Hijackthis Log: Please Help Diagnose


13 replies to this topic

#1 noman

noman

  • Members
  • 8 posts

Posted 04 January 2007 - 10:39 PM

TIA!

Hope someone can help me eliminate these problems with my son's PC running XP Pro with up to date patches.

Symptoms below and HJT log at bottom.

--------------------------
at login:

Error loading: c:\documents and Settings\Devon\Local Settings\Application Data\hrcopul.dll

The specified module could not be found.

---------------------

at login:

AVG finds: Worm.locksky.aq

-------------------

Every 2 minutes I get a pop-up that says:

16 bit MS-DOS Subsystem
C:\DOCUM~!\Devon\LOCALS~1\Temp\cnd.exe
The NTVDM CPU has encountered an illegal instruction.
CS:054a IP:023e OP:63 68 65 2f 31

Choose 'Close' to terminate

--------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:29:57 PM, on 1/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\gilkoeaA.exe
C:\WINDOWS\winsock32.exe
C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Devon\Desktop\Save for Dad\MalWare\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 16.7.36.140 www.sophos.com
O1 - Hosts: 6.243.141.253 sophos.com
O1 - Hosts: 57.166.181.189 www.viruslist.com
O1 - Hosts: 7.202.154.43 viruslist.com
O1 - Hosts: 76.55.244.82 viruslist.com
O1 - Hosts: 12.100.143.239 f-secure.com
O1 - Hosts: 110.120.85.107 www.f-secure.com
O1 - Hosts: 13.120.16.32 kaspersky.com
O1 - Hosts: 234.225.107.109 kaspersky-labs.com
O1 - Hosts: 12.131.173.16 www.avp.com
O1 - Hosts: 57.50.253.240 www.kaspersky.com
O1 - Hosts: 239.159.37.220 avp.com
O1 - Hosts: 4.232.43.84 www.networkassociates.com
O1 - Hosts: 241.67.175.125 networkassociates.com
O1 - Hosts: 120.63.231.199 www.ca.com
O1 - Hosts: 88.139.165.95 ca.com
O1 - Hosts: 175.125.156.21 secure.nai.com
O1 - Hosts: 162.104.2.0 nai.com
O1 - Hosts: 196.37.234.66 www.nai.com
O1 - Hosts: 241.241.4.10 securityresponse.symantec.com
O1 - Hosts: 163.253.65.231 symantec.com
O1 - Hosts: 179.30.138.200 www.sophos.com
O1 - Hosts: 181.154.54.219 sophos.com
O1 - Hosts: 197.228.103.15 www.mcafee.com
O1 - Hosts: 211.59.250.220 mcafee.com
O1 - Hosts: 16.248.82.107 liveupdate.symantecliveupdate.com
O1 - Hosts: 207.249.142.0 www.viruslist.com
O1 - Hosts: 145.147.111.231 viruslist.com
O1 - Hosts: 145.124.99.84 viruslist.com
O1 - Hosts: 117.61.142.99 f-secure.com
O1 - Hosts: 24.248.63.186 www.f-secure.com
O1 - Hosts: 246.156.47.120 kaspersky.com
O1 - Hosts: 192.214.237.218 kaspersky-labs.com
O1 - Hosts: 149.92.222.112 www.avp.com
O1 - Hosts: 103.87.58.28 www.kaspersky.com
O1 - Hosts: 154.151.217.205 avp.com
O1 - Hosts: 206.203.203.57 www.networkassociates.com
O1 - Hosts: 236.227.138.97 networkassociates.com
O1 - Hosts: 225.104.58.216 www.ca.com
O1 - Hosts: 52.223.79.111 ca.com
O1 - Hosts: 189.149.6.193 mast.mcafee.com
O1 - Hosts: 81.83.142.229 my-etrust.com
O1 - Hosts: 14.224.83.23 www.my-etrust.com
O1 - Hosts: 31.103.170.41 download.mcafee.com
O1 - Hosts: 57.246.0.166 dispatch.mcafee.com
O1 - Hosts: 7.100.45.222 secure.nai.com
O1 - Hosts: 221.42.129.197 nai.com
O1 - Hosts: 232.7.87.97 www.nai.com
O1 - Hosts: 161.144.148.195 update.symantec.com
O1 - Hosts: 76.225.249.44 updates.symantec.com
O1 - Hosts: 199.172.188.100 us.mcafee.com
O1 - Hosts: 100.78.28.231 liveupdate.symantec.com
O1 - Hosts: 161.42.25.113 customer.symantec.com
O1 - Hosts: 232.114.243.125 rads.mcafee.com
O1 - Hosts: 202.37.131.215 trendmicro.com
O1 - Hosts: 55.82.173.193 www.trendmicro.com
O1 - Hosts: 55.135.250.85 www.grisoft.com
O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.ten.hctamtnetnoc (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103664057462
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab
O16 - DPF: }6DAB6E8EE299-AD9A-1E74-4BDC-9876DA51{ - http://static.windupdates.com/cab/WebsiteA...e/bridge-c9.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

Edited by noman, 04 January 2007 - 11:06 PM.
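The log above carries two patterns worth spotting by eye or by script: dozens of O1 hosts entries that point security-vendor domains (Symantec, McAfee, Kaspersky, Grisoft and others) at arbitrary addresses, several of them in multicast or reserved ranges that cannot even be routed, so updates and vendor sites silently fail; and two entries written backwards to dodge simple string matching (the O15 trusted-zone host `ny.ten.hctamtnetnoc` and the O16 CLSID with its braces reversed). The script below is an added example for this thread, not a tool from the thread or from the HijackThis project; it runs those checks over a constructed subset of the posted log. The vendor-domain list, the reversal heuristics and all function names are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
thread's or HijackThis's code). Sample lines are copied from the log above;
vendor list, heuristics and function names are this example's assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Registrable domains of AV/security vendors (constructed list; extend as needed).
SECURITY_VENDOR_DOMAINS = {
    "sophos.com", "viruslist.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "networkassociates.com", "ca.com",
    "nai.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "my-etrust.com", "trendmicro.com", "grisoft.com",
}
COMMON_TLDS = {"com", "net", "org", "info", "biz"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - .*?:\s+\[([^\]]+)\]\s*(.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")
O16_RE = re.compile(r"^O16 - DPF:\s+(\S+)(?:\s+\([^)]*\))?\s+-\s+(\S+)")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (enough for the vendors listed)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_hosts_entry(ip, host):
    """Reason a hosts entry is suspicious, or None when it is not a vendor domain."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"{host} mapped to unparseable address {ip}"
    domain = registrable_domain(host)
    if domain not in SECURITY_VENDOR_DOMAINS:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return f"{domain} blackholed to {ip}"
    if addr.is_multicast or addr.is_reserved:  # 224/4 and 240/4: never a real host
        return f"{domain} redirected to non-unicast address {ip}"
    return f"{domain} redirected to {ip}"


def looks_reversed_host(host):
    """True when a common TLD appears only after reversing the name ('ny.ten.hctamtnetnoc')."""
    forward = set(host.lower().split("."))
    backward = set(host.lower()[::-1].split("."))
    return not (forward & COMMON_TLDS) and bool(backward & COMMON_TLDS)


def clsid_finding(token):
    """None for a well-formed CLSID; otherwise describe why it is not."""
    if CLSID_RE.match(token):
        return None
    if token.startswith("}") and token.endswith("{") and CLSID_RE.match(token[::-1]):
        return f"reversed CLSID {token} (reads {token[::-1]})"
    return f"malformed CLSID {token}"


def triage(log_text):
    """Return human-readable findings for the O1/O4/O15/O16 lines of a log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            if reason := check_hosts_entry(m.group(1), m.group(2)):
                findings.append(f"O1: {reason}")
        elif m := O4_RE.match(line):
            name, value = m.groups()
            if "\\" not in value.strip('"'):  # bare name: found by PATH search, not a fixed file
                findings.append(f"O4: autorun [{name}] = {value} has no path")
        elif m := O15_RE.match(line):
            host = urlsplit(m.group(1)).hostname or m.group(1)
            if looks_reversed_host(host):
                findings.append(f"O15: trusted-zone host {host} reads reversed as {host[::-1]}")
        elif m := O16_RE.match(line):
            clsid, url = m.groups()
            if reason := clsid_finding(clsid):
                findings.append(f"O16: {reason}")
            host = urlsplit(url).hostname or ""
            if host and looks_reversed_host(host):
                findings.append(f"O16: download host {host} reads reversed as {host[::-1]}")
    return findings


# Constructed subset of the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 16.7.36.140 www.sophos.com
O1 - Hosts: 234.225.107.109 kaspersky-labs.com
O1 - Hosts: 241.67.175.125 networkassociates.com
O1 - Hosts: 55.135.250.85 www.grisoft.com
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://ny.ten.hctamtnetnoc (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: }6DAB6E8EE299-AD9A-1E74-4BDC-9876DA51{ - http://static.windupdates.com/cab/WebsiteA...e/bridge-c9.cab
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample it reports seven findings: the four vendor redirections (two of them to non-unicast addresses), the `winsock32` autorun entry that names no path, the reversed trusted-zone host, and the reversed CLSID, while the legitimate `ctfmon.exe` and Windows Genuine Advantage entries pass. The hosts check keys on the registrable domain, so `www.sophos.com`, `liveupdate.symantec.com` and similar subdomains are all caught by one list entry.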


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 05 January 2007 - 10:43 AM

Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.


You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKLM\..\RunServices: [winsock32] winsock32

O4 - HKCU\..\Run: [winsock32] winsock32

O15 - Trusted Zone: http://ny.ten.hctamtnetnoc (HKLM)

O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nucleus.com/CABUPDATES/winwcd.cab

O16 - DPF: }6DAB6E8EE299-AD9A-1E74-4BDC-9876DA51{ - http://static.windupdates.com/cab/WebsiteA...e/bridge-c9.cab

O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe
====================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

winsock32

Rightclick and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.


======================
DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\gilkoeaA.exe
C:\WINDOWS\winsock32.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot


Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.


Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 noman

noman
  • Topic Starter

  • Members
  • 8 posts

Posted 05 January 2007 - 12:57 PM

Thank you for the recommendations. I have followed all of the procedures and provide the requested logs below.

KillBox and C:\Windows\Temp file deletes accomplished without problem. Status:

- I no longer receive the hrcopul.dll error at start-up
- AVG still finds Worm.locksky.aq at start-up
(appears to be in file C:\WINDOWS\system32\cmdlg77.dll)
- the 2 minute interval pop-up problem has gone away

Awaiting your instructions.



--------------- SUPERAntispyware Log -------------------

SUPERAntiSpyware Scan Log
Generated 01/05/2007 at 12:41 PM

Application Version : 3.4.1000

Core Rules Database Version : 3159
Trace Rules Database Version: 1172

Scan type : Complete Scan
Total Scan Time : 00:46:29

Memory items scanned : 313
Memory threats detected : 0
Registry items scanned : 4352
Registry threats detected : 44
File items scanned : 38290
File threats detected : 52

Adware.Apropos Media
HKU\S-1-5-21-1844237615-1580436667-839522115-1003\Software\Aprps

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Trojan.Malware
C:\asdf.txt

Adware.Elite Media
C:\WINDOWS\em06y.ini

Adware.FullContext
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{04CDB16C-AB38-43CD-A86A-6FEB90290939}

Malware.Ultimate Defender
C:\Program Files\Ultimate Defender

Malware.Antispyware Soldier
C:\Documents and Settings\Devon\Application Data\Microsoft\Internet Explorer\Quick Launch\Antispyware Soldier.lnk

Adware.DeluxeCommunications
HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks#{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
C:\DOCUMENTS AND SETTINGS\DEVON\APPLICATION DATA\DXCUKNWRD.DLL

Malware.AntiVermins
C:\Documents and Settings\Devon\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVermins 2.1.lnk

Adware.SysMon
C:\!KILLBOX\GILKOEAA.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP216\A0092282.EXE

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\DEVON\DESKTOP\SAVE FOR DAD\MALWARE\CLICK TO FIND AND FIX ERRORS.URL

Adware.Mirar/NetNucleus
C:\DOCUMENTS AND SETTINGS\DEVON\DESKTOP\SAVE FOR DAD\MALWARE\HIJACKTHIS\BACKUPS\BACKUP-20070105-105644-670.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP216\A0092266.DLL

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\system@ad.zanox[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adknowledge[1].txt
C:\Documents and Settings\LocalService\Cookies\system@ads.realtechnetwork[2].txt
C:\Documents and Settings\LocalService\Cookies\system@belnk[1].txt
C:\Documents and Settings\LocalService\Cookies\system@dist.belnk[2].txt
C:\Documents and Settings\LocalService\Cookies\system@exitexchange[1].txt
C:\Documents and Settings\LocalService\Cookies\system@hits.clickandtrack[2].txt
C:\Documents and Settings\LocalService\Cookies\system@hurricanedigitalmedia[1].txt
C:\Documents and Settings\LocalService\Cookies\system@interclick[2].txt
C:\Documents and Settings\LocalService\Cookies\system@jamster[1].txt
C:\Documents and Settings\LocalService\Cookies\system@offeroptimizer[1].txt
C:\Documents and Settings\LocalService\Cookies\system@redorbit[1].txt
C:\Documents and Settings\LocalService\Cookies\system@regalinteractive[2].txt
C:\Documents and Settings\LocalService\Cookies\system@www.redorbit[2].txt

Trojan.Hacktool
C:\PROGRAM FILES\COMMON FILES\{B893BE7A-067B-1033-1221-041024050001}\SYSTEM.DLL

Adware.Spyware Labs/Virtual Bouncer
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\1372B329-0D5D-49C1-ABFD-8F76F1\32B62B8D-9966-4F68-867A-F9D0AC
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\6B3FDA83-BF84-492C-9412-8C90F7\9BA7CB86-BA46-465D-807D-AC2915

Adware.Spyware Labs
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\82E1AD5B-B32B-4DEB-AB80-D7BAED\DB520550-CEEB-4476-9BFA-DDD9E7

Adware.eXact Advertising
C:\PROGRAM FILES\MICROSOFT ANTISPYWARE\QUARANTINE\A0926FFB-6C41-45BD-BCD9-D81B2B\85AE8C67-5706-43DC-BBB5-2FC0B7

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP173\A0061899.EXE
C:\WINDOWS\SYSTEM32\WINPFG32.SYS

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP188\A0071325.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP206\A0074890.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP215\A0091963.EXE

Adware.ClickSpring/Yazzle
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP195\A0071542.EXE

Trojan.Downloader-WebHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP195\A0071549.EXE

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP195\A0071550.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP195\A0071553.EXE

Unclassified.Unknown Origin/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP195\A0071554.SYS

Trojan.BraveSentry
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP210\A0081130.EXE

Trojan.TaskDir
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP210\A0081139.DLL

Trojan.Rootkit-FullContext
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP213\A0091380.SYS

Trojan.Freeprod
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP216\A0092257.EXE

Adware.FullContext/SCA
C:\WINDOWS\SRVHAPFZQQ.EXE
C:\WINDOWS\SRVHCUQTJR.EXE
C:\WINDOWS\SRVTHEOCHW.EXE

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ADLCONTROLCOMP.XML
C:\WINDOWS\SYSTEM32\SP32.XML

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\BANG-006.ICO
C:\WINDOWS\TEMPF.TXT

------------------------------------------
--------------- HJT Log -----------------
------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:50:10 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Documents and Settings\Devon\Desktop\Save for Dad\MalWare\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 82.219.163.188 securityresponse.symantec.com
O1 - Hosts: 13.58.185.190 symantec.com
O1 - Hosts: 21.204.241.238 www.sophos.com
O1 - Hosts: 147.223.212.150 sophos.com
O1 - Hosts: 177.168.111.207 www.mcafee.com
O1 - Hosts: 167.44.231.205 mcafee.com
O1 - Hosts: 174.120.32.252 liveupdate.symantecliveupdate.com
O1 - Hosts: 254.65.55.159 www.viruslist.com
O1 - Hosts: 180.49.86.111 viruslist.com
O1 - Hosts: 80.146.154.230 viruslist.com
O1 - Hosts: 157.137.39.44 f-secure.com
O1 - Hosts: 196.15.142.213 www.f-secure.com
O1 - Hosts: 203.233.172.124 kaspersky.com
O1 - Hosts: 189.206.35.62 kaspersky-labs.com
O1 - Hosts: 217.227.17.195 www.avp.com
O1 - Hosts: 229.85.47.98 www.kaspersky.com
O1 - Hosts: 21.59.242.88 avp.com
O1 - Hosts: 152.103.221.223 www.networkassociates.com
O1 - Hosts: 205.3.22.246 networkassociates.com
O1 - Hosts: 153.235.3.168 www.ca.com
O1 - Hosts: 110.202.227.188 ca.com
O1 - Hosts: 142.220.196.3 mast.mcafee.com
O1 - Hosts: 237.81.181.182 my-etrust.com
O1 - Hosts: 99.201.23.35 www.my-etrust.com
O1 - Hosts: 7.85.0.132 download.mcafee.com
O1 - Hosts: 223.112.254.211 dispatch.mcafee.com
O1 - Hosts: 71.238.59.254 secure.nai.com
O1 - Hosts: 37.212.177.41 nai.com
O1 - Hosts: 234.247.164.0 www.nai.com
O1 - Hosts: 110.125.242.73 update.symantec.com
O1 - Hosts: 11.9.212.40 updates.symantec.com
O1 - Hosts: 40.176.217.66 us.mcafee.com
O1 - Hosts: 22.131.151.195 liveupdate.symantec.com
O1 - Hosts: 81.197.81.240 customer.symantec.com
O1 - Hosts: 34.40.163.54 rads.mcafee.com
O1 - Hosts: 51.14.112.245 trendmicro.com
O1 - Hosts: 132.199.149.120 www.trendmicro.com
O1 - Hosts: 226.63.41.64 www.grisoft.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103664057462
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


---------------
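Most of the 52 file detections in the SUPERAntiSpyware log above are not running infections: they sit in System Restore snapshots (`System Volume Information\_RESTORE{...}\RP...`), in HijackThis's own backup folder, in the Killbox and Microsoft AntiSpyware quarantine folders, or are tracking cookies. The handful that remain in live locations (`msnav32.ax`, `WINPFG32.SYS`, the `cmdService` service keys) are what a helper actually needs to act on, and the restore-point copies matter only in that an older restore point would bring them back, which is why cleaners usually flush restore points once a machine is clean. The script below, an added example that is not the thread's or the vendor's code, sorts a scan log by where each item lives; the sample log is a constructed subset of the one posted above, and the location classes, path markers and function names are this example's assumptions.

```python
"""Summarise a SUPERAntiSpyware scan log by where each detection lives
(added example, not the thread's or the vendor's code). The sample log is a
constructed subset of the one posted above; location classes, path markers
and function names are this example's assumptions."""
import re
from collections import defaultdict

# A detection item is a drive-letter path or a registry path.
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z]+\\)")
RESTORE_POINT_RE = re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[^}]+\}\\RP\d+\\", re.I)
# Folders where another tool has already isolated the file (constructed marker list).
QUARANTINE_MARKERS = ("\\!KILLBOX\\", "\\HIJACKTHIS\\BACKUPS\\", "\\QUARANTINE\\")


def classify(item):
    """Where a detected item lives: registry, restore-point, quarantine, cookie or live-file."""
    if item.startswith("HK"):
        return "registry"
    if RESTORE_POINT_RE.search(item):
        return "restore-point"
    upper = item.upper()
    if any(marker in upper for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if "\\COOKIES\\" in upper:
        return "cookie"
    return "live-file"


def parse_detections(log_text):
    """Yield (threat_name, item) from the blank-line-separated detection blocks."""
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        # Header blocks (version, counts, timestamp) have no path lines under them.
        if len(lines) < 2 or not all(ITEM_RE.match(l) for l in lines[1:]):
            continue
        threat = lines[0]
        for item in lines[1:]:
            yield threat, item


def summarise(log_text):
    """Map location class -> list of (threat, item), so live items stand out."""
    summary = defaultdict(list)
    for threat, item in parse_detections(log_text):
        summary[classify(item)].append((threat, item))
    return dict(summary)


# Constructed subset of the scan log posted above.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
Generated 01/05/2007 at 12:41 PM

Application Version : 3.4.1000

Adware.Apropos Media
HKU\S-1-5-21-1844237615-1580436667-839522115-1003\Software\Aprps

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Adware.SysMon
C:\!KILLBOX\GILKOEAA.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP216\A0092282.EXE

Adware.Mirar/NetNucleus
C:\DOCUMENTS AND SETTINGS\DEVON\DESKTOP\SAVE FOR DAD\MALWARE\HIJACKTHIS\BACKUPS\BACKUP-20070105-105644-670.DLL

Adware.Tracking Cookie
C:\Documents and Settings\LocalService\Cookies\system@ad.zanox[1].txt

Trojan.Downloader-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP173\A0061899.EXE
C:\WINDOWS\SYSTEM32\WINPFG32.SYS
"""

if __name__ == "__main__":
    for location, items in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{location} ({len(items)})")
        for threat, item in items:
            print(f"  {threat}: {item}")
```

On the sample the two live files and three registry keys separate cleanly from the two restore-point copies, two quarantined copies and one cookie; the header blocks at the top of the log are skipped because nothing under them looks like a path.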

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 05 January 2007 - 02:13 PM

You have no active AntiVirus!

Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

AVG AV 7.5 - http://free.grisoft.com/freeweb.php/doc/2/

(Not to be confused with AVG AS 7.5)
==============================


Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.
========================
You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKLM\..\RunServices: [winsock32] winsock32

O4 - HKCU\..\Run: [winsock32] winsock32

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\winsock32.exe
C:\WINDOWS\system32\cmdlg77.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 noman

noman
  • Topic Starter

  • Members
  • 8 posts

Posted 05 January 2007 - 04:27 PM

1. Loaded AVG AV 7.5
2. Restored Hosts
3. KillBox reported winsock32.exe and cmdlg77.dll _NOT_ present
4. Deleted files in %temp% and C:\Windows\Temp
5. Logs below

Status: AVG still finds Worm.locksky.aq at start-up
(appears to be in file C:\WINDOWS\system32\cmdlg77.dll which KillBox reports not present)

Appreciate any help you can give me to get rid of Worm.locksky.aq.

----
PS1: Can I HJT-fix this:
-----------------------------
- O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)

PS2: Should I get rid of this:
---------------------------------
- C:\WINDOWS\system32\sdfghjgewaertyutrew.exe


---------------------------------------------
--------------- HJT Log --------------------
---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:44:29 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Devon\Desktop\Save for Dad\MalWare\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103664057462
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-------------------------------------------------------------
------------------- SUPERAntiSpyware Log --------------
-------------------------------------------------------------

SUPERAntiSpyware Scan Log
Generated 01/05/2007 at 04:14 PM

Application Version : 3.4.1000

Core Rules Database Version : 3159
Trace Rules Database Version: 1172

Scan type : Complete Scan
Total Scan Time : 00:51:27

Memory items scanned : 333
Memory threats detected : 0
Registry items scanned : 4415
Registry threats detected : 0
File items scanned : 38499
File threats detected : 6

Adware.SysMon
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092299.EXE

Adware.Mirar/NetNucleus
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092300.DLL

Adware.FullContext/SCA
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092303.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092304.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092305.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{15D75BD9-C442-46FE-81A7-90A1CFDEDE2B}\RP217\A0092306.ICO


-------------------------------------------------------------
------------------- SUPERAntiVirusware Log --------------
-------------------------------------------------------------

Not sure how to get the log, but it removed:

C:\ Document\.......\svchosts(1).exe
C:\Program Files\Microsoft AntiSpyware\Quarintine\3A05....
C:\WINDOWS\50002.exe
C:\WINDOWS\SSK3_B5_SSK3_B5.exe
C:\WINDOWS\system32\ir6ol5j31.dll

#6 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 05 January 2007 - 04:52 PM

Yes, delete those files.
===========
1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
===================

Microsoft AntiSpy is preventing the changes - but also it has been replaced with Windows Defender.

Add remove programs - remove MS AntiSpy

then do the hijack fixes to remove those 2 entries

then you can get the new program

MS Windows Defender - http://www.microsoft.com/downloads/details...;displaylang=en (XP and only)
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 noman (Topic Starter, Members, 8 posts)

Posted 05 January 2007 - 05:24 PM

1. Ran combofix (log below)
2. Microsoft AntiSpy not really on computer anymore (removed via add/remove)
3. HJT removed O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
4. HJT log at bottom (aertyutrew.exe not there now)


Status: AVG still finds Worm.locksky.aq at start-up


-----------------------------------------------------
---------------- ComboFix ----------------------
-----------------------------------------------------

Devon - 07-01-05 17:02:22.17 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Devon\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Devon\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\PrintView
C:\Program Files\Common Files\{3893BE7A-067B-1033-1221-041024050001}
C:\Program Files\Common Files\{B893BE7A-067B-1033-1221-041024050001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Devon\Application Data\YSTEM~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\ICROSO~1
C:\QooBox\Purity\Program Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\SKS~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))


2007-01-05 14:54 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-05 14:24 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-05 14:24 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-05 14:24 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-05 14:24 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-05 14:24 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-05 14:24 <DIR> d-------- C:\Documents and Settings\Devon\Application Data\AVG7
2007-01-05 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-01-05 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-01-05 11:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-05 11:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-05 11:51 <DIR> d-------- C:\Documents and Settings\Devon\Application Data\SUPERAntiSpyware.com
2007-01-05 11:43 <DIR> d-------- C:\!KillBox
2007-01-04 12:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-01-04 10:24 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-01-04 00:56 <DIR> d-------- C:\bintheredunthat
2007-01-03 23:35 917 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-03 23:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-03 23:16 <DIR> d-------- C:\Program Files\Grisoft
2007-01-03 22:38 <DIR> d-------- C:\Qoofix
2007-01-03 22:31 <DIR> d-------- C:\BFU
2007-01-03 22:27 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2007-01-03 22:15 <DIR> d-------- C:\Program Files\Safer Networking
2007-01-02 23:09 0 --a------ C:\WINDOWS\winlogin.exe
2007-01-02 23:09 0 --a------ C:\WINDOWS\hotporn.exe
2007-01-02 23:09 <DIR> d-------- C:\Program Files\softwa~1
2006-12-31 14:01 79,657 --a------ C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
2006-12-31 14:01 79,657 --a------ C:\WINDOWS\system32\qvx5gamet2.exe
2006-12-31 14:00 16 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-31 13:59 51,201 --a------ C:\WINDOWS\lcass.exe
2006-12-31 13:59 10,298 --a------ C:\svhost.exe
2006-12-28 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-12-27 12:51 234,055 -r--s---- C:\WINDOWS\system32\fp6003jme.dll
2006-12-26 18:42 <DIR> d-------- C:\Program Files\802.11 Wireless LAN
2006-12-23 14:39 65,536 --a------ C:\WINDOWS\dls0523pmw.exe
2006-12-23 14:39 34,816 --a------ C:\WINDOWS\rau001978.exe
2006-12-18 07:30 <DIR> d-------- C:\Program Files\Silkroad
2006-12-15 17:42 <DIR> d-------- C:\Documents and Settings\Devon\Application Data\çasks
2006-12-09 16:30 <DIR> d-------- C:\WINDOWS\system32\ŕdobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-05 17:03 -------- d-a------ C:\Program Files\Common Files
2007-01-04 22:44 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-04 13:21 -------- d-------- C:\Program Files\MINOLTA-QMS
2007-01-04 10:10 -------- d-------- C:\Program Files\Java
2007-01-04 10:09 -------- d-------- C:\Program Files\Conquer 1.0
2007-01-04 09:52 -------- d--h----- C:\Program Files\InstallShield Installation Information
2007-01-03 23:10 -------- d-------- C:\Program Files\Symantec
2007-01-03 23:08 -------- d-------- C:\Program Files\LimeWire
2007-01-03 22:44 329 --a------ C:\WINDOWS\gxeqx.dll
2007-01-02 23:58 -------- d-------- C:\Program Files\NavNT
2007-01-02 23:54 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-31 14:01 -------- dr------- C:\Program Files\Internet Explorer
2006-12-31 14:00 14336 --a------ C:\WINDOWS\system32\svchost.exe
2006-12-26 20:31 -------- d-------- C:\Program Files\THQ
2006-12-23 14:39 46592 --a------ C:\WINDOWS\gilkoea.exe
2006-12-03 12:59 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-02 13:56 -------- d-------- C:\Program Files\Diablo II
2006-11-06 19:57 -------- d-------- C:\Program Files\eMule


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Jawa32"=""
"Display Drivers"=""
"sys32cmd"=""
"AUNPS2"=""
"Microsoft Task Manager"=""
"4ec22qp5z6al4n"=""
"DIRECT!"=""
"winsock32"="winsock32"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vreSsacg"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"sseccA aideM"=hex(74):43,3a,5c,72,67,6f,72,50,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
.....

Edited by noman, 05 January 2007 - 10:58 PM.
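The ComboFix listing in this post shows the patterns a malware-removal helper reads for by eye: executables named after a core Windows process with one letter changed (lcass.exe, svhost.exe, winlogin.exe), keyboard-mash names (sdfghjgewaertyutrew.exe, dlh9jkd1q8.exe), zero-byte and sub-kilobyte "executables", and folders whose first letter is a non-ASCII lookalike (ŕdobe, çasks). The script below is an added example written for this thread, not code from ComboFix or from anyone in the discussion: it parses lines in the "Files Created" / Find3M format and applies those heuristics. The sample listing embedded in it is a handful of lines copied from the log above; the rule names, the edit-distance limit of 1, the 1024-byte threshold and the set of "hot" directories are this example's own assumptions, so treat its output as a list of things to look at, not a verdict.

```python
import re
from typing import Dict, List, Optional

# Process names that malware habitually imitates with a one-letter change.
CORE_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
              "explorer", "spoolsv", "ctfmon", "rundll32"}
PE_EXTS = {"exe", "dll", "sys", "scr", "com"}
# Assumption: a freshly created executable directly in these directories deserves a look.
HOT_DIRS = {"c:", r"c:\windows", r"c:\windows\system32"}

# Matches both "2007-01-02 23:09 0 --a------ C:\WINDOWS\winlogin.exe" (Files Created)
# and "2007-01-04 22:44 -------- d-------- C:\Program Files\Java" (Find3M).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|-+|[\d,]+)\s+(\S{9})\s+(.+?)\s*$")

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LISTING = r"""
2007-01-05 14:24 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-04 10:24 140,288 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-01-03 23:35 917 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-02 23:09 0 --a------ C:\WINDOWS\winlogin.exe
2006-12-31 14:01 79,657 --a------ C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
2006-12-31 14:00 16 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-12-31 13:59 51,201 --a------ C:\WINDOWS\lcass.exe
2006-12-31 13:59 10,298 --a------ C:\svhost.exe
2006-12-09 16:30 <DIR> d-------- C:\WINDOWS\system32\ŕdobe
2007-01-04 22:44 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-03 12:59 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one ComboFix file-listing line; return None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, size_tok, attrs, path = m.groups()
    is_dir = size_tok == "<DIR>" or attrs.startswith("d")
    size = int(size_tok.replace(",", "")) if size_tok[0].isdigit() and not is_dir else None
    return {"stamp": stamp, "size": size, "attrs": attrs, "path": path, "is_dir": is_dir}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-letter lookalikes such as lcass/lsass."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Generated-looking names: a digit followed by a letter, four or more digits,
    or a run of five or more consonants (sdfghjg...)."""
    runs = re.findall(r"[b-df-hj-np-tv-xz]+", stem)
    return (re.search(r"\d[a-z]", stem) is not None
            or sum(c.isdigit() for c in stem) >= 4
            or max(map(len, runs), default=0) >= 5)


def triage(listing: str) -> Dict[str, List[str]]:
    """Map each flagged path to the list of reasons it was flagged, in line order."""
    findings: Dict[str, List[str]] = {}

    def flag(path: str, reason: str) -> None:
        findings.setdefault(path, []).append(reason)

    for line in listing.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"]
        directory, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        directory, stem, ext = directory.lower(), stem.lower(), ext.lower()
        if any(ord(c) > 127 for c in name):
            # A non-ASCII first letter makes "ŕdobe" render almost like "Adobe".
            flag(path, "non-ascii-name")
            continue
        if entry["is_dir"] or ext not in PE_EXTS:
            continue
        if stem in CORE_STEMS:
            if directory != r"c:\windows\system32":
                flag(path, "core-name-outside-system32")
        elif any(levenshtein(stem, core) <= 1 for core in CORE_STEMS):
            flag(path, "lookalike-of-system-process")
        size = entry["size"]
        if size == 0:
            # Cannot execute: a failed dropper, or a placeholder left by a cleanup tool.
            flag(path, "zero-byte-executable")
        elif size is not None and size < 1024:
            # A valid PE image with headers and a code section is larger than this.
            flag(path, "tiny-executable")
        if directory in HOT_DIRS and stem not in CORE_STEMS and looks_random(stem):
            flag(path, "random-looking-name")
    return findings


if __name__ == "__main__":
    for flagged_path, reasons in triage(SAMPLE_LISTING).items():
        print(f"{flagged_path}: {', '.join(reasons)}")
```

Run as-is it reports seven of the eleven sample lines and stays quiet on sfc_os.dll, avg7core.sys and the Spybot folder. The consonant-run and digit rules are deliberately crude; a legitimate driver such as nvsvc32.sys would trip them, which is why the output is a review list for a human, not something to delete from.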


#8 noman (Topic Starter, Members, 8 posts)

Posted 05 January 2007 - 05:25 PM

....

Edited by noman, 05 January 2007 - 10:58 PM.


#9 noman (Topic Starter, Members, 8 posts)

Posted 05 January 2007 - 05:27 PM

....

Edited by noman, 05 January 2007 - 11:00 PM.


#10 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 05 January 2007 - 05:31 PM

http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
· Close all windows before continuing.
· Double-click Look2Me-Destroyer.exe to run it.
· Click the Scan for L2M button; your desktop icons will disappear, this is normal.
· Once it's done scanning, click the Remove L2M button.
· You will receive a Done Scanning message, click OK.
· When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
· Your computer will then shutdown.
· Turn your computer back on.
· Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
========================

Please download: http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of those logs along with a new HijackThis log from normal mode.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 noman (Topic Starter, Members, 8 posts)

Posted 05 January 2007 - 07:01 PM

1. Downloaded Look2Me-Destroyer.exe but
"Scan for L2M" button grayed out so I checked "Run this program as a task", "OK", "Scan" button
it never reopened to scan

2. Downloaded/ran Rustbfix and it rebooted twice

3. Requested logs below

4. Status: AVG still finds Worm.locksky.aq at start-up (arrrggg......)


------------------------------------------------------------------------
--------------------------- avenger.txt ------------------------------
------------------------------------------------------------------------


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\eyxccpkg

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!

------------------------------------------------------------------------
-------------------------- pelog.txt ----------------------------------
------------------------------------------------------------------------

************************* Rustock.b-fix -- By ejvindh *************************
Fri 01/05/2007 18:49:23.32

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

-----------------------------------------------------------------------
-------------------------- HJT log -----------------------------------
-----------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 6:59:19 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Documents and Settings\Devon\Desktop\Save for Dad\MalWare\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103664057462
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#12 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 05 January 2007 - 07:24 PM

AVG still finds Worm.locksky.aq at start-up

Where - what file location?

You still have MS AntiSpy

O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"


And until it's gone we can't remove these

O4 - HKLM\..\RunServices: [winsock32] winsock32

O4 - HKCU\..\Run: [winsock32] winsock32
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
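The two entries MFDnSC singles out share one tell: the O4 value is a bare name (`winsock32`) with no path, so Windows resolves it through the PATH search rather than to a file an installer registered, and one of them sits in the Win9x-era RunServices key. The gcasServ.exe entry has a tell of its own: its value name, vreSsacg, is the executable's name spelled backwards. The script below is an added example for this thread, not code from HijackThis or from anyone posting here. It reads HijackThis lines of the kinds seen in the logs above and flags the items a helper reviews first; the sample log embedded in it is copied from the log in post #11, and the rule names and the choice of which hosts count as Microsoft's are this example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# HijackThis prints Run entries as "O4 - HKLM\..\Run: [value name] command".
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .*? - https?://([^/\s]+)")
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: ")
O23_RE = re.compile(r"^O23 - Service: ")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com)', re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis log in post #11 of this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def is_microsoft_host(host: str) -> bool:
    """Assumption for this example: only microsoft.com and its subdomains count."""
    host = host.lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """Return one {"line", "reason"} record per finding, in log order."""
    findings: List[Dict[str, str]] = []

    def flag(line: str, reason: str) -> None:
        findings.append({"line": line, "reason": reason})

    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            _hive, key, name, cmd = m.groups()
            if "\\" not in cmd:
                # No directory at all: the name is resolved via PATH, which
                # installed software essentially never relies on.
                flag(line, "bare-command-name")
            if key.lower() == "runservices":
                # Win9x-era key; on XP it is almost only populated by malware.
                flag(line, "runservices-key")
            exe = EXE_RE.search(cmd)
            if exe:
                stem = exe.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if name[::-1].lower() == stem.lower():
                    # Value name is the executable name reversed: ask who created it.
                    flag(line, "reversed-value-name")
            continue
        m = O16_RE.match(line)
        if m:
            if not is_microsoft_host(m.group(1)):
                flag(line, "third-party-activex")
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m.group(1).split(","):
                try:
                    if not ipaddress.ip_address(ip.strip()).is_private:
                        flag(line, "public-dns-server")
                except ValueError:
                    flag(line, "unparseable-nameserver")
            continue
        if O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe: always confirm the vendor.
            flag(line, "winlogon-notify-review")
        elif O23_RE.match(line) and "(file missing)" in line:
            flag(line, "orphaned-service")
    return findings


def reasons_for(findings: List[Dict[str, str]], needle: str) -> List[str]:
    """Sorted reasons for every flagged line containing `needle`."""
    return sorted(f["reason"] for f in findings if needle in f["line"])


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['reason']:<24} {f['line']}")
```

On the sample it flags both winsock32 entries, the reversed-name gcasServ entry, the screensavers.com ActiveX control, the Winlogon Notify DLL (for vendor confirmation, not as malware) and the orphaned Norton service, while the ctfmon, SUPERAntiSpyware, WGA, NVIDIA and private-address NameServer lines pass. That matches the order in which the thread worked through them: remove the blocker first, then fix the two O4 lines.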

#13 noman (Topic Starter, Members, 8 posts)

Posted 05 January 2007 - 10:41 PM

OK,

1. Gone:

- O4 - HKLM\..\Run: [vreSsacg] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
- O4 - HKLM\..\RunServices: [winsock32] winsock32
- O4 - HKCU\..\Run: [winsock32] winsock32

2. used avenger to get rid of:

- C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
- seemed to work, see logs below
- sdfghjgewaertyutrew.exe was not visible in C:\WINDOWS\system32\

3. AVG no longer finds Worm.locksky.aq

4. Do you see anything else I should be worried about?


.... really appreciate bleeping computer .... donation to follow !!!!




-------------------------------------------------------------------------
-------------------- avenger.txt ------------------------------------------
-------------------------------------------------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lpxppbwa

*******************

Script file located at: \??\C:\eqcnbkei.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\sdfghjgewaertyutrew.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



-------------------------------------------------------------------------
-------------------- HJT log ------------------------------------------
-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:18:49 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Documents and Settings\Devon\Desktop\Save for Dad\MalWare\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103664057462
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E25646C-396A-4B58-9562-8FAD4EF634E5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by noman, 05 January 2007 - 11:21 PM.


#14 MFDnSC (Ret. Director I/T, Members, 4,310 posts)

Posted 06 January 2007 - 09:30 AM

Good job! - Now you can get Windows Defender


[image: Clean]

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
