
Very First Post Ever! Hijack This Log-please Help!


  • This topic is locked
7 replies to this topic

#1 tracym

tracym

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 09 September 2006 - 11:53 AM

Hi everyone! This is my very first post ever to any forum. :thumbsup: It's taken me a while to figure it all out. I've been trolling this site for a while so that I make sure to post in the right place. I learned that a HijackThis log is important so I figured out from this site how to do that and will post it at the end of this email. Maybe someone can look at it and help me. Here's what's happening: My AVG caught some viruses yesterday (backdoor trojan generic 3) and a few others. Now I can't connect to the internet at all (I'm using another computer right now, obviously) and my firewall options are locked out by "group policy" which I don't have. I'm running Windows XP Pro and under control panel, the java icon and the internet options icon are missing. Weird! :flowers: Anyway, here is the HijackThis log. Any help would be appreciated.


Thanks,

Tracy


Logfile of HijackThis v1.99.1
Scan saved at 11:38:16 AM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspcs.dll' missing
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128559652903
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\msapi.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Print Spooler Service (SpoolSvc223) - Unknown owner - C:\WINDOWS\TEMP\dior4f4186231.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:25 AM

Posted 09 September 2006 - 01:15 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\TEMP\dior4f4186231.exe

Then click the Send File button below.
Please let me know when you have submitted the file.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\msapi.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open notepad and copy and paste next in it:

sc delete NETAPI

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat and let the program run.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
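The two entries David singles out above (a service with no vendor whose binary is missing, and a second "Print Spooler" service running from TEMP) are the kind of thing a reviewer spots by scanning the O23 lines, together with the O10 line that explains the lost connectivity and the O4 entry starting from the Windows root. The script below is an added example, not code from this thread or from HijackThis: it parses a constructed excerpt of the log posted above and applies my own ranking heuristics (unknown owner, missing binary, TEMP path, autostart from an unusual directory, ActiveX download from a non-Microsoft host) so a human can read the flagged lines first.

```python
"""Rank HijackThis 1.99 log lines for a human reviewer.

Added example, not code from the thread or from HijackThis. The scoring
rules are my own heuristics; SAMPLE_LOG is a constructed excerpt of the
log posted in this thread.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspcs.dll' missing
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128559652903
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\msapi.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc223) - Unknown owner - C:\WINDOWS\TEMP\dior4f4186231.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code (O4, O10, O16, O23)
    entry: str    # the raw log line
    reason: str   # why a reviewer should look at it


O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Parent directories a legitimate Run entry rarely starts from (heuristic):
# the Windows root, its TEMP folder and the drive root.
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\temp", "c:"}


def exe_path(cmd: str) -> str:
    """Return the executable from a Run command line, quoted or bare, with or without spaces."""
    m = re.match(r'"?(?P<p>.+?\.exe)\b', cmd.strip(), re.IGNORECASE)
    return m.group("p") if m else cmd.split()[0]


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the lines worth a reviewer's attention, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = exe_path(m.group("cmd"))
            if parent_dir(exe) in SUSPECT_DIRS:
                findings.append(Finding("O4", line, f"autostart from unusual directory: {exe}"))
        elif line.startswith("O10 - Broken Internet access"):
            findings.append(Finding("O10", line, "Winsock LSP chain points at a missing DLL; explains lost connectivity"))
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if not host.endswith("microsoft.com"):
                findings.append(Finding("O16", line, f"ActiveX control downloaded from third-party host {host}"))
        elif m := O23_RE.match(line):
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("no vendor recorded")
            if m.group("path").endswith("(file missing)"):
                reasons.append("service binary missing (orphaned service entry)")
            if "\\temp\\" in m.group("path").lower():
                reasons.append("service binary lives in a TEMP directory")
            if reasons:
                findings.append(Finding("O23", line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

The Windows Update control stays unflagged and the AVG service passes all three O23 checks, so the output is exactly the lines David asked to fix plus the O10 line; an orphaned service entry still needs `sc delete`, which is why the thread follows the HijackThis fix with that command.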

#3 tracym

tracym
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 09 September 2006 - 06:53 PM

File sent.

#4 tracym

tracym
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 09 September 2006 - 06:57 PM

Please disregard previous file.
I will send the correct one momentarily.

#5 tracym

tracym
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 09 September 2006 - 07:03 PM

Correct file sent.

#6 tracym

tracym
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 09 September 2006 - 08:13 PM

Hi David-

Thanks for helping me! Since the internet connection on my laptop won't work, I'm having to do all of this from one computer, transferring and loading what I need on my Kingston Data Traveler USB thingy and moving it and installing the stuff on the infected laptop. Anyway, I hope I'm doing all of this correctly.

I followed all your additional directions after posting that file. Here are the logs I just ran for Combofix and Hijackthis. Thanks again!



Administrator - 06-09-09 19:56:15.76
ComboFix 06.09.07 - Running from: E:\

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-09 to 2006-09-09 ))))))))))))))))))))))))))))))))))


2006-09-06 15:26 88,064 --a------ C:\WINDOWS\system32\dior4f4tdnxhrb.exe
2006-09-06 13:19 88,064 --a------ C:\WINDOWS\system32\mlsdf8heozj.exe
2006-09-06 13:09 88,064 --a------ C:\WINDOWS\system32\mlsdf8hrbmw.exe
2006-09-06 12:55 88,064 --a------ C:\WINDOWS\system32\sklrr7yqaku.exe
2006-09-06 12:55 78,580 --a------ C:\ntp.exe
2006-09-06 12:24 88,064 --a------ C:\WINDOWS\system32\cjnr4r4xhrbmwgr.exe
2006-09-06 12:24 78,172 --a------ C:\tap.exe
2006-09-06 12:19 88,064 --a------ C:\WINDOWS\system32\sklrr7yfpzjtdny.exe
2006-09-06 12:18 88,064 --a------ C:\WINDOWS\system32\sklrr7ykueo.exe
2006-09-06 12:17 78,172 --a------ C:\tab1.exe
2006-09-05 21:56 88,064 --a------ C:\WINDOWS\system32\cjnr4r4cmwgqaku.exe
2006-09-05 21:56 144,516 --a------ C:\tab.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-07 21:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-06 17:43 -------- d-------- C:\Program Files\Napster
2006-08-21 07:57 9636 --a------ C:\WINDOWS\system32\gnfil.dll
2006-08-21 07:57 8652 --a------ C:\WINDOWS\system32\jbfil.dll
2006-08-21 07:57 76794 --a------ C:\WINDOWS\system32\adwfil.dll
2006-08-21 07:57 7582 --a------ C:\WINDOWS\system32\movfil.dll
2006-08-21 07:57 7504 --a------ C:\WINDOWS\system32\auctfil.dll
2006-08-21 07:57 724 --a------ C:\WINDOWS\system32\spmfil.dll
2006-08-21 07:57 7036 --a------ C:\WINDOWS\system32\pkmon.dll
2006-08-21 07:57 6830 --a------ C:\WINDOWS\system32\swfil.dll
2006-08-21 07:57 670 --a------ C:\WINDOWS\system32\mp3fil.dll
2006-08-21 07:57 5782 --a------ C:\WINDOWS\system32\vgamfil.dll
2006-08-21 07:57 540 --a------ C:\WINDOWS\system32\srchfrgn.dll
2006-08-21 07:57 540 --a------ C:\WINDOWS\system32\snetfil.dll
2006-08-21 07:57 5394 --a------ C:\WINDOWS\system32\wrestfil.dll
2006-08-21 07:57 5142 --a------ C:\WINDOWS\system32\iawfil.dll
2006-08-21 07:57 4442 --a------ C:\WINDOWS\system32\hatfil.dll
2006-08-21 07:57 4084 --a------ C:\WINDOWS\system32\viofil.dll
2006-08-21 07:57 400 --a------ C:\WINDOWS\system32\bsnlst.dll
2006-08-21 07:57 3444 --a------ C:\WINDOWS\system32\srchin.dll
2006-08-21 07:57 34 --a------ C:\WINDOWS\system32\macfil.dll
2006-08-21 07:57 306 --a------ C:\WINDOWS\system32\picsfil.dll
2006-08-21 07:57 2902 --a------ C:\WINDOWS\system32\lgwfil.dll
2006-08-21 07:57 258 --a------ C:\WINDOWS\system32\srchout.dll
2006-08-21 07:57 22384 --a------ C:\WINDOWS\system32\perfil.dll
2006-08-21 07:57 2164 --a------ C:\WINDOWS\system32\wzfil.dll
2006-08-21 07:57 194 --a------ C:\WINDOWS\system32\igefil.dll
2006-08-21 07:57 1830 --a------ C:\WINDOWS\system32\cultfil.dll
2006-08-21 07:57 1816 --a------ C:\WINDOWS\system32\fshrfil.dll
2006-08-21 07:57 18 --a------ C:\WINDOWS\system32\lastupdate.dll
2006-08-21 07:57 1790 --a------ C:\WINDOWS\system32\csnews.dll
2006-08-21 07:57 17488 --a------ C:\WINDOWS\system32\nvgamfil.dll
2006-08-21 07:57 16732 --a------ C:\WINDOWS\system32\popfil.dll
2006-08-21 07:57 1482 --a------ C:\WINDOWS\system32\gdwfil.dll
2006-08-21 07:57 1462 --a------ C:\WINDOWS\system32\tapfil.dll
2006-08-21 07:57 14264 --a------ C:\WINDOWS\system32\tafil.dll
2006-08-21 07:57 13112 --a------ C:\WINDOWS\system32\finfil.dll
2006-08-21 07:57 13036 --a------ C:\WINDOWS\system32\gblfil.dll
2006-08-21 07:57 12502 --a------ C:\WINDOWS\system32\psyfil.dll
2006-08-21 07:57 12350 --a------ C:\WINDOWS\system32\entfil.dll
2006-08-21 07:57 12114 --a------ C:\WINDOWS\system32\sporfil.dll
2006-08-21 07:57 116 --a------ C:\WINDOWS\system32\nfil.dll
2006-08-21 07:57 11164 --a------ C:\WINDOWS\system32\fmfil.dll
2006-08-21 07:57 10834 --a------ C:\WINDOWS\system32\chtfil.dll
2006-08-21 07:57 1018 --a------ C:\WINDOWS\system32\imgfil.dll
2006-08-21 07:57 100 --a------ C:\WINDOWS\system32\bnrfil.dll
2006-08-17 22:37 -------- d-------- C:\Program Files\QuickTime
2006-08-17 22:37 -------- d-------- C:\Program Files\palmOne
2006-08-17 22:37 -------- d-------- C:\Program Files\Internet Explorer
2006-08-17 22:37 -------- d-------- C:\Program Files\Google
2006-08-07 08:15 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-07 08:15 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-12 18:25 -------- d-------- C:\Program Files\Common Files\Napster Shared
2006-07-12 18:25 -------- d-------- C:\Program Files\Common Files
2006-06-17 09:59 86 --a------ C:\WINDOWS\system32\usrgfil.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"D-Link Air Utility"="C:\\Program Files\\D-Link\\Air Utility\\AirCFG.exe"
"ANIWZCSService"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"C2K"="C:\\WINDOWS\\Cyb2k.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Completion time: Sat 09/09/2006 19:59:08.21
ComboFix.txt





And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:20 PM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspcs.dll' missing
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128559652903
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\msapi.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Print Spooler Service (SpoolSvc223) - Unknown owner - C:\WINDOWS\TEMP\dior4f4186231.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
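What makes the ComboFix "Files Created" section above stand out is not any single name but the pattern: eight executables of exactly 88,064 bytes dropped into system32 within about a day, all with random-looking names, several sharing a seven-character prefix (the orphaned service binary dior4f4186231.exe shares its prefix with dior4f4tdnxhrb.exe). The script below is an added example, not ComboFix's code or anything from the thread; it parses a constructed excerpt of the report posted above and applies my own heuristics (same-size .exe clusters, random-looking stems, shared prefixes, creation window) to surface that pattern automatically.

```python
"""Cluster the 'Files Created' section of a ComboFix report by size and name pattern.

Added example, not ComboFix's code or anything from the thread. The rules
(same-size .exe clusters, random-looking stems, shared 7-character prefixes,
creation window) are my own heuristics; SAMPLE_REPORT is a constructed
excerpt of the report posted above.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_REPORT = r"""
2006-09-07 21:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-06 15:26 88,064 --a------ C:\WINDOWS\system32\dior4f4tdnxhrb.exe
2006-09-06 13:19 88,064 --a------ C:\WINDOWS\system32\mlsdf8heozj.exe
2006-09-06 13:09 88,064 --a------ C:\WINDOWS\system32\mlsdf8hrbmw.exe
2006-09-06 12:55 88,064 --a------ C:\WINDOWS\system32\sklrr7yqaku.exe
2006-09-06 12:55 78,580 --a------ C:\ntp.exe
2006-09-06 12:24 88,064 --a------ C:\WINDOWS\system32\cjnr4r4xhrbmwgr.exe
2006-09-06 12:24 78,172 --a------ C:\tap.exe
2006-09-06 12:19 88,064 --a------ C:\WINDOWS\system32\sklrr7yfpzjtdny.exe
2006-09-06 12:18 88,064 --a------ C:\WINDOWS\system32\sklrr7ykueo.exe
2006-09-06 12:17 78,172 --a------ C:\tab1.exe
2006-09-05 21:56 88,064 --a------ C:\WINDOWS\system32\cjnr4r4cmwgqaku.exe
2006-09-05 21:56 144,516 --a------ C:\tab.exe
2006-08-07 08:15 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
"""

# date time size attributes path; directories carry "--------" as size.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)


def parse_entries(report_text: str) -> list[dict]:
    """Parse file lines into dicts; directory lines are skipped."""
    entries = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d") or not m.group("size")[0].isdigit():
            continue
        entries.append({
            "when": datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def looks_random(path: str) -> bool:
    """Heuristic: long stem mixing letters and digits, as machine-generated names do."""
    s = stem(path)
    return len(s) >= 9 and any(c.isdigit() for c in s) and any(c.isalpha() for c in s)


def size_clusters(entries: list[dict], min_members: int = 3) -> dict[int, list[dict]]:
    """Group .exe files by exact byte size; keep sizes with several members."""
    by_size = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".exe"):
            by_size[e["size"]].append(e)
    return {size: grp for size, grp in by_size.items() if len(grp) >= min_members}


def prefix_families(entries: list[dict], n: int = 7) -> dict[str, list[str]]:
    """Group names sharing their first n characters; keep prefixes used more than once."""
    fam = defaultdict(list)
    for e in entries:
        fam[stem(e["path"])[:n].lower()].append(basename(e["path"]))
    return {p: names for p, names in fam.items() if len(names) >= 2}


def span_hours(entries: list[dict]) -> float:
    stamps = [e["when"] for e in entries]
    return (max(stamps) - min(stamps)).total_seconds() / 3600


def report(report_text: str) -> list[dict]:
    """One summary record per suspicious same-size cluster."""
    out = []
    for size, grp in size_clusters(parse_entries(report_text)).items():
        out.append({
            "size": size,
            "count": len(grp),
            "random_names": sum(looks_random(e["path"]) for e in grp),
            "span_hours": span_hours(grp),
            "families": prefix_families(grp),
        })
    return out


if __name__ == "__main__":
    for c in report(SAMPLE_REPORT):
        print(f"{c['count']} files of {c['size']} bytes in {c['span_hours']:.1f} h, "
              f"{c['random_names']} random-looking names, prefix families: {c['families']}")
```

On the excerpt this yields a single cluster of eight 88,064-byte files created over 17.5 hours, all with random-looking names, in three prefix families; the two 78,172-byte files in the drive root fall below the three-member threshold and the AVG driver is a lone entry, which is the contrast a reviewer wants before packing the files for analysis as David asks next.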

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:25 AM

Posted 10 September 2006 - 03:19 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Firstly I want to get a few samples of the files we are about to delete.
Not many antivirus programs are picking them up, and we want to increase detection.

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Copy and paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\system32\dior4f4tdnxhrb.exe
C:\WINDOWS\system32\mlsdf8heozj.exe
C:\WINDOWS\system32\mlsdf8hrbmw.exe
C:\WINDOWS\system32\sklrr7yqaku.exe
C:\WINDOWS\system32\cjnr4r4xhrbmwgr.exe
C:\WINDOWS\system32\sklrr7yfpzjtdny.exe
C:\WINDOWS\system32\sklrr7ykueo.exe
C:\WINDOWS\system32\cjnr4r4cmwgqaku.exe
C:\tap.exe
C:\tab1.exe
C:\ntp.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

1) Next, let's try and repair the internet connection:
Go to start > run and type cmd
A dos Window will appear.
Type next in the dos window: netsh winsock reset
Hit enter and reboot, see if you can now connect.
If you still can't please continue, and transfer files via laptop.

To be honest perhaps it will be a good thing if the internet does not return for the time being,
You have a nasty collection of backdoor trojans which are capable of stealing certain information.

2) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\msapi.exe (file missing)
O23 - Service: Print Spooler Service (SpoolSvc223) - Unknown owner - C:\WINDOWS\TEMP\dior4f4186231.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

3) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\Cyb2k.exe
C:\WINDOWS\system32\msapi.exe
C:\WINDOWS\TEMP\dior4f4186231.exe
C:\WINDOWS\system32\dior4f4tdnxhrb.exe
C:\WINDOWS\system32\mlsdf8heozj.exe
C:\WINDOWS\system32\mlsdf8hrbmw.exe
C:\WINDOWS\system32\sklrr7yqaku.exe
C:\WINDOWS\system32\cjnr4r4xhrbmwgr.exe
C:\WINDOWS\system32\sklrr7yfpzjtdny.exe
C:\WINDOWS\system32\sklrr7ykueo.exe
C:\WINDOWS\system32\usrgfil.dll
C:\WINDOWS\system32\cjnr4r4cmwgqaku.exe
C:\tab1.exe
C:\tap.exe
C:\ntp.exe
C:\WINDOWS\system32\usrgfil.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

4) Please open notepad and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C2K"=-

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

5) Click on start and click on run and type cmd.exe. Hit enter.
Type the following commands exactly and hit enter after each:

sc delete SpoolSvc223

sc delete NETAPI

Reboot and post a new Hijackthis log.
David

Edited by D-Trojanator, 10 September 2006 - 03:20 AM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:02:25 AM

Posted 19 November 2006 - 05:50 AM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



