.99.1
Scan saved at 9:13:45 PM, on 8/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\ls\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1F77AC6D-9358-BA21-DA64-98262BD0523A} - C:\WINNT\mkqlg1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: SECRETMAKER - {7435856C-6CA1-45CF-A00D-82178387F223} - C:\Program Files\Secretmaker\secretmakerie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Protected Storage NT] pstoreNT.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [viqwr.exe] C:\WINNT\system32\viqwr.exe
O4 - HKLM\..\RunServices: [Protected Storage NT] pstoreNT.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CMDEL.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.continental.att.net
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud11.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/04d49739d0034895bf16/...ip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/ImageUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DE1CA25-3682-48EC-AFD0-CE1723A0288B}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D74D4E9-CED9-4C86-ADBF-7F6CB718A0BA}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{72211CDF-4C12-419F-A274-E918D101E8F1}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DA8C6C5-3EDD-4953-B8D0-9D8984D3C1A6}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D5F4AEA-DC56-4AF4-8F5C-CA515DD17DCC}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DE1CA25-3682-48EC-AFD0-CE1723A0288B}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.206
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DE1CA25-3682-48EC-AFD0-CE1723A0288B}: NameServer = 85.255.116.131,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.206
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINNT\SYSTEM32\ssisvr32.exe

BC AdBot (Login to Remove)

 


#2 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:03:09 PM

Posted 09 September 2006 - 11:31 AM

hi



download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe


First, make sure you are connected to the internet. Fixwareout requires the connection in order to download a program it uses (Brute Force Uninstaller).
Double click the program icon on your desktop. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads save the text file that will open (report.txt) to your desktop.

post the contents of that file, along with a fresh hijackthis log here
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#3 lauraneedshelp

lauraneedshelp
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 10 September 2006 - 10:13 PM

Thanks so much for replying! I found another thread a few days ago that recommended fixwareout, and I ran it. Here is the report:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3659389F2075-999A-D3A4-9E0C-EE39511D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5757D25BFC2F-089B-D564-EB9E-CCF6E39F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4972D4574A49-E88A-2CC4-4DDA-312A6D02{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C32231043188-84A9-34B4-14E7-48A87853{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}158A043BC841-D8FB-E464-394D-6A492639{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A8559772E409-668B-91A4-A7DF-75AE6605{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8422FEE0B020-0349-E9A4-FB28-4E3E69CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5FE31EEA3BDD-7FB9-5D74-E719-191D15B8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9047966596F0-28D9-DC64-8B00-C1E3C2DB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7D5EC5C5D24-9528-7D44-238F-BAE3D4A7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}180B99B904AF-DD7B-9674-3E30-822F541E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}66EA98EC9DFB-507B-67D4-8A15-5600CD7B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A36568F20EA3-A15B-1504-54AF-9ADD4585{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5AD06EFCD8D3-B57B-2ED4-E234-509DE5E1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC57430815F4-1C28-6294-0DF4-92BE82AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}81F4BACE62AB-66CA-65A4-5FB3-81731F48{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C284CB9D3C52-267B-E404-9BE9-34A74514{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD5F87F8F366-468B-D0F4-FE00-861EE53B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7570014F9912-B8C8-2514-E86F-D6A1E3A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}024FFD2658B0-C45A-C494-59CC-CF4E3F7A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}56D7D9556651-E4AA-6214-1FA0-CCBB14CF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A8CF959F088F-47E9-B514-44DC-C2035669{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}37B786AE389A-E259-BF04-9C5E-56417E25{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\swzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A150CE16BD0E-FCBA-B0E4-1D9E-F82A0330{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A0D2D43DFB83-2018-32B4-8F1D-D4B7F054{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AFB9D2FC5F02-9159-8B34-A966-5A389BBD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0095D86CAE5E-0B4B-9784-4D40-F70856A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzws.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...
C:\WINNT\SYSTEM32\CSDMI.EXE
* csr.exe C:\WINNT\System32\CSDMI.EXE
* csr.exe C:\WINNT\System32\{D1159~1.EXE


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSDMI.EXE 51,201 2006-08-23

Other suspects.
Directory of C:\WINNT\system32
{5066EA57-FD7A-4A19-B866-904E2779558A}.exe
{D11593EE-C0E9-4A3D-A999-5702F9839563}.exe

Misc files.

