Agent.100


13 replies to this topic

#1 tj25

tj25

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 01 March 2007 - 02:06 PM

Hi all, I hope I have done this right; if not, please excuse me. Okay, I have a problem with Agent.100. I keep finding it and deleting it, but it comes right back. Please help, as it's doing my nut in now and it is taking over my internet. Here is my log (I hope):



Logfile of HijackThis v1.99.1
Scan saved at 18:58:57, on 01/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110128516567
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169336979516
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

many thanks

tom


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 01 March 2007 - 03:50 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button.
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Make sure all windows and browsers are closed before proceeding to run HijackThis.
Access its Process Manager option as follows:
-Click on Config
-Click on Misc Tools
-Click on Open Process Manager
(This window lists all open processes running on the machine)
-Click once on the process below to select it:

C:\WINDOWS\svchost.exe <- Make sure it is this one!!

-Click: Kill Process to end the process
-Click on the Back button twice to exit Process Manager, and exit HijackThis.

~~~~
Now reboot to Safe Mode :
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies
(You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~~
In Safe Mode, launch AVG AS
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the AVG AS report in your reply.

Old duck...


#3 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 01 March 2007 - 04:45 PM

Hi, I have got up to the c:windows\svchost.exe step, but I can only find c:windows\system38\svchost.exe. Is this the same thing? Anyway, I tried to kill the process, but it says the process could not be killed; it may have already closed or is protected by Windows. What do I do now? Just ignore it and carry on with the rest? Sorry for being so stupid :(

Sorry, that should be system32.

#4 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 02 March 2007 - 08:26 AM

Hi again, sorry to be a pain, but it is getting worse. My internet is being taken over with popups!! Please help :thumbsup:

#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 02 March 2007 - 08:53 AM

Boot to Safe Mode and follow on with the rest of the instructions.

Old duck...


#6 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 02 March 2007 - 11:30 AM

Hi again. I have done all you asked; my computer is now so slow it's almost on the way to the wheelie bin!! It took 10 mins to boot up, and opening any folder takes 4 to 5 mins??? I also ran TrojanHunter and it still finds this: "registry key exists: hkey_local_machines\software\microsoft\mssmgr(matches agent.100)". Even writing this is a problem; the cursor stops and starts on its own and freezes?
Okay, here is the report.

regards
tom
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 15:43:52 02/03/2007

+ Scan result:



C:\WINDOWS\system32\yixcczl.dll -> Downloader.Busky.be : Cleaned.
C:\Documents and Settings\Home\Cookies\home@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Home\Cookies\home@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Home\Cookies\home@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Home\Cookies\home@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Home\Cookies\home@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Home\Cookies\home@e-2dj6wbkiwgcpcep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Home\Cookies\home@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Home\Cookies\home@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Home\Cookies\home@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Home\Cookies\home@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Home\Cookies\home@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Home\Cookies\home@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Home\Cookies\home@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Home\Cookies\home@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

#7 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 02 March 2007 - 04:20 PM

The Trojan not only creates:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

But it also creates the following Registry key so it is loaded every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win[three random characters]32

The second entry we need to find!

~~~~
Please download SilentRunners to the Desktop:
http://www.silentrunners.org/
Go to the top of the page, and select: Download
In the next page, download the zip file
Unzip it to the folder created
Start: SilentRunners.vbs

If you get a security alert, allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.
Provide the content of the SilentRunners log in your reply.

Old duck...


#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 02 March 2007 - 07:16 PM

tj25,

If you keep having problems and cannot download SilentRunners, please go to the folder where you saved HijackThis.exe:
C:\Program Files\HijackThis\HijackThis.exe

Right-click on HijackThis.exe, then select Rename
Change the name to: PCAnalysis (or whatever you wish)

Then, double-click PCAnalysis (or whatever you renamed it) to run the program
(There is some malware that may hide, and only shows when HijackThis is renamed.)

Then run HijackThis again, Scan, and post the log.

Old duck...


#9 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 02 March 2007 - 07:37 PM

Hi again, sorry it took so long to reply; the PC is going nuts, taking an age to do anything. Here is the log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "C:\WINDOWS\svchost.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06E6DE2C-E9FD-41C6-80F4-708BD97025A7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnkj.dll" [file not found]
{616FB267-5C60-482C-A8FC-D19468D981DF}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvurrp.dll" [null data]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{C3AAD22B-2A08-42B0-B47B-B37A44A9B810}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\efcyy.dll" [null data]
{D38439EC-4A7F-42b4-90C2-D810D7778FDD}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\uadsxomp.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll" ["CA, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures"
-> {HKLM...CLSID} = "My Labtec Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Labtec Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{616FB267-5C60-482C-A8FC-D19468D981DF}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvurrp.dll" [null data]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> efcyy\DLLName = "C:\WINDOWS\system32\efcyy.dll" [null data]
<<!>> tuvurrp\DLLName = "tuvurrp.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll" ["CA, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\avshlext.dll" ["CA, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Home\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 21
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 133 seconds, including 24 seconds for message boxes)




thanks
tom

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 02 March 2007 - 08:33 PM

Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the prompts

This program may generate a "BLUE SCREEN OF DEATH". Do not be concerned.
Just reboot if your system "jams".

The VirtumundoBeGone log VBG.txt is found on the Desktop.

====
Please provide the VirtumundoBeGone log VBG.txt, and a new SilentRunners log.

Old duck...


#11 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 03 March 2007 - 06:57 AM

Hi again, here are the two logs as requested.

regards
tom



[03/03/2007, 11:46:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Home\My Documents\downloads\VirtumundoBeGone.exe" )
[03/03/2007, 11:46:47] - Detected System Information:
[03/03/2007, 11:46:47] - Windows Version: 5.1.2600, Service Pack 2
[03/03/2007, 11:46:47] - Current Username: Home (Admin)
[03/03/2007, 11:46:47] - Windows is in NORMAL mode.
[03/03/2007, 11:46:48] - Searching for Browser Helper Objects:
[03/03/2007, 11:46:48] - BHO 1: {06E6DE2C-E9FD-41C6-80F4-708BD97025A7} ()
[03/03/2007, 11:46:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:48] - Checking for HKLM\...\Winlogon\Notify\nnnkj
[03/03/2007, 11:46:48] - Key not found: HKLM\...\Winlogon\Notify\nnnkj, continuing.
[03/03/2007, 11:46:48] - BHO 2: {616FB267-5C60-482C-A8FC-D19468D981DF} ()
[03/03/2007, 11:46:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:49] - Checking for HKLM\...\Winlogon\Notify\tuvurrp
[03/03/2007, 11:46:49] - Found: HKLM\...\Winlogon\Notify\tuvurrp - This is probably Virtumundo.
[03/03/2007, 11:46:49] - Assigning {616FB267-5C60-482C-A8FC-D19468D981DF} MSEvents Object
[03/03/2007, 11:46:49] - BHO list has been changed! Starting over...
[03/03/2007, 11:46:49] - BHO 1: {06E6DE2C-E9FD-41C6-80F4-708BD97025A7} ()
[03/03/2007, 11:46:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:49] - Checking for HKLM\...\Winlogon\Notify\nnnkj
[03/03/2007, 11:46:49] - Key not found: HKLM\...\Winlogon\Notify\nnnkj, continuing.
[03/03/2007, 11:46:50] - BHO 2: {616FB267-5C60-482C-A8FC-D19468D981DF} (MSEvents Object)
[03/03/2007, 11:46:50] - ALERT: Found MSEvents Object!
[03/03/2007, 11:46:50] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/03/2007, 11:46:50] - BHO 4: {BA92CF81-C4B2-42B1-B446-C73A90901193} ()
[03/03/2007, 11:46:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:50] - Checking for HKLM\...\Winlogon\Notify\efcyy
[03/03/2007, 11:46:50] - Found: HKLM\...\Winlogon\Notify\efcyy - This is probably Virtumundo.
[03/03/2007, 11:46:50] - Assigning {BA92CF81-C4B2-42B1-B446-C73A90901193} MSEvents Object
[03/03/2007, 11:46:50] - BHO list has been changed! Starting over...
[03/03/2007, 11:46:50] - BHO 1: {06E6DE2C-E9FD-41C6-80F4-708BD97025A7} ()
[03/03/2007, 11:46:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:51] - Checking for HKLM\...\Winlogon\Notify\nnnkj
[03/03/2007, 11:46:51] - Key not found: HKLM\...\Winlogon\Notify\nnnkj, continuing.
[03/03/2007, 11:46:51] - BHO 2: {616FB267-5C60-482C-A8FC-D19468D981DF} (MSEvents Object)
[03/03/2007, 11:46:51] - ALERT: Found MSEvents Object!
[03/03/2007, 11:46:51] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/03/2007, 11:46:51] - BHO 4: {BA92CF81-C4B2-42B1-B446-C73A90901193} (MSEvents Object)
[03/03/2007, 11:46:51] - ALERT: Found MSEvents Object!
[03/03/2007, 11:46:51] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[03/03/2007, 11:46:52] - BHO 6: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/03/2007, 11:46:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:52] - Checking for HKLM\...\Winlogon\Notify\uadsxomp
[03/03/2007, 11:46:52] - Key not found: HKLM\...\Winlogon\Notify\uadsxomp, continuing.
[03/03/2007, 11:46:52] - Finished Searching Browser Helper Objects
[03/03/2007, 11:46:52] - *** Detected MSEvents Object
[03/03/2007, 11:46:52] - Trying to remove MSEvents Object...
[03/03/2007, 11:46:53] - Terminating Process: IEXPLORE.EXE
[03/03/2007, 11:46:54] - Terminating Process: RUNDLL32.EXE
[03/03/2007, 11:46:54] - Disabling Automatic Shell Restart
[03/03/2007, 11:46:55] - Terminating Process: EXPLORER.EXE
[03/03/2007, 11:46:56] - Suspending the NT Session Manager System Service
[03/03/2007, 11:46:56] - Terminating Windows NT Logon/Logoff Manager
[03/03/2007, 11:46:56] - Re-enabling Automatic Shell Restart
[03/03/2007, 11:46:57] - File to disable: C:\WINDOWS\system32\tuvurrp.dll
[03/03/2007, 11:46:57] - Renaming C:\WINDOWS\system32\tuvurrp.dll -> C:\WINDOWS\system32\tuvurrp.dll.vir
[03/03/2007, 11:46:57] - File successfully renamed!
[03/03/2007, 11:46:57] - Removing HKLM\...\Browser Helper Objects\{616FB267-5C60-482C-A8FC-D19468D981DF}
[03/03/2007, 11:46:57] - Removing HKCR\CLSID\{616FB267-5C60-482C-A8FC-D19468D981DF}
[03/03/2007, 11:46:57] - Adding Kill Bit for ActiveX for GUID: {616FB267-5C60-482C-A8FC-D19468D981DF}
[03/03/2007, 11:46:57] - Deleting ATLEvents/MSEvents Registry entries
[03/03/2007, 11:46:57] - Removing HKLM\...\Winlogon\Notify\tuvurrp
[03/03/2007, 11:46:57] - Searching for Browser Helper Objects:
[03/03/2007, 11:46:58] - BHO 1: {06E6DE2C-E9FD-41C6-80F4-708BD97025A7} ()
[03/03/2007, 11:46:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:58] - Checking for HKLM\...\Winlogon\Notify\nnnkj
[03/03/2007, 11:46:58] - Key not found: HKLM\...\Winlogon\Notify\nnnkj, continuing.
[03/03/2007, 11:46:58] - BHO 2: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/03/2007, 11:46:58] - BHO 3: {BA92CF81-C4B2-42B1-B446-C73A90901193} (MSEvents Object)
[03/03/2007, 11:46:58] - ALERT: Found MSEvents Object!
[03/03/2007, 11:46:58] - BHO 4: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[03/03/2007, 11:46:58] - BHO 5: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/03/2007, 11:46:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:46:58] - Checking for HKLM\...\Winlogon\Notify\uadsxomp
[03/03/2007, 11:46:59] - Key not found: HKLM\...\Winlogon\Notify\uadsxomp, continuing.
[03/03/2007, 11:46:59] - Finished Searching Browser Helper Objects
[03/03/2007, 11:46:59] - *** Detected MSEvents Object
[03/03/2007, 11:46:59] - Trying to remove MSEvents Object...
[03/03/2007, 11:47:00] - Terminating Process: IEXPLORE.EXE
[03/03/2007, 11:47:00] - Terminating Process: RUNDLL32.EXE
[03/03/2007, 11:47:00] - Disabling Automatic Shell Restart
[03/03/2007, 11:47:00] - Terminating Process: EXPLORER.EXE
[03/03/2007, 11:47:01] - Suspending the NT Session Manager System Service
[03/03/2007, 11:47:01] - Terminating Windows NT Logon/Logoff Manager
[03/03/2007, 11:47:01] - Re-enabling Automatic Shell Restart
[03/03/2007, 11:47:01] - File to disable: C:\WINDOWS\system32\efcyy.dll
[03/03/2007, 11:47:01] - Renaming C:\WINDOWS\system32\efcyy.dll -> C:\WINDOWS\system32\efcyy.dll.vir
[03/03/2007, 11:47:01] - File successfully renamed!
[03/03/2007, 11:47:02] - Removing HKLM\...\Browser Helper Objects\{BA92CF81-C4B2-42B1-B446-C73A90901193}
[03/03/2007, 11:47:02] - Removing HKCR\CLSID\{BA92CF81-C4B2-42B1-B446-C73A90901193}
[03/03/2007, 11:47:02] - Adding Kill Bit for ActiveX for GUID: {BA92CF81-C4B2-42B1-B446-C73A90901193}
[03/03/2007, 11:47:02] - Deleting ATLEvents/MSEvents Registry entries
[03/03/2007, 11:47:02] - Removing HKLM\...\Winlogon\Notify\efcyy
[03/03/2007, 11:47:02] - Searching for Browser Helper Objects:
[03/03/2007, 11:47:02] - BHO 1: {06E6DE2C-E9FD-41C6-80F4-708BD97025A7} ()
[03/03/2007, 11:47:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:47:02] - Checking for HKLM\...\Winlogon\Notify\nnnkj
[03/03/2007, 11:47:02] - Key not found: HKLM\...\Winlogon\Notify\nnnkj, continuing.
[03/03/2007, 11:47:03] - BHO 2: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/03/2007, 11:47:03] - BHO 3: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[03/03/2007, 11:47:03] - BHO 4: {D38439EC-4A7F-42b4-90C2-D810D7778FDD} ()
[03/03/2007, 11:47:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/03/2007, 11:47:03] - Checking for HKLM\...\Winlogon\Notify\uadsxomp
[03/03/2007, 11:47:03] - Key not found: HKLM\...\Winlogon\Notify\uadsxomp, continuing.
[03/03/2007, 11:47:03] - Finished Searching Browser Helper Objects
[03/03/2007, 11:47:03] - Finishing up...
[03/03/2007, 11:47:03] - A restart is needed.
[03/03/2007, 11:47:15] - Attempting to Restart via STOP error (Blue Screen!)
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "C:\Program Files\Common Files\svchost.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06E6DE2C-E9FD-41C6-80F4-708BD97025A7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnkj.dll" [file not found]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
{D38439EC-4A7F-42b4-90C2-D810D7778FDD}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\uadsxomp.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 03 March 2007 - 11:48 AM

Please launch Notepad (Start > Run, type in: notepad).
Copy/paste all the blue REGEDIT text below into it.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06E6DE2C-E9FD-41C6-80F4-708BD97025A7}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D38439EC-4A7F-42b4-90C2-D810D7778FDD}]


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
The last SilentRunners log got cut off. Only part of it was posted.

Please post the entire SilentRunners log, and a new HijackThis log.

Edited by Aaflac, 03 March 2007 - 12:02 PM.

Old duck...
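To show what the helper checked by hand in the Silent Runners output above, here is an added Python example (not the helper's or either tool's own code) that parses the Browser Helper Objects section, flags entries with no CLSID title whose DLL is marked missing or unverifiable, and renders the same REGEDIT4 removal form used in this post. The sample block is constructed from the log lines in this thread.

```python
import re

# Constructed sample: a few lines modelled on the Silent Runners BHO section posted in this thread
SAMPLE = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06E6DE2C-E9FD-41C6-80F4-708BD97025A7}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnkj.dll" [file not found]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{D38439EC-4A7F-42b4-90C2-D810D7778FDD}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\uadsxomp.dll" [null data]

"""

BHO_ROOT = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})\\\(Default\)")
NAME_RE = re.compile(r"^-> \{HKLM\.\.\.CLSID\} = (.*)$")
SERVER_RE = re.compile(r'^\\InProcServer32\\\(Default\) = "([^"]*)" \[([^\]]*)\]')

def parse_bho_block(text):
    """Return one dict (clsid, name, dll, status) per BHO listed under the HKLM BHO key."""
    entries, cur, in_block = [], None, False
    for line in text.splitlines():
        if line.rstrip("\\") == BHO_ROOT:  # section header (log prints it with a trailing backslash)
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():  # a blank line closes the section in Silent Runners output
            break
        m = CLSID_RE.match(line)
        if m:
            cur = {"clsid": m.group(1), "name": None, "dll": None, "status": None}
            entries.append(cur)
        elif cur and (m := NAME_RE.match(line)):
            cur["name"] = None if m.group(1) == "(no title provided)" else m.group(1).strip('"')
        elif cur and (m := SERVER_RE.match(line)):
            cur["dll"], cur["status"] = m.group(1), m.group(2)
    return entries

def suspicious_bhos(entries):
    """Flag the pattern acted on above: no CLSID title and a DLL marked [file not found] or [null data]."""
    return [e for e in entries if e["name"] is None and e["status"] in ("file not found", "null data")]

def regedit_removal(clsids):
    """Render a REGEDIT4 file deleting each BHO registration key, the form used in this post."""
    body = "".join(f"[-HKEY_LOCAL_MACHINE\\{BHO_ROOT[5:]}\\{c}]\n\n" for c in clsids)
    return "REGEDIT4\n\n" + body
```

Run against a full Silent Runners log, only the Browser Helper Objects section is parsed, so the quoted CLSIDs under Shell Extensions are not mistaken for BHOs.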


#13 tj25

tj25
  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:25 AM

Posted 03 March 2007 - 12:05 PM

Hi again, sorry about that. Here is a new post for the two logs.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "C:\Program Files\Common Files\svchost.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]


Logfile of HijackThis v1.99.1
Scan saved at 16:46:14, on 03/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110128516567
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169336979516
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:09:25 PM

Posted 03 March 2007 - 12:10 PM

Please look at post #12 and perform the instructions there.

I have to go out for a while, but will be back this evening.

Old duck...

