Backdoor.generic3.rfa


This topic is locked. 24 replies to this topic.

#1 Hypertoxin (Members, 15 posts)

Posted 04 February 2007 - 05:02 PM

:/

I just had my PC taken to a specialist, because I got the STOP: 0x00000050 error, and it couldn't start up in safe mode... blah blah, and I couldn't even format or repair Windows.

So...
When I had my computer back, I put my files back, and AVG came up with a trojan called BackDoor.Generic3.RFA,
and as it can't remove it, I used HijackThis and this is the log I got:

---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:52:21, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Documents and Settings\RWang.DELL\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126167082796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

----------------

Thanks guys... hope you can help me :s

EDIT:

Halfway through Panda ActiveScan, I had 18 spywares :s
Looks like I'm gonna need fast help.

Edited by Hypertoxin, 04 February 2007 - 05:07 PM.



#2 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 05 February 2007 - 02:19 PM

*bump*

Seriously... anyone?
Kinda desperate here, 'cos AVG doesn't seem to help in any way :thumbsup:

#3 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 05 February 2007 - 02:37 PM

Also, AVG recently came up with Downloader.Generic3.JTO.

I think my computer is gonna have to go and get fixed again :/

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Gender: Male, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 February 2007 - 12:32 AM

Hello Hypertoxin,

I am SifuMike and I will be helping you. :thumbsup:

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


*******************

Download ATF (Atribune Temp File) Cleaner by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.

AVG recently came up with Downloader.Generic3.JTO BackDoor.Generic3.RFA


Where is it finding this? What is the location of the file?

Edited by SifuMike, 09 February 2007 - 12:32 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 09 February 2007 - 03:05 PM

I'm not sure, but does the AVG vault stop the trojans?

Because I've already tried AVG-AS, and it only comes up with tracking cookies.

As for the files, it was found in some of the files I had before my computer broke down.

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Gender: Male, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 February 2007 - 03:12 PM

i'm not sure, but does the AVG vault stop the trojans?


What did AVG tell you? Did it say it quarantined them or deleted them? Post the AVG antivirus log.

because i've already tried AVG-AS, and it only comes up with tracking cookies.


Run it again in Safe Mode, and post the AVG Anti-Spyware log and BitDefender log as per my previous instructions.

As for the files, it was found in some of the files i had before my computer broke down


That is no help. :thumbsup:

Edited by SifuMike, 09 February 2007 - 03:13 PM.


#7 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 09 February 2007 - 04:06 PM

lol, I just finished the BitDefender thingy... nothing was wrong...

I dunno if this helps, but I deleted the original file.
I used AVG-AS as well, nothing was found... does that mean it's fixed?

I'll post the HijackThis log now...

Logfile of HijackThis v1.99.1
Scan saved at 21:05:00, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PacSteam\Steam.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Documents and Settings\RWang.DELL\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126167082796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#8 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Gender: Male, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 February 2007 - 05:41 PM

I am not seeing any malware in your HijackThis log. :thumbsup:

Go here and run the online scan, allow it to delete whatever is found:

Panda ActiveScan
Note: This Scanner is for Internet Explorer Only!
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes, so be patient)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post the contents of the Panda scan.
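The "no malware in the log" verdict above is reached by eyeballing each HijackThis line for the things a helper looks for: autostart and BHO entries whose target no longer exists (like the "(no file)" BHO and the "(file missing)" xpnetdiag buttons in the log posted earlier), start/search pages pointing somewhere other than the vendor default, Run entries launching from odd locations, and O16 ActiveX downloads from unknown hosts. The script below is an added example written for this page, not a tool from the thread or from the HijackThis project. It parses the log format and reports review candidates; the allowlists of trusted hosts and install directories, and the sample log lines that are not copied from the thread (the hijacked search page, the Temp-folder svchost, the codec CAB), are hypothetical and marked as such. A flagged entry is a prompt to look closer, not a verdict: the orphaned xpnetdiag entry in this thread is a harmless leftover of the IE7 install.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 format: entries modelled on the log in this
# thread, plus one hypothetical hijacked search page, one hypothetical Temp-folder
# autostart and one hypothetical ActiveX download to exercise each check.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example-hijack.test/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [svchost] C:\\Documents and Settings\\User\\Local Settings\\Temp\\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Free Codec) - http://cdn.example-hijack.test/codec.cab
"""

# Hypothetical allowlists (assumptions for this example): hosts a stock XP/IE7 box
# legitimately talks to, and directories a legitimately installed autostart lives under.
TRUSTED_URL_HOSTS = ("microsoft.com", "macromedia.com", "pandasoftware.com", "bitdefender.com")
TRUSTED_EXE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
MISSING_MARKERS = ("(no file)", "(file missing)")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A quoted path, or an unquoted one that ends at the first executable extension
# (unquoted paths may contain spaces, so "split on space" is not enough).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|dll))(?:\s|$)', re.I)


def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_URL_HOSTS)


def path_is_trusted(path):
    return path.lower().startswith(TRUSTED_EXE_DIRS)


def extract_exe(command_line):
    m = EXE_RE.match(command_line.strip())
    return (m.group(1) or m.group(2)) if m else command_line


def triage(log_text):
    """Return (kind, reason, line) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        # Orphaned entries: the registry/shortcut still points at something that is gone.
        if any(marker in body for marker in MISSING_MARKERS):
            findings.append((kind, "orphaned entry (target file missing)", line))
            continue
        if kind in ("R0", "R1"):
            url = body.split(" = ", 1)[-1]
            if url.startswith("http") and not host_is_trusted(url):
                findings.append((kind, "browser page points at untrusted host", line))
        elif kind == "O4":
            # Either "HKLM\..\Run: [name] <command>" or "Global Startup: x.lnk = <target>".
            cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
            if not path_is_trusted(extract_exe(cmd)):
                findings.append((kind, "autostart outside Windows/Program Files", line))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not host_is_trusted(url):
                findings.append((kind, "ActiveX download from untrusted host", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the constructed sample it reports five entries: the hijacked R1 search page, the "(no file)" BHO, the svchost.exe autostart in a Temp folder, the missing xpnetdiag button, and the codec CAB; the Microsoft start page, the Adobe BHO, the Intel tray applet, the Office shortcut and the Macromedia Flash CAB pass. Extending the allowlists is the whole tuning job, which is also why a human reads the log last.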

#9 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 09 February 2007 - 05:58 PM

Last time I did Panda ActiveScan I didn't get anything, but I had to cancel it halfway through. I've got to go to sleep now, I'll post it tomorrow :w

#10 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Gender: Male, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 February 2007 - 06:25 PM

Good.

Run ComboFix also.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect ComboFix as Worm.Qiv.100.

Edited by SifuMike, 09 February 2007 - 06:26 PM.


#11 Hypertoxin (Topic Starter, Members, 15 posts)

Posted 10 February 2007 - 11:51 AM

"RWang" - 07-02-10 16:47:30 Service Pack 2
ComboFix 07-02-10 - Running from: "C:\Documents and Settings\RWang.DELL\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-09 20:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-02-09 16:50 <DIR> d-------- C:\DOCUME~1\SHARE~1.DEL\Contacts
2007-02-07 20:29 <DIR> d-------- C:\DOCUME~1\SHARE~1.DEL\Application Data\AVG7
2007-02-07 20:29 <DIR> d-------- C:\DOCUME~1\SHARE~1.DEL\Application Data\Adobe
2007-02-07 20:28 786,432 --ah----- C:\DOCUME~1\SHARE~1.DEL\NTUSER.DAT
2007-02-06 22:00 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2007-02-06 22:00 <DIR> d-------- C:\PacSteam
2007-02-06 21:46 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-02-06 21:09 <DIR> d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\Apple Computer
2007-02-06 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Apple Computer
2007-02-06 20:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-01 00:23 <DIR> d-------- C:\Program Files\GnuWin32
2007-02-01 00:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-02-01 00:01 839,936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-01 00:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-02-01 00:01 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-01 00:01 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-01 00:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-02-01 00:01 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-01 00:01 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-01 00:01 18,432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-01 00:01 <DIR> d-------- C:\Program Files\Grisoft
2007-02-01 00:01 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-01 00:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-01 00:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-02-01 00:00 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-01-31 23:54 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-01-31 23:54 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-01-31 23:54 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-01-31 23:54 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-01-31 23:53 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-01-31 23:53 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-01-31 23:53 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-01-31 23:53 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-01-31 23:53 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-01-31 23:53 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-01-31 23:53 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-01-31 23:52 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-01-31 23:52 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-01-31 23:52 112,128 --a------ C:\WINDOWS\system32\staco.dll
2007-01-31 23:51 172,032 --a------ C:\WINDOWS\system32\stacapi.dll
2007-01-31 23:51 1,047,816 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2007-01-31 23:51 <DIR> d-------- C:\Program Files\SigmaTel
2007-01-31 21:41 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-01-31 21:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-31 21:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-31 21:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-31 09:31 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-31 09:31 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-31 09:30 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-31 09:30 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-31 09:30 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-31 09:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-31 09:26 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-01-31 00:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-01-31 00:14 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-31 00:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-01-31 00:14 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-19 12:53 51,056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 16:44 -------- d---s---- C:\DOCUME~1\RWANG~1.DEL\Application Data\microsoft
2007-02-10 16:43 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\avg7
2007-01-31 23:51 -------- d--h----- C:\Program Files\installshield installation information
2007-01-31 09:32 -------- d-------- C:\Program Files\messenger
2007-01-06 17:31 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\utorrent
2007-01-06 17:16 19575 --a------ C:\WINDOWS\hpoins01.dat
2007-01-06 17:15 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2007-01-06 17:14 -------- d-------- C:\Program Files\hewlett-packard
2007-01-05 21:27 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2007-01-05 20:49 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\adobe
2007-01-05 19:26 -------- d-------- C:\Program Files\msn messenger
2007-01-04 21:58 -------- d-------- C:\Program Files\utorrent
2007-01-04 21:32 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\help
2007-01-04 21:24 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\macromedia
2007-01-04 21:18 25360 --a------ C:\DOCUME~1\RWANG~1.DEL\Application Data\gdipfontcachev1.dat
2007-01-04 21:16 -------- d-------- C:\Program Files\microsoft activesync
2007-01-04 21:15 -------- d-------- C:\Program Files\Common Files\l&h
2007-01-04 19:50 -------- d-------- C:\Program Files\skype
2007-01-04 19:50 -------- d-------- C:\Program Files\Common Files\skype
2007-01-04 18:53 -------- d-------- C:\Program Files\Common Files\pestpatrol
2007-01-04 18:53 -------- d-------- C:\Program Files\Common Files\command software
2007-01-04 17:12 -------- d-------- C:\Program Files\broadjump
2007-01-04 17:10 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\ntl
2007-01-04 17:08 -------- d-------- C:\Program Files\ntl
2007-01-04 17:07 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-04 17:05 -------- d-------- C:\DOCUME~1\RWANG~1.DEL\Application Data\identities
2007-01-04 16:55 12288463 --------- C:\AVG7QT.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-10 16:49:36




looks like i got nothin? :thumbsup:

#12 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 February 2007 - 12:19 PM

The ComboFix log and your HijackThis log are clean. :thumbsup: How is your computer working?

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
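The same reset, done from an elevated PowerShell instead of the System Properties dialog, as an added example that is not part of SifuMike's post. It assumes Windows Vista/7 or later (these cmdlets do not exist on the XP system in this thread) and that the system drive is C:\.

```powershell
# Added example: script equivalent of the "turn System Restore off, then back on,
# then take a fresh point" procedure. Assumptions: Windows Vista/7 or later,
# system drive C:\, and an elevated (Administrator) session.
$drive = 'C:\'

# Refuse to run unprivileged: the cmdlets below fail silently or with an
# unhelpful error when the session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Step 1: turning System Restore off discards every existing restore point.
# That is the goal here, since those points may hold copies of the infected files.
Disable-ComputerRestore -Drive $drive

# Step 2: the thread reboots at this point. The cmdlets do not require it,
# but rebooting does no harm if you want to mirror the GUI procedure exactly.

# Step 3: turn it back on and immediately take a known-clean baseline point.
# Note: from Windows 8 on, Checkpoint-Computer creates at most one point per
# 24 hours unless the SystemRestorePointCreationFrequency registry value is changed.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'

# Verify: only the new baseline should be listed now.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```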

#13 Hypertoxin
  • Topic Starter

  • Members
  • 15 posts

Posted 10 February 2007 - 12:23 PM

hmm, panda activescan found 5 spyware files, surely these are tracking cookies? it hasn't finished so i can't check, but i doubt 5 different spyware files could've gotten past all those checkups we did :/

#14 Hypertoxin
  • Topic Starter

  • Members
  • 15 posts

Posted 10 February 2007 - 12:25 PM

Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\RWang.DELL\Cookies\rwang@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\RWang.DELL\Cookies\rwang@atwola[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\RWang.DELL\Cookies\rwang@media.adrevolver[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\RWang.DELL\Cookies\rwang@toplist[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\RWang.DELL\Cookies\rwang@xiti[1].txt

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 February 2007 - 12:25 PM

Post the Pandascan log and we'll see what it found.