Checking for older varients covered by the Rem3 tool.




After I did that, I was able to run an Ewido Scan in Safe Mode. Here is that report:



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:47:35 PM 9/6/2006

+ Scan result:



C:\WINNT\SYSTEM32\rmtcfg\files\copy\hidden32.exe -> Backdoor.Hupigon.hk : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\files\hidden32.exe -> Backdoor.Hupigon.hk : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\hidden32.exe -> Backdoor.Hupigon.hk : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\files\copy\setup.exe -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\files\setup.exe -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\setup.exe -> Backdoor.Iroffer.1213.a : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\csdmi.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\{D11593EE-C0E9-4A3D-A999-5702F9839563}.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
C:\WINNT\bl4ck.com -> Downloader.Small.bsq : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\pcMsg.dll -> Logger.PcGhost.412 : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\rmtcfg\files\xscan.exe -> Not-A-Virus.NetTool.Win32.XScan.13 : Cleaned with backup (quarantined).


::Report end


And finally, here my current Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:51 PM, on 9/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ssisvr32.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CMDEL.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
C:\program files\anonymizer\anonymizer software\common\AnonProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\LS\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1F77AC6D-9358-BA21-DA64-98262BD0523A} - C:\WINNT\mkqlg1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: SECRETMAKER - {7435856C-6CA1-45CF-A00D-82178387F223} - C:\Program Files\Secretmaker\secretmakerie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Protected Storage NT] pstoreNT.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [viqwr.exe] C:\WINNT\system32\viqwr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Protected Storage NT] pstoreNT.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CMDEL.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.continental.att.net
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://63.102.226.240:8000/Java/cfs40320.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud11.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/04d49739d0034895bf16/...ip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.mpix.com/Customer/ImageUploader3.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINNT\SYSTEM32\ssisvr32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe



My computer is running much better, but still maybe a little slow. I've installed a number of criticial updates since running Ewido, but one of them -- the cumulative update for IE service pack 1, KB91899 -- keeps failing. Do the sytem look clean? Thanks so much!

#4 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:03:09 PM

Posted 11 September 2006 - 03:46 AM

hi

bad news!!
the ewido scan revealed some stealth trojans, one of which is a keystroke logger, C:\WINNT\SYSTEM32\pcMsg.dll=Logger.PcGhost.412

you may want to contact you bank and credit card company for possible unauthorised transactions!!

IMPORTANT- You need to disconnect this PC from the internet and from your network if it is on a network. Then, acceess this information from a non-compromised computer to follow the steps needed.

you need to take steps to protect your information that may have been compromised. I recommend these steps for action:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?





this is something i dont like to recommend normally, but with a computer this badly infected it would be the best solution for your safety to just format the drive and reinstall windows
some further reading:
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

also see these links
Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx


please let me know how you decide. we may attempt to clean this, but this PC cannot be 100% trusted afterwards, even the best internet security professionals agree that a format/reinstall is the only 100% reliable solution
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#5 lauraneedshelp

lauraneedshelp
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 11 September 2006 - 07:05 AM

Ok...I was afraid of that. Is there any safe way to back up data before I reformat and reinstall?

#6 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:03:09 PM

Posted 11 September 2006 - 10:59 AM

you can burn important stuff to cd's dvd's, just dont burn executables or programs.. but ok for pics, documents and stuff like that

good luck
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#7 lauraneedshelp

lauraneedshelp
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 12 September 2006 - 08:47 AM

Is it any safer to burn documents on CD's than to copy onto a jump drive or a removable hard drive?

One last question: Is it any safer to burn documents on CD's than to copy onto a jump drive or a removable hard drive?

Thanks!!

#8 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:03:09 PM

Posted 12 September 2006 - 09:26 AM

no, use whatever backup method that you have
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor

#9 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:03:09 PM

Posted 29 October 2006 - 03:17 PM

as the problem here seems to be resolved this topic is now closed
to get it reopened PM a staff member with the address of this thread.
this applies to the topic starter only, everyone else with similar problems start a new topic.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users