Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log - Help Please


  • Please log in to reply
3 replies to this topic

#1 patrickmcgroin

patrickmcgroin

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 31 January 2007 - 01:52 AM

Here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 1:42:30 AM, on 1/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\PC Tools Firewall Plus\PCTFW.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {490064B5-248D-CC5E-B686-0097DB41EC14} - C:\WINDOWS\System32\fklgvj.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [PCTools FW] C:\Program Files\PC Tools Firewall Plus\PCTFW.exe /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - Startup: WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {11865A2A-649F-4FA1-8B99-B97DF8070B7C} -
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} -
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304BB60787} - C:\WINDOWS\System32\fquld.dll
O21 - SSODL: VKeVdQl - {10F8555D-BA52-FFF7-65DE-C04A52122D80} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe




Thanks for any help. :thumbsup:

BC AdBot (Login to Remove)

 


#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:34 AM

Posted 03 February 2007 - 08:44 AM

Hi and welcome

1. Download this file and save it to c:\ :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#3 patrickmcgroin

patrickmcgroin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 03 February 2007 - 09:00 PM

"Smith" - 07-02-03 20:32:58 Service Pack 1
ComboFix 07.02.04 - Running from: "C:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\vxga4m1et4.exe
C:\WINDOWS\system32\vxga5me3.exe
C:\WINDOWS\system32\vxga8me6.exe
C:\DOCUME~1\Smith\Application Data\Install.dat
C:\WINDOWS\system32\zlbw.dll
C:\Program Files\Common Files\{10F85~1
C:\Program Files\Common Files\{30F85~1
C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))


2007-02-01 22:11 <DIR> d-------- C:\wotwsacd
2007-02-01 17:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-02-01 17:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-02-01 17:54 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-02-01 17:46 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-02-01 17:46 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-02-01 15:52 <DIR> d-------- C:\100NCD1H
2007-01-31 01:29 77,312 --a------ C:\WINDOWS\system32\drivers\pctfw1.sys
2007-01-31 01:29 37,376 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
2007-01-31 01:29 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-31 01:29 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-01-30 17:58 <DIR> d-------- C:\Program Files\AOL
2007-01-30 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL
2007-01-30 17:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Ipswitch
2007-01-30 17:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-29 23:07 <DIR> d-------- C:\Program Files\HJT
2007-01-29 20:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AVG7
2007-01-29 10:05 169,984 --a------ C:\WINDOWS\system32\fquld.dll
2007-01-28 18:56 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-21 19:12 <DIR> d-------- C:\Pictures
2007-01-21 18:33 36,808,256 --a------ C:\iTunesSetup.exe
2007-01-07 13:13 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-07 13:09 243,824 --a------ C:\WINDOWS\unicows.dll
2007-01-04 19:17 <DIR> d-------- C:\WINDOWS\system32\bak
2007-01-04 19:17 <DIR> d-------- C:\WINDOWS\bak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-03 20:31 -------- d-------- C:\DOCUME~1\Smith\Application Data\foobar2000
2007-02-03 20:29 -------- d-------- C:\Program Files\peerguardian2
2007-02-03 18:14 879262 --a------ C:\combofix.exe
2007-02-03 10:05 -------- d-------- C:\Program Files\google
2007-02-01 17:40 721 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-01-31 12:08 -------- d-------- C:\Program Files\vso
2007-01-31 12:06 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-31 09:39 -------- d--h----- C:\Program Files\installshield installation information
2007-01-31 09:34 -------- d-------- C:\Program Files\macromedia
2007-01-31 09:22 -------- d-------- C:\Program Files\dvdfab decrypter 3
2007-01-30 17:15 -------- d-------- C:\Program Files\Common Files\scanner
2007-01-29 20:40 -------- d-------- C:\Program Files\spywareblaster
2007-01-25 21:02 -------- d-------- C:\Program Files\mozilla firefox
2007-01-24 12:53 -------- d-------- C:\Program Files\quicktime
2007-01-24 12:53 -------- d-------- C:\Program Files\apple software update
2007-01-21 18:36 -------- d-------- C:\Program Files\itunes
2007-01-10 22:35 -------- d-------- C:\DOCUME~1\Smith\Application Data\vso
2007-01-04 19:51 -------- d-------- C:\Program Files\registry clean expert
2006-12-29 16:00 -------- d-------- C:\Program Files\memoriesontv3
2006-12-28 20:54 -------- d-------- C:\Program Files\cucusoft
2006-12-25 03:31 -------- d-------- C:\DOCUME~1\Smith\Application Data\apple computer
2006-12-25 02:42 -------- d-------- C:\Program Files\ipod
2006-12-25 00:27 -------- d-------- C:\DOCUME~1\Smith\Application Data\flickr
2006-12-23 20:12 -------- d-------- C:\Program Files\flickr uploadr
2006-12-15 20:54 36864 --a------ C:\WINDOWS\system32\helper.dll
2006-12-12 21:14 -------- d-------- C:\Program Files\mfinstall
2006-12-10 23:34 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2006-12-10 16:08 -------- d-------- C:\Program Files\cleancache 3.0
2006-12-10 09:16 -------- d-------- C:\Program Files\grisoft
2006-12-10 08:47 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-12-10 03:51 69 --a-s---- C:\WINDOWS\test.bat
2006-12-05 10:40 -------- d-------- C:\Program Files\thq
2006-12-05 10:40 -------- d-------- C:\Program Files\java
2006-11-19 21:43 176776 --a------ C:\FixEzula.exe
2006-11-16 18:47 774144 --a------ C:\Program Files\rnginterstitial.dll
2006-11-12 23:48 81920 --a------ C:\DOCUME~1\Smith\Application Data\ezpinst.exe
2006-11-12 23:48 7176 --a------ C:\DOCUME~1\Smith\Application Data\pcouffin.cat
2006-11-12 23:48 47360 --a------ C:\DOCUME~1\Smith\Application Data\pcouffin.sys
2006-11-12 23:48 34 --a------ C:\DOCUME~1\Smith\Application Data\pcouffin.log
2006-11-12 23:48 1144 --a------ C:\DOCUME~1\Smith\Application Data\pcouffin.inf


