Don't Know If I'm Infected........


This topic is locked
26 replies to this topic

#1 michael mellner


  • Members
  • 49 posts

Posted 25 September 2006 - 05:19 AM

Hello there from Italy. I'm trying to find a way out of this and since I think I lost all the resources I have, I don't know where else to go. Here's my problem. I use Skype and one day ago I checked Task Manager to see the processes running. I saw that Skype uses 1 GB of my 1.3 GB of memory while it is supposed to use only 20-30 MB.
I ran BitDefender AV with no results. So I did the same with Spybot and Ad-Aware. Something is obviously wrong. Can you please check if my HijackThis log is good enough? There are a lot of entries there and I don't wanna mess up my PC more than it already is.

my log:

Logfile of HijackThis v1.99.1
Scan saved at 12.11.58, on 25/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\SkypeMate\SkypeMate.exe
E:\storage\utili sicurezza\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4619244C-6DE4-FC98-A0B6-9EF7F826C376} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Programmi\SkypeMate\SkypeMate.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158186161497
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://D:\components\wmvhdrating.ocx
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Bests

Michael


#2 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 26 September 2006 - 02:30 PM

Hi Michael and welcome to BC. :thumbsup:

I am sorry to be the bearer of bad news but unfortunately, you are infected with a dangerous malware, W32.Tilebot-BR, with backdoor capabilities giving intruders complete control of your computer. I would counsel you to disconnect this PC from the Internet and the network (if you're networked) immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to alert them to your situation.

Though the Trojans have been identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
Please read these for more information:

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so but it is not fully guaranteed that your computer will be completely rid of malware regardless of what anyone can really do.

Should you have any questions, please feel free to ask.

=======================================

Download SDFix and save it to your Desktop.

Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop.

=======================================

Please set your system to show all files; please see here if you're unsure how to do this.
  • Go to Start > Run and copy and paste the next command in the field:
  • sc delete WinNet
  • Hit Enter
=====================================

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {4619244C-6DE4-FC98-A0B6-9EF7F826C376} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://D:\components\wmvhdrating.ocx
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

======================================

Reboot into Safe Mode: please see here if you are not sure how to do this.

======================================

Using Windows Explorer (Windows key + E), locate the following files/folders, and delete them:

C:\WINDOWS\system32\wincntrl.exe

Exit Explorer.

=======================================
Still in Safe Mode,
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


#3 michael mellner

  • Topic Starter

  • Members
  • 49 posts

Posted 26 September 2006 - 03:53 PM

Amateur,
I'm stunned, to say the least!!
While I thank you for your help, I have to say that I solved the problem with Skype eating too much memory simply by turning off its webcam feature, because I never installed a webcam in this PC. Nevertheless, I did what you told me, i.e. I followed the procedure you described. Here's the report log followed by the HijackThis log.

SDFix: Version 1.26
-------------------

Scan run on:
26/09/2006

Time:
22.22


Microsoft Windows XP [Versione 5.1.2600]

Running from: C:\Documents and Settings\sara\Desktop

Stage One...

Checking Services...

Name:
-----


Path:
----





Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
--------------------------

C:\WINDOWS\system32\atiphexx.exe

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------

Remaining Files:
--------------



*Any removed Files are saved in the SDFix\backups Folder*

*FINISHED*


Logfile of HijackThis v1.99.1
Scan saved at 22.44.40, on 26/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\SkypeMate\SkypeMate.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\devldr32.exe
E:\storage\utili sicurezza\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Programmi\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: www.bugdoctor.com
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158186161497
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


I might as well reformat the pc, if necessary.

I really hope you could give me some good news.........I'm kinda still shaking!!

Michael

#4 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 26 September 2006 - 05:15 PM

Hi Michael,

Good news. :thumbsup: The trojan is not showing in your log anymore. I have no way of knowing how long it has been there and to what degree your computer may have been compromised. If you are not using this computer for sensitive transactions, you may be alright. I am glad you solved the Skype issue. If it weren't for that, you would never have known about the trojan though. We'll do a couple more scans to make sure nothing else is lurking around. Before doing that, let's fix the following with HijackThis like you did before. I noticed that you have a new entry in your log, i.e. bugdoctor in your trusted zone. I am very much against having anything in your trusted zone, unless it's your workplace, or similar, and you need to do that to log in. It's like giving your house key to someone you don't know.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O15 - Trusted Zone: www.bugdoctor.com


Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.

You also have an older, therefore vulnerable, version of Java.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says " Java Runtime Environment (JRE) 5.0 Update 8
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Please scan with HijackThis again and post the new log along with the Ewido and Kaspersky reports. Thanks.
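
The triage amateur applied in posts #2 and #4 (orphan O2 BHOs, O16 controls served from a local file:// path, the O23 WinNet service with an unknown owner and a missing binary, and the O15 trusted-zone entry), written out as an added Python example that is not part of this thread. The sample lines are constructed from the logs posted above; the quoted-path check explains why the two BitDefender O23 entries look like WinNet but were left alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line shapes taken from the HijackThis 1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4619244C-6DE4-FC98-A0B6-9EF7F826C376} - (no file)
O15 - Trusted Zone: www.bugdoctor.com
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158186161497
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    severity: str  # "high" = fix, "review" = fix unless known-good, "info" = verify on disk first
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Pulls the short service name out of "Service: Display Name (ShortName) - owner - path".
SERVICE_NAME_RE = re.compile(r"^Service: [^(]*\((?P<name>[^)]+)\) - ")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's heuristics to one log line; None means nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2" and body.endswith("(no file)"):
        return Finding(sec, "review", "BHO CLSID registered but its DLL is not on disk (orphan, or a loader hiding its file)", line)
    if sec == "O15":
        return Finding(sec, "high", "site in the IE Trusted Zone runs with relaxed ActiveX/script restrictions", line)
    if sec == "O16":
        source = body.rsplit(" - ", 1)[-1]
        if source.lower().startswith("file://"):
            return Finding(sec, "review", "ActiveX control registered from a local file:// path instead of a vendor site", line)
        return None
    if sec == "O23" and body.endswith("(file missing)") and " - Unknown owner - " in body:
        image_path = body.split(" - Unknown owner - ", 1)[1]
        if '"' in image_path:
            # A quoted ImagePath followed by arguments: HijackThis 1.99.1 cannot resolve it and
            # reports the file as missing even when it is present. Check the disk before acting.
            return Finding(sec, "info", "quoted ImagePath with arguments; verify the binary exists before acting", line)
        return Finding(sec, "high", "autostart service with no vendor owner whose binary is missing or hidden", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def hijackthis_fix_list(findings: List[Finding]) -> List[str]:
    """Lines to tick before 'Fix Checked'; info findings need a manual look first."""
    return [f.line.strip() for f in findings if f.severity in ("high", "review")]


def service_delete_commands(findings: List[Finding]) -> List[str]:
    """The thread pairs the O23 fix with an explicit 'sc delete <ShortName>' for the orphan service."""
    cmds = []
    for f in findings:
        if f.section != "O23" or f.severity != "high":
            continue
        m = SERVICE_NAME_RE.match(LINE_RE.match(f.line.strip()).group("body"))
        if m:
            cmds.append(f"sc delete {m.group('name')}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print("\nTick in HijackThis:", *hijackthis_fix_list(found), sep="\n  ")
    print("\nService cleanup:", *service_delete_commands(found), sep="\n  ")
```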

#5 michael mellner

  • Topic Starter

  • Members
  • 49 posts

Posted 26 September 2006 - 06:50 PM

Ok. Here we go for ewido report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1.32.23 27/09/2006

+ Scan result:



C:\WINDOWS\system32\awvvs.dll -> Downloader.ConHook.l : Cleaned with backup (quarantined).
E:\storage\fatti\programmi\Pcshowbuzz(The Best)-By Jackbg (Chifuta)(Working!!!No Virus)-Tv-(Le Leonard Iesh Butonim Mehoarim).rar/pcshowbuzz.dll.zip/setup.exe -> Downloader.IstBar.nj : Cleaned with backup (quarantined).
E:\storage\fatti\simulazione\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar/PMDG744_Validation_Bypasser.zip/PMDG744_Validation_Bypasser.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
E:\storage\temp\PMDG Boeing B747-400 + crack + update + 15 liveries.rar/PMDG Boeing B747-400 + crack + update + 15 liveries\crack\Crack.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).


::Report end

I will come back with the next reports.

Michael

#6 michael mellner

  • Topic Starter

  • Members
  • 49 posts

Posted 26 September 2006 - 08:19 PM

Here in sequence: ewido, Kaspersky and HijackThis.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1.32.23 27/09/2006

+ Scan result:



C:\WINDOWS\system32\awvvs.dll -> Downloader.ConHook.l : Cleaned with backup (quarantined).
E:\storage\fatti\programmi\Pcshowbuzz(The Best)-By Jackbg (Chifuta)(Working!!!No Virus)-Tv-(Le Leonard Iesh Butonim Mehoarim).rar/pcshowbuzz.dll.zip/setup.exe -> Downloader.IstBar.nj : Cleaned with backup (quarantined).
E:\storage\fatti\simulazione\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar/PMDG744_Validation_Bypasser.zip/PMDG744_Validation_Bypasser.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
E:\storage\temp\PMDG Boeing B747-400 + crack + update + 15 liveries.rar/PMDG Boeing B747-400 + crack + update + 15 liveries\crack\Crack.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).


::Report end




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 27, 2006 2:51:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/09/2006
Kaspersky Anti-Virus database records: 213464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 41199
Number of viruses found: 3
Number of infected objects: 8 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:57:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Prism\e4b5b1af Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Cronologia\History.IE5\MSHist012006092720060928\index.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temp\~DFF663.tmp Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temp\~DFF720.tmp Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sara\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Windows NT\anN.exe Object is locked skipped
C:\Programmi\Windows NT\Apw.exe Object is locked skipped
C:\Programmi\Windows NT\baE.exe Object is locked skipped
C:\Programmi\Windows NT\BfoD.exe Object is locked skipped
C:\Programmi\Windows NT\BjiNZw.exe Object is locked skipped
C:\Programmi\Windows NT\CpLPl.exe Object is locked skipped
C:\Programmi\Windows NT\DgTwU.exe Object is locked skipped
C:\Programmi\Windows NT\dLFBoJ.exe Object is locked skipped
C:\Programmi\Windows NT\drNKu.exe Object is locked skipped
C:\Programmi\Windows NT\dzy.exe Object is locked skipped
C:\Programmi\Windows NT\EVekug.exe Object is locked skipped
C:\Programmi\Windows NT\FPw.exe Object is locked skipped
C:\Programmi\Windows NT\FtWxMj.exe Object is locked skipped
C:\Programmi\Windows NT\fxB.exe Object is locked skipped
C:\Programmi\Windows NT\gtv.exe Object is locked skipped
C:\Programmi\Windows NT\HcMS.exe Object is locked skipped
C:\Programmi\Windows NT\hhB.exe Object is locked skipped
C:\Programmi\Windows NT\htujF.exe Object is locked skipped
C:\Programmi\Windows NT\IdtSL.exe Object is locked skipped
C:\Programmi\Windows NT\IiJ.exe Object is locked skipped
C:\Programmi\Windows NT\izI.exe Object is locked skipped
C:\Programmi\Windows NT\Izr.exe Object is locked skipped
C:\Programmi\Windows NT\jJl.exe Object is locked skipped
C:\Programmi\Windows NT\KMq.exe Object is locked skipped
C:\Programmi\Windows NT\Mxn.exe Object is locked skipped
C:\Programmi\Windows NT\Nkx.exe Object is locked skipped
C:\Programmi\Windows NT\NWqWmT.exe Object is locked skipped
C:\Programmi\Windows NT\OiS.exe Object is locked skipped
C:\Programmi\Windows NT\oKZj.exe Object is locked skipped
C:\Programmi\Windows NT\OTi.exe Object is locked skipped
C:\Programmi\Windows NT\PRs.exe Object is locked skipped
C:\Programmi\Windows NT\pues.exe Object is locked skipped
C:\Programmi\Windows NT\SdTrVg.exe Object is locked skipped
C:\Programmi\Windows NT\sTB.exe Object is locked skipped
C:\Programmi\Windows NT\SWxX.exe Object is locked skipped
C:\Programmi\Windows NT\uEJ.exe Object is locked skipped
C:\Programmi\Windows NT\VeR.exe Object is locked skipped
C:\Programmi\Windows NT\VpZ.exe Object is locked skipped
C:\Programmi\Windows NT\Xae.exe Object is locked skipped
C:\Programmi\Windows NT\Xoz.exe Object is locked skipped
C:\Programmi\Windows NT\yDt.exe Object is locked skipped
C:\Programmi\Windows NT\zPKTx.exe Object is locked skipped
C:\Programmi\Windows NT\Zqa.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awtsr.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mljjh.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\pmnnl.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00003ffa\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\storage\temp\Dinarsoft Memmaid 1.6 Keygen updated-fixed 05-2006.rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
E:\storage\temp\Dinarsoft Memmaid 1.6 Keygen updated-fixed 05-2006.rar RAR: infected - 1 skipped
E:\storage\temp\ipaq 6340 due\SBSH[1].iLauncher.v2.00.9b.ARM.PPC2002.Incl.Keygen-aSxPDA.ZIP.rar/patch_.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\storage\temp\ipaq 6340 due\SBSH[1].iLauncher.v2.00.9b.ARM.PPC2002.Incl.Keygen-aSxPDA.ZIP.rar/patch_.exe Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\storage\temp\ipaq 6340 due\SBSH[1].iLauncher.v2.00.9b.ARM.PPC2002.Incl.Keygen-aSxPDA.ZIP.rar ZIP: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 3.15.46, on 27/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\Programmi\Internet Explorer\iexplore.exe
E:\storage\utili sicurezza\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Programmi\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158186161497
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Awaiting your good news........

Michael

#7 michael mellner (Topic Starter)

Posted 26 September 2006 - 08:36 PM

OK, I can't go on any more. It's 3:30 am here and I have to go to bed for a couple of hours.
Will catch you tomorrow.......

Thanks a thousand for now

Michael

#8 amateur (Malware Fighter, Malware Response Team)

Posted 26 September 2006 - 10:22 PM

Hi Michael,

I think we now know the original source of the infection. Both Ewido and Kaspersky report some cracked software that you or somebody must have downloaded to the E drive. One of them is a P2P worm, which indicates the use of P2P file sharing. I think the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from undocumented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware.

Using Windows Explorer, please navigate to the following files and folders and delete them:

E:\storage\fatti\programmi\Pcshowbuzz(The Best)-By Jackbg (Chifuta)(Working!!!No Virus)-Tv-(Le Leonard Iesh Butonim Mehoarim).rar
E:\storage\fatti\simulazione\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar
E:\storage\temp\PMDG Boeing B747-400 + crack + update + 15 liveries.rar

E:\storage\temp\Dinarsoft Memmaid 1.6 Keygen updated-fixed 05-2006.rar
E:\storage\temp\Dinarsoft Memmaid 1.6 Keygen updated-fixed 05-2006.rar RAR
E:\storage\temp\ipaq 6340 due

Actually, if you don't have anything else in the E:\storage\temp folder, you can delete the whole folder instead.

Both Ewido and Panda are also reporting some vundo files. The infection doesn't seem to be active at the moment, but let's run the tool just in case.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please scan with Kaspersky one more time and post the results along with the vundofix.txt.

P.S. Are there any other users on this computer?

#9 michael mellner (Topic Starter)

Posted 27 September 2006 - 04:41 AM

Amateur,
I used VundoFix but it didn't find anything, so it didn't reboot, nor did it produce a report. I scanned again with Kaspersky. Here's the log:

Wednesday, September 27, 2006 11:30:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/09/2006
Kaspersky Anti-Virus database records: 213497


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics
Total number of scanned objects 43340
Number of viruses found 3
Number of infected objects 8 / 0
Number of suspicious objects 0
Duration of the scan process 01:08:40

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Prism\e4b5b1af Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\call256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\callmember256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\chat512.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\index2.dat Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\profile256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\transfer256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\user1024.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\user16384.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\user256.dbb Object is locked skipped
C:\Documents and Settings\sara\Dati applicazioni\Skype\sarachiaravalli\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Cronologia\History.IE5\MSHist012006092720060928\index.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temp\~DFE972.tmp Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temp\~DFEAD0.tmp Object is locked skipped
C:\Documents and Settings\sara\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sara\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Windows NT\anN.exe Object is locked skipped
C:\Programmi\Windows NT\Apw.exe Object is locked skipped
C:\Programmi\Windows NT\baE.exe Object is locked skipped
C:\Programmi\Windows NT\BfoD.exe Object is locked skipped
C:\Programmi\Windows NT\BjiNZw.exe Object is locked skipped
C:\Programmi\Windows NT\CpLPl.exe Object is locked skipped
C:\Programmi\Windows NT\DgTwU.exe Object is locked skipped
C:\Programmi\Windows NT\dLFBoJ.exe Object is locked skipped
C:\Programmi\Windows NT\drNKu.exe Object is locked skipped
C:\Programmi\Windows NT\dzy.exe Object is locked skipped
C:\Programmi\Windows NT\EVekug.exe Object is locked skipped
C:\Programmi\Windows NT\FPw.exe Object is locked skipped
C:\Programmi\Windows NT\FtWxMj.exe Object is locked skipped
C:\Programmi\Windows NT\fxB.exe Object is locked skipped
C:\Programmi\Windows NT\gtv.exe Object is locked skipped
C:\Programmi\Windows NT\HcMS.exe Object is locked skipped
C:\Programmi\Windows NT\hhB.exe Object is locked skipped
C:\Programmi\Windows NT\HlK.exe Object is locked skipped
C:\Programmi\Windows NT\htujF.exe Object is locked skipped
C:\Programmi\Windows NT\IdtSL.exe Object is locked skipped
C:\Programmi\Windows NT\IiJ.exe Object is locked skipped
C:\Programmi\Windows NT\izI.exe Object is locked skipped
C:\Programmi\Windows NT\Izr.exe Object is locked skipped
C:\Programmi\Windows NT\jJl.exe Object is locked skipped
C:\Programmi\Windows NT\KMq.exe Object is locked skipped
C:\Programmi\Windows NT\Mxn.exe Object is locked skipped
C:\Programmi\Windows NT\Nkx.exe Object is locked skipped
C:\Programmi\Windows NT\NWqWmT.exe Object is locked skipped
C:\Programmi\Windows NT\OiS.exe Object is locked skipped
C:\Programmi\Windows NT\oKZj.exe Object is locked skipped
C:\Programmi\Windows NT\OTi.exe Object is locked skipped
C:\Programmi\Windows NT\PRs.exe Object is locked skipped
C:\Programmi\Windows NT\pues.exe Object is locked skipped
C:\Programmi\Windows NT\SdTrVg.exe Object is locked skipped
C:\Programmi\Windows NT\sTB.exe Object is locked skipped
C:\Programmi\Windows NT\SWxX.exe Object is locked skipped
C:\Programmi\Windows NT\uEJ.exe Object is locked skipped
C:\Programmi\Windows NT\VeR.exe Object is locked skipped
C:\Programmi\Windows NT\VpZ.exe Object is locked skipped
C:\Programmi\Windows NT\Xae.exe Object is locked skipped
C:\Programmi\Windows NT\Xoz.exe Object is locked skipped
C:\Programmi\Windows NT\yDt.exe Object is locked skipped
C:\Programmi\Windows NT\zPKTx.exe Object is locked skipped
C:\Programmi\Windows NT\Zqa.exe Object is locked skipped
C:\Programmi\Windows NT\Zte.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awtsr.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mljjh.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\pmnnl.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\tmp00004730\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De1.rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De1.rar RAR: infected - 1 skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar/patch_.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar/patch_.exe Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar ZIP: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


As for users, no, I'm the only one using this PC. I use eMule, though, which is where the infection came from.

Now, let's take stock here. It is obvious that what I used so far didn't stop anything. I have Ad-Aware, Spybot and BitDefender Personal. I would now like to have serious protection. Can you tell me what I should buy?

One last thing: entry #2 of HijackThis
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
keeps on coming back even though you told me to fix it.

OK, now. I'll be waiting for your knowledge on my mess.....

Michael
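
An added example, not part of the thread: a small Python parser for the Kaspersky Online Scanner log format posted above. It separates the "Object is locked skipped" noise (registry hives, event logs and index.dat files the scanner cannot open while Windows is running) from real detections, reproduces the scanner's own "viruses found" and "infected objects" counts, and pulls out two things a reader of this log would want to see: the three ConHook DLLs are loose files under system32 (live components, not archived downloads), and the Kapucen/Xone hits now sit under E:\RECYCLER\<SID>\, which is where Explorer's delete moves files on Windows XP, so the archives were recycled rather than destroyed. The sample log is constructed from lines in the thread; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line shapes emitted by Kaspersky Online Scanner 5.x in the thread's logs.
# The online scanner is read-only, so "Last Action" is always "skipped".
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>RAR|ZIP): infected - (?P<count>\d+) skipped$")

# Windows XP per-user Recycle Bin: <drive>:\RECYCLER\<user SID>\...
RECYCLE_BIN_RE = re.compile(r"^[A-Z]:\\RECYCLER\\S-1-5-21-[\d-]+\\", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.I)

# Constructed sample: a subset of the lines from the scan posted above.
SAMPLE_LOG = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\sara\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\awtsr.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\mljjh.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
C:\WINDOWS\system32\pmnnl.dll Infected: Trojan-Downloader.Win32.ConHook.l skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De1.rar/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De1.rar RAR: infected - 1 skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar/patch_.exe/data0002 Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar/patch_.exe Infected: Trojan-Clicker.MSIL.Xone.a skipped
E:\RECYCLER\S-1-5-21-776561741-1078081533-839522115-1003\De2.rar ZIP: infected - 2 skipped
Scan process completed.
"""


@dataclass
class Entry:
    container: str            # on-disk file (archive or plain file)
    member: str               # path inside the archive, "" for plain files
    status: str               # "locked" | "infected" | "archive"
    detection: Optional[str]  # detection name for "infected", else None
    count: int = 0            # infected members for "archive" summary lines


def parse_kav_log(text: str) -> list[Entry]:
    """Parse the 'Infected Object Name / Virus Name / Last Action' section."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            entries.append(Entry(m["path"], "", "locked", None))
            continue
        m = INFECTED_RE.match(line)
        if m:
            # Kaspersky separates archive members with '/', which never
            # occurs inside a Windows path itself.
            container, _, member = m["path"].partition("/")
            entries.append(Entry(container, member, "infected", m["name"]))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            entries.append(Entry(m["path"], "", "archive", None, int(m["count"])))
        # header/footer lines ("Scan process completed." etc.) are ignored
    return entries


def summarize(entries: list[Entry]) -> dict:
    infected = [e for e in entries if e.status == "infected"]
    archives = [e for e in entries if e.status == "archive"]
    names = sorted({e.detection for e in infected})
    return {
        # mirrors the scanner's own "Number of viruses found"
        "viruses_found": len(names),
        # mirrors "Number of infected objects": members plus their containers
        "infected_objects": len(infected) + len(archives),
        "locked": sum(1 for e in entries if e.status == "locked"),
        "detections": names,
        # loose files under system32 are live components, not downloads
        "live_system32": sorted(e.container for e in infected
                                if not e.member and SYSTEM32_RE.search(e.container)),
        # hits under RECYCLER\<SID> were deleted via Explorer, not destroyed
        "in_recycle_bin": sorted({e.container for e in infected + archives
                                  if RECYCLE_BIN_RE.match(e.container)}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_kav_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On a full saved log, `parse_kav_log(open(path).read())` gives the same summary; on the scan above it reports 3 viruses and 8 infected objects, matching the scanner's own statistics. The recycled archives go away when the Recycle Bin on E: is emptied (or the files are deleted with Shift+Delete); the loose DLLs under system32 need a removal tool, because the online scanner never deletes anything.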

#10 amateur (Malware Fighter, Malware Response Team)

Posted 27 September 2006 - 09:59 AM

Hi Michael,

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file) is a leftover registry entry from Spybot, not malware, and it's only clutter. It's coming back because you have TeaTimer running; TeaTimer puts it back. Kaspersky is still reporting the Vundo infection. We'll try a different method.

We'll need to disable Ewido guard and Tea timer so that they will not interfere with the changes we are going to make:

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Then download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by Spybot's TeaTimer.
Once it has run, delete it; it will not be needed again.

To disable Ewido:
From the system tray:
  • Right-click the system tray icon and uncheck real time protection.
    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable them.

==========================================

Scan with HijackThis and have it fix the O2 line now:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

Make sure that all browsers/windows/applications/email, etc. are closed when you click fix checked. Exit HijackThis.

==========================================

Please download VundoFix.exe to your C:\.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing has been found, right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following line into the first field:
    C:\WINDOWS\system32\pmnnl.dll
  • Copy and paste the next one into the second field:
    C:\WINDOWS\system32\mljjh.dll
  • Copy and paste the next one into the third field:
    C:\WINDOWS\system32\awtsr.dll
  • Click the "Add Files" button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

==========================================

Please download CCleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "CCleaner Yahoo Toolbar" unless you want it.
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT the Advanced part of the menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select Cookies and move the ones you want to keep to the "Cookies to keep" section, by highlighting them and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

============================================

Please right-click on HijackThis.exe, choose "Rename", and rename the file to "Unhide.exe". If it asks you to reboot, please do so. Otherwise, click on Unhide.exe (the old HijackThis) to scan and save the log. Please post back that log along with the contents of C:\vundofix.txt. I would also like you to run Kaspersky again to check whether it's still flagging any bad files. Thank you.
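
As an added example (not part of the thread, and not HijackThis code), a Python triage of HijackThis 1.99 log lines that applies the points made in this reply: a "(no file)" or "(file missing)" entry is only a registry pointer, the Spybot CLSID above is a known leftover, and an O23 service shown as "(file missing)" whose binary appears in the "Running processes" list (bdss.exe and xcommsvr.exe in the log above, each with a stray quote before "/service") indicates HijackThis mis-parsed a quoted ImagePath with arguments rather than a genuinely missing service. It also flags the five-random-letter system32 DLL naming of the ConHook files Kaspersky reported; that pattern is a heuristic, not a signature, and a legitimate five-letter DLL would match too. The sample log is constructed from lines in the thread plus one constructed O2 line pointing at awtsr.dll (the posted HijackThis log has no such line); function names are the example's own.

```python
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Naming pattern of the ConHook/Vundo DLLs Kaspersky flagged in the thread
# (awtsr.dll, mljjh.dll, pmnnl.dll): five random letters under system32.
# Heuristic only: a legitimate five-letter DLL name matches as well.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll\b", re.I)
# Last "\something.exe" in an O23 ImagePath, even when it is followed by
# a stray quote and service arguments.
EXE_RE = re.compile(r"\\([^\\\"]+\.exe)", re.I)

# Identified in the thread as a leftover Spybot S&D registry entry.
KNOWN_LEFTOVERS = {
    "{53707962-6F74-2D53-2644-206D7942484F}": "Spybot S&D leftover (harmless clutter)",
}

# Constructed sample from the posted log. The third O2 line is invented to
# exercise the DLL-name heuristic; the posted log contains no such entry.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\awtsr.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""


@dataclass
class Finding:
    severity: str   # "high" | "review" | "info"
    section: str    # HijackThis section tag, e.g. "O2"
    body: str
    reason: str


def parse_hjt(text: str) -> tuple[set[str], list[tuple[str, str]]]:
    """Return (basenames of running processes, [(section, body), ...])."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                running.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["section"], m["body"]))
    return running, entries


def triage_hjt(text: str) -> list[Finding]:
    running, entries = parse_hjt(text)
    findings = []
    for section, body in entries:
        low = body.lower()
        dangling = low.endswith("(no file)") or low.endswith("(file missing)")

        if dangling:
            if section == "O23":
                exe = EXE_RE.findall(body)
                if exe and exe[-1].lower() in running:
                    findings.append(Finding("info", section, body,
                        "reported as missing but the binary is in the running "
                        "process list (quoted ImagePath with arguments)"))
                    continue
            clsid = CLSID_RE.search(body)
            known = KNOWN_LEFTOVERS.get(clsid.group(0).upper()) if clsid else None
            if known:
                findings.append(Finding("info", section, body, known))
            else:
                findings.append(Finding("review", section, body,
                    "dangling entry: only a registry pointer remains"))
            continue

        if RANDOM_DLL_RE.search(body):
            findings.append(Finding("high", section, body,
                "five-letter random DLL under system32 (ConHook/Vundo naming pattern)"))
            continue

        if section == "O4":
            cmd = body.split("]", 1)[-1].strip()
            if not re.match(r'^"?[A-Za-z]:\\', cmd):
                findings.append(Finding("review", section, body,
                    "Run entry with no directory; resolved through the search path"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.body}")
```

Fixing a dangling entry in HijackThis only deletes the registry pointer, which is why a TeaTimer that restores registry changes makes the Spybot line reappear; the "high" finding is the one that needs an actual file removal, not a registry fix.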

#11 michael mellner

michael mellner
  • Topic Starter

  • Members
  • 49 posts

Posted 27 September 2006 - 10:39 AM

Thanks amateur again for your help.
I'm in my office now and will be back in about 2 hours. I will make everything as said by you and will post everything.

We will still have to discuss on what product to rely to not let this happen again.....

Michael

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 27 September 2006 - 10:42 AM

Thanks amateur again for your help.
I'm in my office now and will be back in about 2 hours. I will make everything as said by you and will post everything.


No problem. :thumbsup:

We will still have to discuss on what product to rely to not let this happen again.....


Yes, we will once we get the computer as clean as we can. :flowers:

#13 michael mellner

michael mellner
  • Topic Starter

  • Members
  • 49 posts

Posted 27 September 2006 - 02:27 PM

Amateur,
while I wait for the Kaspersky scan, I clicked on an avi file downloaded in emule and this error message appeared:

OS: Windows XP Professional, SP2
CPU: AuthenticAMD, AMD AMD Athlon™ XP 2000+, MMX @ 1680 MHz

Application data:

What is this, gosh?

I'm really thinking about formatting the whole thing since Kaspersky still is showing some files infected.

Anyways, while still waiting for the scan, resetTeatimer looked not to work because it told me that spybot should have been closed (while it was). In addition vundofix showed the same results, i.e. no files found even if I pasted the three lines as you said. I ran ccleaner OK and now I will post the kaspersky log as soon as I have it. In the meantime I have the unhide log ready, but I will post it when I have kaspersky's.

Any comments?

Michael

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 27 September 2006 - 04:46 PM

while I wait for the Kaspersky scan, I clicked on an avi file downloaded in emule and this error message appeared:


I have no idea about the error message. Emule may be a clean program, but I wouldn't trust the files you download. You were infected through file sharing to begin with.

Let me see the other scan results please.

#15 michael mellner

michael mellner
  • Topic Starter

  • Members
  • 49 posts

Posted 27 September 2006 - 05:13 PM

Here we go with the Unhide (HijackThis) log:

Logfile of HijackThis v1.99.1
Scan saved at 20.16.09, on 27/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Softwin\BitDefender10\bdagent.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Softwin\BitDefender10\vsserv.exe
C:\Programmi\Internet Explorer\iexplore.exe
E:\storage\utili sicurezza\Unhide.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Programmi\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Programmi\SkypeMate\SkypeMate.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1158186161497
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


..........and the Kaspersky one (for this, since scanning with the choice 'my computer' was lasting more than 2 years for not more than 15%, I decided to scan my two HDs separately. The one named E is the one that contains the emule stuff while the C...well, it is the C. The log is about the C since Kaspersky didn't find anything on E.

Thanks

I'm here waiting: in Italy it is 0.11 am. What's the time over there?
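Reading a HijackThis log by hand, as amateur does in this thread, means scanning for the same few signals every time. As an added example (not code from the thread, from HijackThis or from BleepingComputer), here is a small Python triage script that parses entry lines in the format shown above, counts entries per section, and flags entries marked "(file missing)" or, for O23 service lines, a path with an unbalanced double quote like the BitDefender services show. The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# HijackThis entry lines look like "<R0|O2|O23|...> - <rest of entry>"
_ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    kind: str                      # section code, e.g. "O23"
    body: str                      # everything after "O23 - "
    flags: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; return None for header/process-list lines."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = HjtEntry(m.group("kind"), m.group("body"))
    if "(file missing)" in entry.body:
        # HijackThis could not find the referenced file on disk
        entry.flags.append("file_missing")
    if entry.kind == "O23" and entry.body.count('"') % 2 == 1:
        # A lone quote means the printed service path is not well-formed
        # and deserves a manual look
        entry.flags.append("unbalanced_quote")
    return entry


def triage(log_text: str) -> Dict[str, object]:
    """Count entries per section and collect the flagged ones."""
    counts: Dict[str, int] = {}
    flagged: List[HjtEntry] = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        counts[entry.kind] = counts.get(entry.kind, 0) + 1
        if entry.flags:
            flagged.append(entry)
    return {"counts": counts, "flagged": flagged}


# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programmi\Softwin\BitDefender10\vsserv.exe" /service (file missing)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("entries per section:", result["counts"])
    for entry in result["flagged"]:
        print(entry.kind, entry.flags, "-", entry.body)
```

The flags only point a human at entries worth a second look; they do not by themselves say an entry is malicious, which is why the thread's helper still asks for the full log.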



