
Command Services


7 replies to this topic

#1 cowie
Posted 12 May 2007 - 07:01 PM

sadly, now my desktop is infected.
SpybotSD found some command services which it cannot remove even on startup.
and my Yahoo Messenger keeps messaging people on my list some infected links. Here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:27 PM, on 5/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\taskmng.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotvn.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.myownemail.com/moe4/login/default.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.hotvn.us hot hot hot
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\taskmng.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.226.22/glassroom/GlassRoomVoice.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://musicoffaith.aavalue.com/mof/toolbar/mof-toolbar.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ticklehehe.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A854AD6D-6DB5-41FB-8044-0BD38092A007} (Ganymede Sudoku) - http://67.15.101.3/g_bin/eng/sudoku_2_0_0_6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D0E2D4C6-F65D-4967-A22C-BB0C6245A631} (HanafosDN Control) - http://bin.hanafos.com/HanafosDN/HanafosDN.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/eng/mahjong_2_0_0_20.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#2 sjpritch25
Posted 12 May 2007 - 07:24 PM

Welcome to BC :thumbsup:

Download cmdservice.zip and save to your Desktop.
  • Extract delcmdservice folder to your Desktop. (Click here for information on how to do this if not sure).
  • Open the delcmdservice folder and double-click on delreg.bat to launch the tool. A DOS window will open and rapidly close--this is normal.
  • When the tool has finished, please reboot your computer.
=====================================

Download DelDomains by right-clicking on DelDomains and selecting (for IE) Save Target As.
Save DelDomains.inf to your Desktop.
Right-Click on DelDomains.inf and click on Install.

Note: This .inf file will remove ALL entries in the Trusted Zone and Restricted Zone. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.


======================================

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Microsoft MVP Consumer Security--2007-2010
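The helper's choices above (wiping the wildcard Trusted Zone entries, going after the "Task Manager" Run entry that points at C:\WINDOWS\taskmng.exe) follow a small set of triage rules that can be run mechanically over a HijackThis log. The following is an added example, not code from this thread or from HijackThis; the rules are heuristics modelled on what was flagged here and the sample lines are copied from the log in post #1.

```python
# Triage a HijackThis 1.99 log: flag the entries a helper looks at first.
# Heuristics only (not HijackThis's own logic); each finding is a prompt
# for a human to look, not a verdict.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HJT log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.hotvn.us hot hot hot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\taskmng.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O4"
    reason: str  # why a human should look at it
    line: str    # the log line as written

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")

def _exe_of(cmd: str) -> str:
    """Executable part of a Run command: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def check_r1(body: str, line: str) -> Optional[Finding]:
    key, _, value = body.partition(" = ")  # IE has no window title by default
    if key.endswith("Window Title") and value.strip():
        return Finding("R1", f"IE window title set to {value.strip()!r}", line)
    return None

def check_o4(body: str, line: str) -> Optional[Finding]:
    m = O4_RE.match(body)
    if not m:
        return None
    exe = _exe_of(m.group("cmd"))
    if "\\" not in exe:  # resolved through the search path, not a fixed location
        return Finding("O4", f"[{m.group('name')}] runs bare filename {exe!r}", line)
    if exe.rsplit("\\", 1)[0].lower() in WINDOWS_ROOTS:  # real components live in System32
        return Finding("O4", f"[{m.group('name')}] runs {exe!r} from the Windows root", line)
    return None

def check_o15(body: str, line: str) -> Optional[Finding]:
    site = body.partition(": ")[2].replace(" (HKLM)", "").strip()
    return Finding("O15", f"Trusted Zone entry {site!r}; IE ships with none", line)

def check_o16(body: str, line: str) -> Optional[Finding]:
    url = body.rsplit(" - ", 1)[-1].strip()
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return Finding("O16", f"ActiveX cab fetched from bare IP host {host}", line)

def check_o23(body: str, line: str) -> Optional[Finding]:
    parts = body.split(" - ")  # "Service: name - owner - path"
    if len(parts) >= 3 and parts[1] == "Unknown owner":
        return Finding("O23", f"service {parts[0][9:]!r} has no publisher string", line)
    return None

CHECKS: Dict[str, Callable[[str, str], Optional[Finding]]] = {
    "R0": check_r1, "R1": check_r1, "O4": check_o4,
    "O15": check_o15, "O16": check_o16, "O23": check_o23,
}

def triage(log_text: str) -> List[Finding]:
    """Run the per-section checks over every HJT line and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("code"))
        if check:
            finding = check(m.group("body"), line)
            if finding:
                findings.append(finding)
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample returns seven findings: the window title, both Trusted Zone entries, the two unusual Run entries, the IP-hosted cab and the service without a publisher, while the AVG and ctfmon entries pass.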

#3 cowie
Posted 12 May 2007 - 09:44 PM

ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Thai\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\DOWNLO~1\cnsio.dll_tobedeleted
C:\DOCUME~1\THAI\APPLIC~1\Sskdmns.dll
C:\Program Files\install.log
C:\Program Files\tclock\tclock_install.exe
C:\WINDOWS\cnsinfo.dat
C:\WINDOWS\system32\drivers\sfsync02.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NM
-------\LEGACY_SFSYNC02
-------\nm
-------\sfsync02


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-12 22:37 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-05-12 17:25 <DIR> d-------- C:\VundoFix Backups
2007-04-27 00:38 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-04-27 00:38 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2007-04-27 00:38 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2007-04-27 00:38 26,096 --a------ C:\WINDOWS\system32\xmlinst.exe
2007-04-27 00:38 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-27 00:38 <DIR> d-------- C:\Program Files\Ubisoft
2007-04-25 22:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Age of Empires 3
2007-04-14 12:28 2,297,552 --a------ C:\WINDOWS\system\d3dx9_26.dll
2007-04-14 12:28 <DIR> d-------- C:\DOCUME~1\Thai\APPLIC~1\My Games
2007-04-14 12:16 <DIR> d-------- C:\Program Files\Firaxis Games
2007-04-13 18:01 2,337,488 --a------ C:\WINDOWS\system\d3dx9_25.dll
2007-04-13 17:50 <DIR> d-------- C:\Program Files\Microsoft Games


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 07:12:30 7,611 ----a-w C:\WINDOWS\mozver.dat
2007-04-11 23:30:20 -------- d-----w C:\DOCUME~1\Thai\APPLIC~1\CrystalSpace
2007-04-11 23:30:20 -------- d-----w C:\DOCUME~1\Thai\APPLIC~1\CrystalApp
2007-04-11 23:29:28 -------- d-----w C:\Program Files\PlaneShift Crystal Blue
2007-04-10 20:53:26 -------- d-----w C:\Program Files\Sega
2007-04-06 23:21:28 -------- d-----w C:\DOCUME~1\Thai\APPLIC~1\Viewpoint
2007-04-02 04:25:34 82 ----a-w C:\WINDOWS\popcinfo.dat
2007-04-01 23:02:40 -------- d-----w C:\DOCUME~1\Thai\APPLIC~1\SopCast
2007-04-01 23:02:38 -------- d-----w C:\Program Files\SopCast
2007-03-10 07:21:08 53,435 ----a-w C:\WINDOWS\War3Unin.dat
2007-03-10 07:08:38 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2007-03-10 07:08:38 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-03-05 02:38:34 -------- d-----w C:\Program Files\Mp3 My Mp3 2.0


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"="C:\Program Files\Yahoo!\Common\yiesrvc.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Task Manager"="C:\\WINDOWS\\taskmng.exe"
"kmw_run.exe"="kmw_run.exe"
"MSWheel"=""
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Steam"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=dword:00000000
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=hex:01,00,00,00
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^netassistant.lnk
C:\PROGRA~1\NETASS~1\bin\matcli.exe -boot

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^thai^start menu^programs^startup^shortcut to mirc.lnk

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^thai^start menu^programs^startup^webshots.lnk

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim
C:\Program Files\AIM\aim.exe -cnetwait.odl

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aticcc
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atipta
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blockads

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccregvfy

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\windows\System32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools-1033
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\internet optimizer

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck
%systemroot%\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\logitech utility
Logi_MwX.Exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcafee quickclean imonitor

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagentexe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcregwiz

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcupdateexe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\motive smartbridge
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerocheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ni.uwfx5

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\openwares liveupdate
C:\Program Files\LiveUpdate\LiveUpdate.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop-up-blocker

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qd fastandsafe
C:\WINDOWS\system32\NeroCheck.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\registrymechanic


HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\steam


HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\surfaccuracy

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tclock.exe
C:\Program Files\TClock\tclock_install.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemgr
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxk451ee
RUNDLL32.EXE w185dea4.dll,n 002451ec0000000a185dea4

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\viewmgr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\virusscan online

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vsochecktask

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wgzym6f48

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wt gamechannel

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yahoo! pager
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_antispyware


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1084064091.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 22:40:37
Windows 5.1.2600 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 22:41:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-12 22:41

#4 sjpritch25
Posted 12 May 2007 - 10:10 PM

  • Download the file UnHookExec.inf and save it to your Windows desktop.

    Note: The tool has a .inf file extension.
  • Locate the downloaded file on the Windows desktop.
  • Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)
=====================================

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\taskmng.exe
C:\WINDOWS\system32\w185dea4.dll

Folders to delete:
C:\Program Files\TClock

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tclock.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxk451ee

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | Task Manager


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

========================================

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
=======================================

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


#5 cowie
Posted 13 May 2007 - 04:30 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/13/2007 at 05:17 PM

Application Version : 3.7.1018

Core Rules Database Version : 3237
Trace Rules Database Version: 1248

Scan type : Complete Scan
Total Scan Time : 01:40:08

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 6163
Registry threats detected : 16
File items scanned : 95105
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Thai\Cookies\thai@apmebf[1].txt
C:\Documents and Settings\Thai\Cookies\thai@ads.adbrite[2].txt

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.MediaMotor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\System32\safe.tlb [  ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/amm06.ocx#{5526B4C6-63D6-41A1-9783-0FABF529859A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/safe.tlb#{5526B4C6-63D6-41A1-9783-0FABF529859A}
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\System32\safe.tlb

Adware.Elite Media
C:\WINDOWS\em06y.ini

Adware.180solutions
C:\WINDOWS\DELMSBB.EXE

Adware.Unknown Origin
C:\PROGRAM FILES\COMMON FILES\WOZF\WOZFD\CLASS-BARREL

-------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wieavijk

*******************

Script file located at: \??\C:\Program Files\pdqlrjut.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\taskmng.exe deleted successfully.


File C:\WINDOWS\system32\w185dea4.dll not found!
Deletion of file C:\WINDOWS\system32\w185dea4.dll failed!

Could not process line:
C:\WINDOWS\system32\w185dea4.dll
Status: 0xc0000034

Folder C:\Program Files\TClock deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tclock.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uxk451ee deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|Task Manager deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

--------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:32:56 PM, on 5/13/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotvn.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.myownemail.com/moe4/login/default.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.hotvn.us hot hot hot
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.226.22/glassroom/GlassRoomVoice.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://musicoffaith.aavalue.com/mof/toolbar/mof-toolbar.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ticklehehe.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A854AD6D-6DB5-41FB-8044-0BD38092A007} (Ganymede Sudoku) - http://67.15.101.3/g_bin/eng/sudoku_2_0_0_6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D0E2D4C6-F65D-4967-A22C-BB0C6245A631} (HanafosDN Control) - http://bin.hanafos.com/HanafosDN/HanafosDN.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/eng/mahjong_2_0_0_20.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

-----------------------
*edit* Panda scan:


Incident Status Location

Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\BIINI.INF
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\SATMAT.INF
Adware:adware/ipinsight Not disinfected C:\WINDOWS\LastGood\INF\FARMMEXT.INF
Adware:adware/transponder Not disinfected C:\WINDOWS\LastGood\INF\Pynix.inf
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Thai\My Documents\My Received Files\EZ-Emoticons.exe[SHNT288.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Thai\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.adultfriendfinder.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.perf.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.fastclick.net/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[stats1.reliablestats.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.errorsafe.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.247realmedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.ads.pointroll.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.bfast.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.adtech.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.as-eu.falkag.net/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.yadro.ru/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[stat.onestat.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.bravenet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.maxserving.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.tickle.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.toplist.cz/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[hc2.humanclick.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[hc2.humanclick.com/hc/46106420]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[searchportal.information.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Thai\Application Data\Mozilla\Firefox\Profiles\jhfg6t0w.default\COOKIES.TXT[www.burstbeacon.com/]
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Thai\Application Data\TVMKNWRD.DLL
Virus:Trj/Downloader.BJ Disinfected C:\Documents and Settings\Thai\.jpi_cache\JAR\1.0\archive.jar-27b6d963-205e3895.idx
Hacktool:Exploit/MIE.CHM Not disinfected C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5449497D
Virus:W32/Sohanat.Y.worm Disinfected C:\AVENGER\BACKUP.ZIP[avenger/taskmng.exe]
Virus:Bck/TclockBased.A Disinfected C:\AVENGER\BACKUP.ZIP[avenger/TClock/tclock.exe]
Virus:Bck/TclockBased.A Disinfected C:\QooBox\Quarantine\C\Program Files\TClock\tclock_install.exe.vir

Edited by cowie, 13 May 2007 - 05:24 PM.


#6 sjpritch25


  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 13 May 2007 - 09:13 PM

Please DELETE the following folder(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.


Files:

C:\WINDOWS\INF\BIINI.INF <-- this file
C:\WINDOWS\INF\SATMAT.INF <-- this file
C:\WINDOWS\LastGood\INF\FARMMEXT.INF <-- this file
C:\WINDOWS\LastGood\INF\Pynix.inf <-- this file
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf <-- this file
C:\Documents and Settings\Thai\My Documents\My Received Files\EZ-Emoticons.exe <-- this file
C:\Documents and Settings\Thai\Application Data\TVMKNWRD.DLL <-- this file


=======================================

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...



How is everything running???
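The helper's fixes above are all read off the HijackThis log in post #5: a changed IE start page, an orphaned BHO, an ActiveX download (O16/DPF) entry to remove, and a service whose binary is gone. The following is an added example, not code from HijackThis or from anyone in this thread, showing how a defender can parse HJT 1.99-style lines and surface exactly those kinds of entries for review. The heuristics (bare filenames in Run keys, DPF packages hosted on a raw IP address, "(no file)" and "(file missing)" markers) are my own assumptions about what deserves a second look, not a verdict on any entry; the sample lines are copied from the log in post #5, and the "known unwanted" set contains only the DPF host the helper asked to fix in post #6.

```python
"""Triage HijackThis 1.99 log lines with simple defender-side heuristics.

Added example for this thread (not HijackThis' own code and not the helper's
procedure). Each "Rn - " / "On - " line is split into its section code and
body, then checked against a few review rules. Findings are (severity, reason)
tuples; "review" means a human should look, not that the entry is malicious.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Line shape: "<section> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - http://..."
LINE_RE = re.compile(r"^(R\d|O\d+|F\d|N\d)\s+-\s+(.*)$")

# Page-sourced: the only DPF host the helper listed for removal (post #6).
# This is not a general blocklist.
KNOWN_UNWANTED_HOSTS = {"dm.screensavers.com"}


def parse_line(line):
    """Return (section, body) for an HJT entry line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _first_url(body):
    m = re.search(r"(https?://\S+)", body)
    return m.group(1) if m else None


def assess(line):
    """Return a list of (severity, reason) findings for one log line."""
    parsed = parse_line(line)
    if not parsed:
        return []
    section, body = parsed
    findings = []
    if section in ("R0", "R1") and "Start Page" in body:
        findings.append(("review", "browser start page set; confirm the user chose it"))
    if section == "R1" and "ProxyOverride" in body:
        findings.append(("info", "proxy override present; often benign, check with user"))
    if section == "O2" and body.endswith("(no file)"):
        findings.append(("cleanup", "orphaned BHO registration, target file missing"))
    if section == "O4":
        # Body looks like: HKLM\..\Run: [Name] <command line>
        m = re.match(r".*?\]\s+(.*)$", body)
        cmd = m.group(1) if m else ""
        # A bare filename means the loader relies on PATH; there is no file to hash.
        if cmd and not re.match(r'^"?[A-Za-z]:\\', cmd) and not cmd.startswith("%"):
            findings.append(("review", "Run entry has no full path: " + cmd))
    if section == "O16":
        url = _first_url(body)
        if url:
            host = urlparse(url).hostname or ""
            if _is_bare_ip(host):
                findings.append(("review", "ActiveX download (DPF) hosted on a bare IP: " + host))
            if host in KNOWN_UNWANTED_HOSTS:
                findings.append(("remove", "DPF host listed for removal by the helper: " + host))
        else:
            findings.append(("cleanup", "DPF entry with no download URL"))
    if section == "O23" and "(file missing)" in body:
        findings.append(("cleanup", "service points at a missing binary"))
    return findings


def triage(log_text):
    """Map each flagged line to its findings; lines with no findings are omitted."""
    out = {}
    for line in log_text.splitlines():
        found = assess(line)
        if found:
            out[line.strip()] = found
    return out


# Constructed sample: a subset of lines copied from the HJT log in post #5.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotvn.us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.226.22/glassroom/GlassRoomVoice.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

if __name__ == "__main__":
    for entry, findings in triage(SAMPLE_LOG).items():
        for severity, reason in findings:
            print(f"[{severity}] {reason}\n    {entry}")
```

Run it against a full HJT log by passing the file's text to `triage()`. The rules deliberately stop at "review": a Run entry like `kmw_run.exe` can be legitimate keyboard software, and a DPF on a raw IP can be a game client, so the output is a worklist for the person doing the cleanup, which is how the helper in this thread worked through the log.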

#7 cowie

  • Topic Starter

  • Members
  • 13 posts

Posted 14 May 2007 - 07:58 AM

So far SpybotSD is able to remove all items found, unlike before. Yahoo IM doesn't send weird links to my contact list anymore, so I'd say things have been fixed.
Thanks a million!!!

#8 sjpritch25


  • Security Colleague
  • 891 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 14 May 2007 - 08:02 AM

You're welcome!!!! :thumbsup:

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • If you don't have a Firewall installed, please choose from the following:
  • If you don't have an Anti-Virus installed, please download the following free program:
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive-by downloads.
  • Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown
    Here are the links to install SiteAdvisor in Internet Explorer and Firefox.
  • Anti-Spyware Programs I Recommend:
  • For Even More Information On Securing Your Computer, read Tony Klein's So How Did I Get Infected In The First Place

