
Hijackthis Log: Please Help Diagnose


7 replies to this topic

#1 jhhu

  • Members
  • 6 posts

Posted 07 November 2006 - 03:13 AM

Hi, Ad-Aware and Spybot S&D have been run. I've deleted many files related to many kinds of Trojan. When I tried to delete ldcore.dll, my desktop was gone and everything stopped. I cannot log in to normal mode after I got this logfile. Thank you for the help.

Logfile of HijackThis v1.99.1
Scan saved at 02:15:03 PM, on 2006/11/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\MATLAB6p5p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\dumprep.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeEventObj Class - {0FAFD871-DFE0-496D-8953-0D5BA28E9766} - C:\Program Files\Internet Explorer\PLUGINS\AviPlayer.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5156.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Export to Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://*/activex/AxisCamControl.ocx
O16 - DPF: {EAA105FE-7BBD-4196-8B96-D46743894195} (MjpegControl Class) - http://*/plugin/mjpegcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS1\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS2\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS3\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\cmspl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Print Spooler Service (bqx2ea1w7ig5) - Unknown owner - C:\WINDOWS\system32\B.tmp.exe (file missing)
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: ION Java Daemon 2.0 - Unknown owner - D:\RSI\IDL60\products\ion20\ion_java\bin\ion_srv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
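
The log above carries the entries that matter in this thread: an AppInit_DLLs value (ldcore.dll), a Winlogon Notify package that is not a stock one (rpcc.dll), a ShellServiceObjectDelayLoad entry (cmspl.dll) and a service whose binary is missing and whose display name imitates the real Print Spooler. The script below is an added example, not part of the post and not HijackThis code: it parses lines in the HijackThis 1.99 format and flags those kinds of entry with the reason a log helper would give. The sample lines are a constructed excerpt in the same format, and the allow-list of stock Windows XP SP2 Winlogon Notify packages is this example's own assumption.

```python
"""Triage a HijackThis 1.99-style log for the persistence points seen in this thread.

Added example: not part of the forum post and not HijackThis code. It flags
entries for a human to check; nothing here declares a file malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the exact line format of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\cmspl.dll
O23 - Service: Print Spooler Service (bqx2ea1w7ig5) - Unknown owner - C:\WINDOWS\system32\B.tmp.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
"""

# Assumption of this example: Winlogon Notify packages present on a stock
# Windows XP SP2 install plus the WGA Notifications update. Anything else
# is loaded into winlogon.exe at every logon and deserves a look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}
# Display names malware borrows, mapped to the genuine service's short name.
IMPERSONATED = {"print spooler": "Spooler"}

SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that needs attention, with the reasons."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons: list[str] = []

        if "(file missing)" in line:
            reasons.append("referenced file is not on disk: orphaned entry, or binary hidden by a rootkit")

        if section == "O20" and line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:
                reasons.append("AppInit_DLLs set: this DLL is loaded into every process that loads user32.dll")
        elif section == "O20" and line.startswith("O20 - Winlogon Notify:"):
            package = line.split("Notify:", 1)[1].split(" - ", 1)[0].strip()
            if package not in KNOWN_WINLOGON_NOTIFY:
                reasons.append(f"Winlogon Notify package '{package}' is not a stock package; it runs inside winlogon.exe")
        elif section == "O21":
            reasons.append("ShellServiceObjectDelayLoad entry: DLL is loaded by explorer.exe when the shell starts")
        elif section == "O23":
            m = SERVICE_RE.match(line)
            if m:
                if m["owner"] == "Unknown owner":
                    reasons.append("service binary carries no company name")
                display, short = m["display"].lower(), m["name"]
                for borrowed, genuine in IMPERSONATED.items():
                    if display.startswith(borrowed) and short != genuine:
                        reasons.append(f"display name imitates the real '{genuine}' service but the service name is '{short}'")

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the excerpt it flags four lines (ldcore.dll, rpcc, cmspl.dll and the fake spooler service) and leaves WgaLogon, the HP service and the O4 entries alone; the rogue "BraveSentry" Run entry is only caught by a signature tool such as SmitFraudFix, which is why the heuristics here stay silent on O4.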


#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 November 2006 - 10:30 AM

Hi jhhu, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

#3 jhhu
  • Topic Starter

  • Members
  • 6 posts

Posted 07 November 2006 - 10:38 AM

Thank you very much. I have run SmitFraudFix v2.119 (smitfraudfix.cmd).
Here is the rapport.txt.


SmitFraudFix v2.119

Scan done at 22:56:32.93, 2006/11/07 Tuesday
Run from C:\Documents and Settings\user\桌面\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\user\「開始~1\程式集\BraveSentry FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\teledi.html"
"SubscribedURL"=""
"FriendlyName"=""


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" c:\\windows\\system32\\ldcore.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#4 jhhu
  • Topic Starter

  • Members
  • 6 posts

Posted 07 November 2006 - 11:13 PM

Hi, I have two more logfiles here in case you need more information. Because I saw "pe386 detected" in the report from SmitFraudFix, I ran the Avenger with the code "Drivers to unload: pe386" <= I just followed someone who had the pe386 detected problem. And then I ran AVG Anti-Spyware again. Everything I did was in Safe Mode. I still can't get into normal mode. I guess I should stop here and wait. Hope I didn't make things worse. Thanks!!!



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xryojncy

*******************

Script file located at: \??\C:\WINDOWS\eqijskwb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xryojncy

*******************

Script file located at: \??\C:\WINDOWS\eqijskwb.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!



=====================AVG Anti-Spyware logfile =====================
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:42:44 AM 2006/11/8

+ Scan result:



C:\WINDOWS\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[292] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[340] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[352] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[360] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[528] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[612] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[676] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[780] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[936] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\Documents and Settings\res\桌面\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Ignored.


::Report end
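
Two things in the AVG report above are worth reading carefully. ldcore.dll is reported once on disk and then once per running process (the bracketed numbers are PIDs), which is the footprint of the AppInit_DLLs entry from the HijackThis log: the DLL was sitting inside every user-mode process. And "C:\WINDOWS\system32:lzx32.sys" is not a file in system32 but an NTFS alternate data stream attached to the system32 directory, the hiding place SmitFraudFix reported as pe386. The script below is an added example, not from the post and not AVG code: it parses lines in this report format, separates file hits from in-process hits, and splits the stream notation without mistaking the drive letter's colon for the stream separator. The report excerpt is constructed in the same format.

```python
"""Split an AVG Anti-Spyware 7.5 scan report into on-disk and in-process hits.

Added example, not from the post and not AVG code. Per-PID lines mean the
same DLL was found loaded in running processes; a 'dir:stream' path is an
NTFS alternate data stream rather than a file inside the directory.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt in the report's line format (paths shortened).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[292] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[340] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\Documents and Settings\res\Desktop\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Ignored.
"""

LINE_RE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")


def split_ads(path: str) -> tuple[str, str | None]:
    """Return (base, stream) for a 'C:\\dir\\file:stream' path; stream is None
    for an ordinary path. The colon after a drive letter is skipped so that
    'C:\\dir' is never read as stream 'dir' of 'C'."""
    if len(path) >= 2 and path[1] == ":":
        drive, rest = path[:2], path[2:]
    else:
        drive, rest = "", path
    base, sep, stream = rest.rpartition(":")
    if not sep:
        return path, None
    return drive + base, stream


def parse_report(text: str):
    """Return (on_disk, in_process): a list of file hits and a map path -> PIDs."""
    on_disk: list[dict] = []
    in_process: dict[str, list[int]] = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["pid"] is not None:
            # Same path found inside a process: record which PIDs carried it.
            in_process[m["path"].lower()].append(int(m["pid"]))
            continue
        base, stream = split_ads(m["path"])
        on_disk.append({"path": base, "stream": stream, "name": m["name"], "action": m["action"]})
    return on_disk, dict(in_process)


def not_removed(on_disk: list[dict]) -> list[dict]:
    """Hits the scanner was told to ignore; they are still on the machine."""
    return [h for h in on_disk if not h["action"].startswith("Cleaned")]


if __name__ == "__main__":
    disk, procs = parse_report(SAMPLE_REPORT)
    for h in disk:
        where = f"stream '{h['stream']}' of {h['path']}" if h["stream"] else h["path"]
        print(f"{h['name']}: {where} [{h['action']}]")
    for path, pids in procs.items():
        print(f"{path} was loaded in {len(pids)} process(es): {pids}")
    for h in not_removed(disk):
        print("still present:", h["path"])
```

The in-process count is the useful signal: a DLL that shows up in many unrelated PIDs was injected by a system-wide mechanism such as AppInit_DLLs, so quarantining the file without also clearing the registry value leaves a broken load that the user experienced as the vanished desktop.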

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 November 2006 - 04:57 AM

Hi jhhu, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. A browser hijacker and downloader called Backdoor.Win32.Bifrose.aat has been/is active on your machine. It is known that the trojan can communicate with remote computers, download and run code, send emails and redirect browser requests.

I would counsel you to disconnect this PC from the Internet immediately until it's clean. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Visit the following sites for more information on internet theft and when to reformat!

If you have any questions before coming to a final decision, please feel free to ask.

2.

I cannot log in the normal mode after I got this Logfile. Thank you for the help.


Did you try to reboot your computer and then log in? Please let me know. In order to follow my instructions it's necessary that you are in Normal mode!

3. Unfortunately I see no firewall in your running processes, which probably means that you have none. I urge you to install one since it's your first defense against malware: there are several good, free programmes available like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

I would advise not to use all the tools you can lay your hands on (like The Avenger) since some of them really need expert help to apply.

Please let me know what you want to do.

Edited by Falu, 08 November 2006 - 05:01 AM.


#6 jhhu
  • Topic Starter

  • Members
  • 6 posts

Posted 08 November 2006 - 07:55 AM

Hi,Falu,

Thank you for your help and information. I would like to try to clean the computer first. It's fine for me if I need to format the computer in the end.

I rebooted and logged in many times, but I cannot get into normal mode. Is the problem caused by Backdoor.Win32.Bifrose.aat or by other infections? Do you know any method by which I can log in to Normal mode? If I can't log in to normal mode, is a reformat the only solution?

jhhu

#7 jhhu
  • Topic Starter

  • Members
  • 6 posts

Posted 08 November 2006 - 08:41 AM

Hi Falu,

I don't know if it is good news. I can log in to Normal Mode. What I did was uninstall Prevx1. I found that Prevx1 can get rid of rpcc.dll, so I installed it before I came here. Unfortunately, I didn't have a chance to use it because it needs to run in Normal Mode. Is it possible that Backdoor.Win32.Bifrose.aat can detect Prevx1? Is that why I couldn't get into Normal Mode?

Here is the HijackThis logfile. I will do my best to stop myself from running other anti-XX programs before I hear from you. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 09:42:51 PM, on 2006/11/8
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\MATLAB6p5p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\enbalpt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\enbalptA.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeEventObj Class - {0FAFD871-DFE0-496D-8953-0D5BA28E9766} - C:\Program Files\Internet Explorer\PLUGINS\AviPlayer.dll (file missing)
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:\Documents and Settings\All Users\Application Data\Microsoft\UserData\IEHelper_5156.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [enbalptA] C:\WINDOWS\enbalptA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Export to Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://*/activex/AxisCamControl.ocx
O16 - DPF: {EAA105FE-7BBD-4196-8B96-D46743894195} (MjpegControl Class) - http://*/plugin/mjpegcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS1\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS2\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O17 - HKLM\System\CS3\Services\Tcpip\..\{51B3DC76-787F-45E6-ACC6-410D33922B0E}: NameServer = *
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetWork - {FC055E7D-8144-4706-8586-2F1C49FCDD2A} - C:\WINDOWS\system32\cmspl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Print Spooler Service (bqx2ea1w7ig5) - Unknown owner - C:\WINDOWS\system32\B.tmp.exe (file missing)
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: ION Java Daemon 2.0 - Unknown owner - D:\RSI\IDL60\products\ion20\ion_java\bin\ion_srv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5p1\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\enbalpt.exe

Edited by jhhu, 08 November 2006 - 09:02 AM.


#8 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 November 2006 - 09:03 AM

Hi jhhu, :thumbsup:

Thank you for your help and information. I would like to try to clean the computer first.


You're very welcome and okay let's continue.

1. You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

2. Download rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles in your next reply.

3. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

4. Update AVG Anti-Spyware 7.5

After the update finishes (the status bar at the bottom will display "Update successful"), close AVG Anti-Spyware 7.5. Do not run it yet.

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 a few times before Windows loads. Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and
    Uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Please post the AVG report along with the uninstall_list.txt, the two rustbfix logs, the Smitfraud report and a fresh HijackThis log.