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"RegClean Expert Scheduler"="\"C:\\Program Files\\Registry Clean Expert\\RCHelper.exe\" /startup"
"Notification Utility"=""
"windows http subsystem"=""
"PrinterSpool"=""
"sysreq"=""
"WinDisk32"=""
"my_backdoor (no x win 2000)"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""
"PCTools FW"="C:\\Program Files\\PC Tools Firewall Plus\\PCTFW.exe /s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroFilterCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NWEReboot"
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PhotoShow Deluxe Media Manager"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Ahead\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboForm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SCDEmuApp.exe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\PowerISO\\SCDEmuApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TkBellExe"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB60787}"="DCOM Server 60787"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304BB60787}"
"VKeVdQl"="{10F8555D-BA52-FFF7-65DE-C04A52122D80}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-03 20:39:57
C:\ComboFix2.txt ... 06-08-18 22:31

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:07:34 AM

Posted 04 February 2007 - 12:27 AM

Hi

Nasty.

Looks like several backdoors were installed.
Since some do have keylogging abilities I suggest you get to a clean computer and change ALL your passwords to any log-in sites.
If you do sensitive activities such as banking, credit card purchases you should contact these companies to alert them so they can watch your accounts.
Please don't use this computer for sensitive activites till we get it cleaned up.
Please don't use this computer to change passwords or attacker may get new info!


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

The next step involving Ewido/AVG if you are unable to uninstall Ewido please skip the next step.
We'll have to fix ewido before uninstalling if it has been affected.

Uninstall Ewido Antispyware 4.0 & reboot to finish.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.


Post AVG log you just saved.

Regardless wether or not you got Ewido uninstalled and AVG Antispyware installed please do the following:

Download this tool> save it and run it:

http://noahdfear.geekstogo.com/FindAWF.exe

Post the log it generates.

Let me know what problems you encountered if any and how the machine is running now.

We will have more work to do.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users