
Trojan Infection & Removal


27 replies to this topic

#1 LeBoW120

  • Members
  • 39 posts
  • Gender:Male
Posted 19 May 2007 - 08:48 AM

Hi guys,

I could do with some help. I recently installed a program that may contain some spyware and trojans. I've installed programs like Ad-Aware, Spybot, Stinger and Zone Alarm to try to remove it. The problem is that Spybot won't even install; it keeps going off on the installation page. Every Ad-Aware scan shows up different Trojans and spyware on EVERY scan. It seems endless. I installed Zone Alarm but had to remove it because the vector keeps freezing and it's playing havoc with my system, and finally Stinger doesn't find anything at all, even though Ad-Aware keeps reporting several trojans in every scan. Spyware Guard also keeps popping up with warnings about BHOs being installed and won't remove it even when I click on the remove button.

I would appreciate some help on removing these infections and restoring my system to the way it was.

I'm going to post my HijackThis log below in the hope that someone here can help me.

I would like to thank anyone that helps in advance.

Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 14:29:50, on 19/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
E:\Program Files\SealedMedia\sealmon.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\System32\avp.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
E:\WINDOWS\System32\ZoneLabs\vsmon.exe
E:\WINDOWS\smanager.7.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sealmon] E:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Barclays Business Manager] E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe /server
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avp] E:\WINDOWS\System32\avp.exe
O4 - HKLM\..\Run: [Cleanup] e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINDOWS\System32\ptayjugv.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0b\aoltray.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to AMV Convert Tool... - E:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - E:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPA Dumper (ppa_service) - Unknown owner - E:\WINDOWS\System32\ppa_service.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe



#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 20 May 2007 - 07:53 PM

Please download OTMoveIt by OldTimer.
Save it to the Desktop
We’ll use this later.

~~~~
Next, run HijackThis, Scan
Check box for:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINDOWS\System32\ptayjugv.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe

Select: Fix checked

~~~~
Double-click OTMoveIt.exe to run it.
Copy the file paths below (blue) by highlighting all of them, right-clicking and choosing Copy:

E:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
E:\WINDOWS\System32\ptayjugv.dll
E:\WINDOWS\smanager.7.exe


Return to OTMoveIt, right click Paste List of Files/Folders to be moved and choose Paste.
Click the red Moveit! button.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes

Copy the text in the Results window to provide in your reply.
Close OTMoveIt

~~~~
If OTMoveIt did not reboot the computer, please do so now.

~~~~
Also, please go to Virus Total:
http://www.virustotal.com/flash/index_en.html

Click Browse, and go to the following file:
E:\WINDOWS\System32\ppa_service.exe

Then, press: Send
It may take a little while to scan.

When the scan completes, copy the report, and post the results.

~~~~
Now, please download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

SilentRunners shows a few Registry keys that HijackThis does not, so let's get more of the picture.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

~~~~
Please provide the following in your reply:
The OTMoveIt information
The Virus Total report
The SilentRunners log

Old duck...
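The four entries Aaflac picked out of the HijackThis log above share properties an analyst looks for before anything else: a load point whose file is gone ("(no file)"), an executable dropped straight into the Windows directory with a long hexadecimal argument, rundll32 loading a DLL with a random-looking name, and a bare file name with no path at all. The Python script below is an added example (it is not part of this thread and is not HijackThis or OTMoveIt code) that turns those observations into repeatable checks and runs them over a constructed sample modelled on the posted log. The thresholds in looks_random, the Windows-directory test and the reason texts are this example's own assumptions, not rules from any tool.

```python
"""Heuristic triage of HijackThis-style log lines (added example; not HijackThis code)."""
from __future__ import annotations

import re

# Constructed sample: a handful of lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [runner1] E:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "E:\WINDOWS\System32\ptayjugv.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O23 - Service: PPA Dumper (ppa_service) - Unknown owner - E:\WINDOWS\System32\ppa_service.exe
"""

# First executable/DLL path in a command line, quoted or not (stops at the extension).
EXEC = re.compile(r'^"?(.+?\.(?:exe|dll|scr|com|bat|cmd))"?(?=[\s,]|$)', re.I)
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{32,}")
# A file sitting directly in \WINDOWS\ rather than in a subfolder.
WINDOWS_ROOT = re.compile(r"\\windows\\[^\\]+$", re.I)
VOWELS = set("aeiou")


def load_target(command: str) -> str:
    """Return the file an O4 command really loads, looking through rundll32."""
    command = command.strip()
    m = EXEC.match(command)
    if not m:
        return command
    target = m.group(1)
    if target.lower().endswith("rundll32.exe"):
        # rundll32 is only the host; the DLL it is told to load is what matters.
        return load_target(command[m.end():])
    return target


def looks_random(name: str) -> bool:
    """Crude 'keyboard mash' test (assumed threshold): 7+ letters with at most 25% vowels."""
    letters = [c for c in name.split(".", 1)[0].lower() if c.isalpha()]
    return len(letters) >= 7 and sum(c in VOWELS for c in letters) / len(letters) <= 0.25


def triage_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line deserves a closer look (empty if none)."""
    reasons = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("registered load point whose target file is missing")
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service binary carries no publisher information")
    if line.startswith("O4") and "] " in line:
        command = line.split("] ", 1)[1]
        target = load_target(command)
        name = target.rsplit("\\", 1)[-1]
        if "\\" not in target:
            reasons.append(f"bare file name {name}: located by path search, origin unverified")
        elif WINDOWS_ROOT.search(target):
            reasons.append("executable placed directly in the Windows directory")
        if "rundll32" in command.lower() and target.lower().endswith(".dll"):
            reasons.append(f"rundll32 loads {name}: the DLL, not rundll32, is the code that runs")
        if looks_random(name):
            reasons.append(f"random-looking file name {name}")
        if HEX_BLOB.search(command):
            reasons.append("long hexadecimal argument passed at start-up")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map each line that raised at least one reason to its list of reasons."""
    findings = {}
    for raw in log.splitlines():
        line = raw.strip()
        reasons = triage_line(line) if line else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

The output is a review queue, not a verdict: a service with "Unknown owner" is exactly what Aaflac sends to VirusTotal rather than deleting, and legitimate vendor tools sometimes ship without version information. The value of the script is that it surfaces the same five lines an experienced helper would pick out of a 100-line log, so the manual work can go into verifying those rather than reading the whole thing.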


#3 LeBoW120
  • Topic Starter
  • Members
  • 39 posts
  • Gender:Male

Posted 21 May 2007 - 05:51 PM

Hi Aaflac,

Thanks for the help, I really appreciate it. I did as you asked and the results are posted below.

The OTMoveIt information
File/Folder E:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 not found.
DllUnregisterServer procedure not found in E:\WINDOWS\System32\ptayjugv.dll
E:\WINDOWS\System32\ptayjugv.dll NOT unregistered.
E:\WINDOWS\System32\ptayjugv.dll moved successfully.
E:\WINDOWS\smanager.7.exe moved successfully.
Created on 05/21/2007 21:22:52


The Virus Total report
STATUS: FINISHED
Complete scanning result of "ppa_service.exe", received in VirusTotal at 05.21.2007, 22:55:20 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.5.21.1 05.21.2007 no virus found
AntiVir 7.4.0.23 05.21.2007 no virus found
Authentium 4.93.8 05.21.2007 no virus found
Avast 4.7.997.0 05.21.2007 no virus found
AVG 7.5.0.467 05.21.2007 no virus found
BitDefender 7.2 05.21.2007 no virus found
CAT-QuickHeal 9.00 05.21.2007 no virus found
ClamAV devel-20070416 05.21.2007 no virus found
DrWeb 4.33 05.21.2007 no virus found
eSafe 7.0.15.0 05.21.2007 no virus found
eTrust-Vet 30.7.3651 05.21.2007 no virus found
Ewido 4.0 05.21.2007 no virus found
FileAdvisor 1 05.21.2007 no virus found
Fortinet 2.85.0.0 05.21.2007 no virus found
F-Prot 4.3.2.48 05.21.2007 no virus found
F-Secure 6.70.13030.0 05.21.2007 no virus found
Ikarus T3.1.1.7 05.21.2007 no virus found
Kaspersky 4.0.2.24 05.21.2007 no virus found
McAfee 5035 05.21.2007 no virus found
Microsoft 1.2503 05.21.2007 no virus found
NOD32v2 2283 05.21.2007 no virus found
Norman 5.80.02 05.21.2007 no virus found
Panda 9.0.0.4 05.21.2007 no virus found
Prevx1 V2 05.21.2007 no virus found
Sophos 4.17.0 05.21.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.21.2007 no virus found
TheHacker 6.1.6.120 05.21.2007 no virus found
VBA32 3.12.0 05.21.2007 no virus found
VirusBuster 4.3.23:9 05.21.2007 no virus found
Webwasher-Gateway 6.0.1 05.21.2007 no virus found
Aditional Information
File size: 90112 bytes
MD5: 182dbb93f91e93cacc6156d636f07d13
SHA1: ba4ffc676b0471c42502e947574b5174e9a9fb39


The SilentRunners log
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "E:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "E:\WINDOWS\svchost.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AOL Spyware Protection" = ""E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LFAgent" = "(empty string)" [file not found]
"SoundMAXPnP" = "E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"SiSRaid" = "E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" ["SiS"]
"RealTray" = "E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"sealmon" = "E:\Program Files\SealedMedia\sealmon.exe" ["SealedMedia"]
"Barclays Business Manager" = "E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe /server" [null data]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PWRISOVM.EXE" = "E:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"avp" = "E:\WINDOWS\System32\avp.exe" [null data]
"Cleanup" = "e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup" [file not found]
"!AVG Anti-Spyware" = ""E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"SManager" = "smanager.7.exe" [null data]
"setup" = "rundll32.exe "E:\WINDOWS\System32\mlxfeqiy.dll",realset" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{9B3B26B0-4DC0-4987-922F-1FA856678812}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkhff.dll" [null data]
{A6C16391-B966-4676-B898-6F55E586BF56}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkkkhgg.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "E:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" = "Code Download Agent"
-> {HKLM...CLSID} = "Code Download Agent"
\InProcServer32\(Default) = "E:\WINDOWS\System32\webcheck.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{FBE1DB69-5026-42cf-BE97-D52DDB70DB87}" = "AOL"
-> {HKLM...CLSID} = "AOL"
\InProcServer32\(Default) = "E:\PROGRA~1\COMMON~1\aolshare\shell\uk\shellext.dll" ["America Online, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "E:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
<<!>> "{A6C16391-B966-4676-B898-6F55E586BF56}" = "*W" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkkkhgg.dll" [null data]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> jkhff\DLLName = "E:\WINDOWS\System32\jkhff.dll" [null data]
<<!>> jkkkhgg\DLLName = "jkkkhgg.dll" [null data]
<<!>> winnya32\DLLName = "winnya32.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "http://img.alibaba.com/js/commons.js"
"SubscribedURL" = "http://img.alibaba.com/js/commons.js"


Startup items in "Adam" & "All Users" startup folders:
------------------------------------------------------

E:\Documents and Settings\Adam\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SpywareGuard" -> shortcut to: "E:\Program Files\SpywareGuard\sgmain.exe" [null data]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 8.0 Tray Icon" -> shortcut to: "E:\Program Files\AOL 8.0b\aoltray.exe -check" [file not found]
"Palo Alto Software Update Manager 8.0" -> shortcut to: "E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe" ["Palo Alto Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
E:\WINDOWS\System32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 19
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "E:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\(Default) = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\WINDOWS\System32\shdocvw.dll" [MS]
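SilentRunners marks the entries it considers sensitive with <<!>> and appends a bracketed note to every path: a company name read from the file's version information, [MS] for Microsoft, [null data] when the file has no version information, or [file not found]. In the log above the same three things recur in the Winlogon\Notify, Browser Helper Objects and ShellExecuteHooks sections: DLLs in System32 with [null data], COM objects registered with "(no title provided)", and a Policies\Explorer\Run entry naming svchost.exe outside System32. The script below is an added example, not code from SilentRunners or from this thread; it parses a constructed excerpt in SilentRunners' layout (entries copied from the log above) and lists the entries that match those patterns. The section names in LOAD_POINTS, the SYSTEM32_ONLY list and the reason texts are this example's own choices.

```python
"""Review the load points SilentRunners reports (added example; not SilentRunners code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in SilentRunners' layout, using entries from the log posted above.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"svchost.exe" = "E:\WINDOWS\svchost.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{9B3B26B0-4DC0-4987-922F-1FA856678812}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkhff.dll" [null data]
{A6C16391-B966-4676-B898-6F55E586BF56}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkkkhgg.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> jkhff\DLLName = "E:\WINDOWS\System32\jkhff.dll" [null data]
<<!>> jkkkhgg\DLLName = "jkkkhgg.dll" [null data]
<<!>> winnya32\DLLName = "winnya32.dll" [null data]
"""

SECTION = re.compile(r"^HK(?:LM|CU|CR|U)\\.*\\(?: \{\+\+\})?$")
VALUE = re.compile(r'^(?P<key>[^=]+?)\s*=\s*"(?P<val>.*)"\s*\[(?P<tag>[^\]]*)\]$')

# Core Windows binaries that belong in System32; the same name elsewhere is a red flag (assumed list).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
# Load points where a DLL without version information deserves a second look (assumed list).
LOAD_POINTS = ("Winlogon\\Notify", "Browser Helper Objects", "ShellExecuteHooks")


@dataclass
class Entry:
    section: str
    key: str
    path: str
    tag: str        # bracketed note: company name, MS, null data, file not found
    untitled: bool  # preceded by "-> {HKLM...CLSID} = (no title provided)"


def parse_silentrunners(text: str) -> list[Entry]:
    """Walk the log section by section and collect every 'key = "path" [tag]' line."""
    entries, section, untitled = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section, untitled = None, False  # blank line ends a section
            continue
        if SECTION.match(line):
            section = line.replace(" {++}", "").rstrip("\\")
            continue
        if section is None:
            continue
        if line.startswith("->"):
            untitled = "(no title provided)" in line
            continue
        m = VALUE.match(line)
        if m:
            key = m.group("key").replace("<<!>>", "").strip().strip('"')
            path = m.group("val").strip('"').split('"')[0]  # drop nested quoting and arguments
            entries.append(Entry(section, key, path, m.group("tag").strip('"'), untitled))
            untitled = False
    return entries


def assess(e: Entry) -> list[str]:
    """Reasons an entry deserves review; an empty list means nothing stood out."""
    reasons = []
    folder, _, name = e.path.rpartition("\\")
    name = name.lower()
    if e.tag == "file not found":
        reasons.append("load point refers to a file that no longer exists")
    if name in SYSTEM32_ONLY and not folder.lower().endswith("system32"):
        reasons.append(f"{name} is a core system binary name but this copy is not in System32")
    if any(lp in e.section for lp in LOAD_POINTS):
        if e.tag == "null data":
            reasons.append("DLL with no version information in a sensitive load point")
        if e.untitled:
            reasons.append("COM object registered without any title")
    return reasons


def triage_silentrunners(text: str) -> list[tuple[Entry, list[str]]]:
    """Return only the entries that raised at least one reason."""
    out = []
    for e in parse_silentrunners(text):
        reasons = assess(e)
        if reasons:
            out.append((e, reasons))
    return out


if __name__ == "__main__":
    for e, reasons in triage_silentrunners(SAMPLE_LOG):
        print(f"[{e.section.rsplit(chr(92), 1)[-1]}] {e.path}: " + "; ".join(reasons))
```

Note what the heuristics do and do not say. SpywareGuard's dlprotect.dll is listed too, because it also carries no version information; the difference between it and jkhff.dll is that it has a title, a known publisher and a sensible install path, which is why the output should be read as a list to verify rather than a list to delete. The entries that score twice (jkhff.dll and jkkkhgg.dll as untitled, versionless BHOs; svchost.exe as a missing file with a core-system name outside System32) are the ones that match the Vundo-style pattern the helper is chasing in this thread.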

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 21 May 2007 - 10:07 PM

Please download the following to the Desktop:
VundoFix.exe
* Double-click VundoFix.exe to run it
* Click: Scan for Vundo
* Once done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* The Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

A log is created and found in C:\vundofix.txt!

~~~~
Also download ComboFix (by sUBs):
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log: combofix.txt

~~~~
Last, download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Please provide the following in your reply:
C:\VundoFix.txt
The SuperAntiSpyware log
ComboFix.txt

Old duck...


#5 LeBoW120
  • Topic Starter
  • Members
  • 39 posts
  • Gender:Male

Posted 22 May 2007 - 01:19 PM

Hi Aaflac,

Did what you said. Here are my latest posts.


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 04:58:54 22/05/2007

Listing files found while scanning....


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 05:39:02 22/05/2007

Listing files found while scanning....


VundoFix V6.4.1

Checking Java version...

Sun Java not detected
Scan started at 14:32:36 22/05/2007

Listing files found while scanning....

E:\WINDOWS\system32\ffhkj.bak1
E:\WINDOWS\System32\ffhkj.bak2
E:\WINDOWS\System32\ffhkj.ini
E:\WINDOWS\System32\jkhff.dll
E:\WINDOWS\system32\jkkkhgg.dll
E:\WINDOWS\System32\mlxfeqiy.dll
E:\WINDOWS\system32\pmnopon.dll
E:\WINDOWS\system32\sklafsjw.dll
E:\WINDOWS\system32\uepntuwk.dll
E:\WINDOWS\system32\yiqefxlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\ffhkj.bak1
E:\WINDOWS\system32\ffhkj.bak1 Has been deleted!

Attempting to delete E:\WINDOWS\System32\ffhkj.bak2
E:\WINDOWS\System32\ffhkj.bak2 Has been deleted!

Attempting to delete E:\WINDOWS\System32\ffhkj.ini
E:\WINDOWS\System32\ffhkj.ini Has been deleted!

Attempting to delete E:\WINDOWS\System32\jkhff.dll
E:\WINDOWS\System32\jkhff.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\jkkkhgg.dll
E:\WINDOWS\system32\jkkkhgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\System32\mlxfeqiy.dll
E:\WINDOWS\System32\mlxfeqiy.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\pmnopon.dll
E:\WINDOWS\system32\pmnopon.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\sklafsjw.dll
E:\WINDOWS\system32\sklafsjw.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\uepntuwk.dll
E:\WINDOWS\system32\uepntuwk.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\yiqefxlm.ini
E:\WINDOWS\system32\yiqefxlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete E:\WINDOWS\System32\jkhff.dll
E:\WINDOWS\System32\jkhff.dll Has been deleted!

Attempting to delete E:\WINDOWS\system32\jkkkhgg.dll
E:\WINDOWS\system32\jkkkhgg.dll Has been deleted!

Performing Repairs to the registry.
Done!


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2007 at 06:31 PM

Application Version : 3.7.1018

Core Rules Database Version : 3242
Trace Rules Database Version: 1253

Scan type : Complete Scan
Total Scan Time : 01:00:42

Memory items scanned : 350
Memory threats detected : 3
Registry items scanned : 6595
Registry threats detected : 27
File items scanned : 67482
File threats detected : 48

Trojan.Mezzia/Resident
E:\WINDOWS\SYSTEM32\WINNYA32.DLL
E:\WINDOWS\SYSTEM32\WINNYA32.DLL

Trojan.Downloader-Gen/AVP
E:\WINDOWS\SYSTEM32\AVP.EXE
E:\WINDOWS\SYSTEM32\AVP.EXE
[avp] E:\WINDOWS\SYSTEM32\AVP.EXE
E:\WINDOWS\Prefetch\AVP.EXE-22FDBE86.pf

Trojan.Downloader-SManager
E:\WINDOWS\SMANAGER.7.EXE
E:\WINDOWS\SMANAGER.7.EXE
[SManager] E:\WINDOWS\SMANAGER.7.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0754244.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0757244.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0757281.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0759429.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0759447.EXE
E:\_OTMOVEIT\MOVEDFILES\WINDOWS\SMANAGER.7.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{16FC1EF9-DF70-4508-8B44-CD5139912225}
HKCR\CLSID\{16FC1EF9-DF70-4508-8B44-CD5139912225}
HKCR\CLSID\{16FC1EF9-DF70-4508-8B44-CD5139912225}\InprocServer32
HKCR\CLSID\{16FC1EF9-DF70-4508-8B44-CD5139912225}\InprocServer32#ThreadingModel
E:\WINDOWS\SYSTEM32\JKHFF.DLL

Adware.Tracking Cookie
E:\Documents and Settings\Adam\Cookies\adam@advertising[1].txt
E:\Documents and Settings\Adam\Cookies\adam@ad.yieldmanager[1].txt
E:\Documents and Settings\Adam\Cookies\adam@www.winantiviruspro[1].txt
E:\Documents and Settings\Adam\Cookies\adam@azjmp[1].txt
E:\Documents and Settings\Adam\Cookies\adam@enhance[2].txt
E:\Documents and Settings\Adam\Cookies\adam@ads.adbrite[1].txt
E:\Documents and Settings\Adam\Cookies\adam@new-pcp[1].txt
E:\Documents and Settings\Adam\Cookies\adam@ads.allafrica[2].txt
E:\Documents and Settings\Adam\Cookies\adam@klik.klikadvertising[1].txt
E:\Documents and Settings\Adam\Cookies\adam@winantivirus[2].txt
E:\Documents and Settings\Adam\Cookies\adam@adcentriconline[1].txt
E:\Documents and Settings\Adam\Cookies\adam@msnaccountservices.112.2o7[1].txt
E:\Documents and Settings\Adam\Cookies\adam@a[1].txt
E:\Documents and Settings\Adam\Cookies\adam@cpvfeed[2].txt
E:\Documents and Settings\Adam\Cookies\adam@www.drivecleaner[1].txt
E:\Documents and Settings\Adam\Cookies\adam@stats.drivecleaner[2].txt
E:\Documents and Settings\Adam\Cookies\adam@atwola[1].txt
E:\Documents and Settings\Adam\Cookies\adam@drivecleaner[1].txt
E:\Documents and Settings\Adam\Cookies\adam@www.amaena[1].txt
E:\Documents and Settings\Adam\Cookies\adam@goclick[2].txt
E:\Documents and Settings\Adam\Cookies\adam@ad[1].txt
E:\Documents and Settings\Adam\Cookies\adam@msnportal.112.2o7[1].txt
E:\Documents and Settings\Guest\Cookies\guest@commonsensemedia[1].txt

Trojan.32 Bit System Bus Driver
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#Type
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#Start
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32#ExtParam
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Security
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\sysbus32\Enum#INITSTARTFAILED

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP590\A0751163.VBS

Clear Search Toolbar BHO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34DAC3B1-DE0E-434E-8388-231C7F75A4D4}\RP3\A0011737.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{34DAC3B1-DE0E-434E-8388-231C7F75A4D4}\RP5\A0026810.DLL

Adware.SurfSideKick
E:\DOCUMENTS AND SETTINGS\GUEST\APPLICATION DATA\SSKKNWRD.DLL

Trojan.Downloader-Gen/SwampDonk
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP590\A0751135.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0759433.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0759440.DLL
E:\VUNDOFIX BACKUPS\JKKKHGG.DLL.BAD
E:\VUNDOFIX BACKUPS\PMNOPON.DLL.BAD

Trojan.Downloader-Gen/RetAd
E:\SYSTEM VOLUME INFORMATION\_RESTORE{52A2A1BF-7B11-457E-BDD1-3CFC6681891F}\RP591\A0752192.EXE

Trojan.CoolWebSearch Variant
E:\WINDOWS\N_KOSBRN.LOG
E:\WINDOWS\N_KPPKCQ.DAT

Trace.Known Threat Sources
E:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\MFKJOD4H\cmd[1].php
E:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\EKLWLP6N\text[1].dat

"Adam" - 2007-05-22 17:22:08 Service Pack 1
ComboFix 07-05.19.3V - Running from: "E:\Documents and Settings\Adam\Desktop\"


/wow section - STAGE #3

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\mit.bat


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-22 04:58 <DIR> d-------- E:\VundoFix Backups
2007-05-22 02:16 1,156 --a------ E:\WINDOWS\mozver.dat
2007-05-22 02:06 <DIR> d-------- E:\DOCUME~1\Adam\APPLIC~1\Talkback
2007-05-21 21:32 11,776 --a------ E:\WINDOWS\smanager.7.exe
2007-05-21 03:11 <DIR> d-------- E:\Program Files\Common Files\McAfee
2007-05-19 02:24 <DIR> d-------- E:\Program Files\Lavasoft
2007-05-19 02:23 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-05-19 00:57 3,968 --a------ E:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-19 00:52 49,152 --a------ E:\WINDOWS\nircmd.exe
2007-05-19 00:49 <DIR> d-------- E:\WINDOWS\CAVTemp
2007-05-19 00:42 478 --a------ E:\CFCleanUp.bat
2007-05-18 23:33 <DIR> d-------- E:\DOCUME~1\Adam\APPLIC~1\MailFrontier
2007-05-18 23:28 <DIR> d-------- E:\DOCUME~1\Adam\APPLIC~1\SiteAdvisor
2007-05-18 23:24 77,824 --a------ E:\WINDOWS\system32\driverif.dll
2007-05-18 23:24 75,776 --a------ E:\WINDOWS\zllsputility.exe
2007-05-18 23:24 733,236 --------- E:\WINDOWS\system32\vete.dll
2007-05-18 23:24 645,904 --a------ E:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-18 23:24 21,605 --a------ E:\WINDOWS\system32\drivers\vet-filt.sys
2007-05-18 23:24 15,668 --a------ E:\WINDOWS\system32\drivers\vet-rec.sys
2007-05-18 23:24 12,288 --a------ E:\WINDOWS\system32\vetntmsg.dll
2007-05-18 23:24 115,088 --a------ E:\WINDOWS\system32\drivers\vetfddnt.sys
2007-05-18 23:24 11,264 --a------ E:\WINDOWS\system32\SpOrder.dll
2007-05-18 16:24 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-05-18 05:32 93,696 --a------ E:\WINDOWS\system32\drvjah.dll
2007-05-18 05:32 18,944 --a------ E:\WINDOWS\system32\winnya32.dll
2007-05-18 05:32 17,408 --a------ E:\WINDOWS\system32\avp.exe
2007-05-18 05:23 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\AVS4YOU
2007-05-18 05:23 <DIR> d-------- E:\DOCUME~1\Adam\APPLIC~1\AVSMedia
2007-05-18 05:22 524,288 --a------ E:\WINDOWS\system32\xvidcore.dll
2007-05-18 05:22 139,264 --a------ E:\WINDOWS\system32\xvidvfw.dll
2007-05-18 05:22 <DIR> d-------- E:\Program Files\Common Files\AVSMedia
2007-05-18 05:22 <DIR> d-------- E:\Program Files\AVSMedia
2007-05-17 14:51 <DIR> d-------- E:\WINDOWS\CSC
2007-05-17 14:42 12,964 --a------ E:\WINDOWS\system32\drivers\kbfilter.sys
2007-05-17 14:38 28,160 --a------ E:\WINDOWS\system32\drivers\usbccgp.sys
2007-05-17 14:38 20,480 --a------ E:\WINDOWS\system32\hidserv.dll
2007-05-17 14:38 12,160 --a------ E:\WINDOWS\system32\drivers\mouhid.sys
2007-05-14 19:37 <DIR> d-------- E:\Program Files\MagicISO
2007-05-12 04:49 <DIR> d-------- E:\Program Files\Avex
2007-05-10 20:54 <DIR> d-------- E:\Program Files\PowerISO
2007-05-10 17:14 <DIR> d-------- E:\Program Files\MP3 Player Utilities 4.00
2007-05-09 14:18 9,600 --a------ E:\WINDOWS\system32\drivers\hidusb.sys
2007-05-09 14:18 13,952 --a------ E:\WINDOWS\system32\drivers\kbdhid.sys
2007-05-02 05:57 <DIR> d-------- E:\DOCUME~1\Adam\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 03:11:22 -------- d-----w E:\Program Files\McAfee
2007-05-22 02:31:17 -------- d-----w E:\Program Files\Winamp
2007-05-22 01:01:06 -------- d-----w E:\Program Files\DivX
2007-05-21 03:48:52 -------- d-----w E:\Program Files\SpywareGuard
2007-05-19 01:24:25 -------- d-----w E:\DOCUME~1\Adam\APPLIC~1\Lavasoft
2007-05-19 01:14:54 -------- d-----w E:\Program Files\EVE2.5
2007-05-18 23:16:41 -------- d-----w E:\Program Files\McAfee.com
2007-05-18 22:27:22 4,212 ---h--w E:\WINDOWS\system32\zllictbl.dat
2007-05-10 15:26:11 -------- d-----w E:\Program Files\GustoSoft
2007-04-23 18:17:28 -------- d-----w E:\DOCUME~1\Adam\APPLIC~1\OpenOffice.org1.9.79
2007-04-13 23:49:38 -------- d-----w E:\DOCUME~1\Adam\APPLIC~1\Apple Computer
2007-04-13 23:35:38 -------- d--h--w E:\Program Files\InstallShield Installation Information
2007-04-13 23:35:09 -------- d-----w E:\Program Files\QuickTime
2007-04-13 23:32:55 -------- d-----w E:\Program Files\iTunes
2007-04-13 23:30:32 -------- d-----w E:\Program Files\iPod
2007-03-27 07:55:57 524,288 ----a-w E:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 118,520 ------w E:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ------w E:\WINDOWS\system32\pxcpyi64.exe
2007-03-27 07:55:23 200,704 ----a-w E:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w E:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w E:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w E:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w E:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w E:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w E:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w E:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w E:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w E:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w E:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w E:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w E:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w E:\WINDOWS\system32\DivX.dll
2007-03-07 23:51:00 43,528 ------w E:\WINDOWS\system32\drivers\pxhelp20.sys
2007-03-07 23:51:00 129,784 ------w E:\WINDOWS\system32\pxafs.dll
2007-02-16 01:40:35 124,472 ----a-w E:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}=E:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 23:24]
{A6C16391-B966-4676-B898-6F55E586BF56}=E:\WINDOWS\System32\jkkkhgg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"AOL Spyware Protection"="E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"LFAgent"="" []
"SoundMAXPnP"="E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11]
"SoundMAX"="E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41]
"SiSRaid"="E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-03-01 11:56]
"RealTray"="E:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-26 21:09]
"sealmon"="E:\Program Files\SealedMedia\sealmon.exe" [2006-03-15 03:20]
"Barclays Business Manager"="E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe" [2005-08-09 12:14]
"SiSPower"="SiSPower.dll" [2005-05-26 04:01 E:\WINDOWS\system32\SiSPower.dll]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-04-14 00:34]
"PWRISOVM.EXE"="E:\Program Files\PowerISO\PWRISOVM.EXE" [2006-03-18 03:24]
"avp"="E:\WINDOWS\System32\avp.exe" [2007-05-18 05:32]
"Cleanup"="e:\program files\mcafee.com\shared\mcappins.exe" []
"!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 13:20]
"SManager"="smanager.7.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"ctfmon.exe"="E:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="E:\Program Files\ewido anti-malware\shellhook.dll" [2004-09-30 13:21]
"{A6C16391-B966-4676-B898-6F55E586BF56}"="E:\WINDOWS\System32\jkkkhgg.dll" []
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnya32]
winnya32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* -PROCEXP90

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 17:24:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 17:25:04
E:\ComboFix-quarantined-files.txt ... 2007-05-22 17:25
E:\ComboFix2.txt ... 2007-05-19 00:52


--- E O F ---

Look forward to your next post mate.

Cheers.

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 22 May 2007 - 02:16 PM

Looks as if 'something' is recreating malware files.

~~~~
Please download RootChk by ejvindh:
http://www.uploads.ejvindh.net/rootchk.exe
Save it to the Desktop
Run the program.
When done, a log file appears.

Please copy the contents of the Rootchk report and provide it in your reply.

~~~~
Also run SilentRunners and provide a new log from it.

Old duck...


#7 LeBoW120

LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 22 May 2007 - 03:07 PM

Here are the new logs.

~~~~

********************************* ROOTCHK-(21-05-07)-LOG, by ejvindh
22/05/2007 20:39:00.90

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 20:39:02
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

~~~~

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "E:\WINDOWS\System32\ctfmon.exe" [MS]
"SUPERAntiSpyware" = "E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AOL Spyware Protection" = ""E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LFAgent" = "(empty string)" [file not found]
"SoundMAXPnP" = "E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"SiSRaid" = "E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" ["SiS"]
"RealTray" = "E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"sealmon" = "E:\Program Files\SealedMedia\sealmon.exe" ["SealedMedia"]
"Barclays Business Manager" = "E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe /server" [null data]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PWRISOVM.EXE" = "E:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"Cleanup" = "e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup" [file not found]
"!AVG Anti-Spyware" = ""E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"avp" = "E:\WINDOWS\System32\avp.exe" [file not found]
"SManager" = "smanager.7.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{A6C16391-B966-4676-B898-6F55E586BF56}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkkkhgg.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "E:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{FBE1DB69-5026-42cf-BE97-D52DDB70DB87}" = "AOL"
-> {HKLM...CLSID} = "AOL"
\InProcServer32\(Default) = "E:\PROGRA~1\COMMON~1\aolshare\shell\uk\shellext.dll" ["America Online, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "E:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
<<!>> "{A6C16391-B966-4676-B898-6F55E586BF56}" = "*W" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\System32\jkkkhgg.dll" [file not found]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "E:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> winnya32\DLLName = "winnya32.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "http://img.alibaba.com/js/commons.js"
"SubscribedURL" = "http://img.alibaba.com/js/commons.js"


Startup items in "Adam" & "All Users" startup folders:
------------------------------------------------------

E:\Documents and Settings\Adam\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SpywareGuard" -> shortcut to: "E:\Program Files\SpywareGuard\sgmain.exe" [null data]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 8.0 Tray Icon" -> shortcut to: "E:\Program Files\AOL 8.0b\aoltray.exe -check" [file not found]
"Palo Alto Software Update Manager 8.0" -> shortcut to: "E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe" ["Palo Alto Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
E:\WINDOWS\System32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 19
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "E:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\(Default) = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "E:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

E:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "E:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""E:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 685 seconds, including 12 seconds for message boxes)

~~~~

You said something appears to be recreating malware files. Any ideas?

Edited by LeBoW120, 22 May 2007 - 03:37 PM.


#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 22 May 2007 - 03:20 PM

It looks as if the SilentRunners log is cut off. Please post the full log.
There are 'file missing' indications, so things may be heading in the right direction, and we are just dealing with some remnants.

Also, please run HijackThis, Scan, and post its log.

Old duck...


#9 LeBoW120

LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 22 May 2007 - 03:42 PM

Hi,

Noticed the cut-off myself too. I was in the middle of editing the post when I saw your comment. If you check back, the full log should be up now. HijackThis log is below.

~~~~

Logfile of HijackThis v1.99.1
Scan saved at 21:34:56, on 22/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\WINDOWS\system32\taskmgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} -

E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A6C16391-B966-4676-B898-6F55E586BF56} -

E:\WINDOWS\System32\jkkkhgg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP

Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] E:\Program Files\Silicon Integrated

Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sealmon] E:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Barclays Business Manager] E:\Program Files\Barclays\Business

Manager\bin\BarclaysBusinessManager.exe /server
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Cleanup] e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"

/minimized
O4 - HKLM\..\Run: [avp] E:\WINDOWS\System32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe

Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0b\aoltray.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = E:\Program Files\Common

Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://e:\program

files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program

files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to AMV Convert Tool... - E:\Program Files\MP3 Player Utilities

4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - E:\Program Files\MP3 Player Utilities

4.00\MediaManager\grab.html
O8 - Extra context menu item: Backward Links - res://e:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program

files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program

files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program

files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -

http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winnya32 - winnya32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program

Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe (file

missing)
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido

anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony

Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony

Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPA Dumper (ppa_service) - Unknown owner -

E:\WINDOWS\System32\ppa_service.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc.

- E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common

Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -

E:\WINDOWS\wanmpsvc.exe

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 22 May 2007 - 03:47 PM

Have to go somewhere for a while, but will be back this evening...

Don't mean to pick on you :thumbsup: but it looks as if the HijackThis log text is using Word Wrap!

Please open the HijackThis log text in Notepad.
At the top, click: Format

If there is a check next to Word wrap, click on Word wrap to turn it off.

Then post your log. It will be easier to read.

Thank you.

Old duck...


#11 LeBoW120

LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 22 May 2007 - 03:54 PM

Hey,

It's cool. Sorry about the word wrap thing. Didn't really check. I'll repost the log again in the usual way.

Logfile of HijackThis v1.99.1
Scan saved at 21:34:56, on 22/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\wanmpsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\WINDOWS\system32\taskmgr.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A6C16391-B966-4676-B898-6F55E586BF56} - E:\WINDOWS\System32\jkkkhgg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sealmon] E:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [Barclays Business Manager] E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe /server
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Cleanup] e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avp] E:\WINDOWS\System32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = E:\Program Files\AOL 8.0b\aoltray.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to AMV Convert Tool... - E:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - E:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winnya32 - winnya32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - E:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPA Dumper (ppa_service) - Unknown owner - E:\WINDOWS\System32\ppa_service.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 22 May 2007 - 10:29 PM

Have you configured this Active Desktop Component (xx stand for other letters):
hxxp://img.alibaba.com/js/commons.js

If the above is not familiar, do the following:

Go to Start > Control Panel
Double-click on the Display control panel icon.
Click on the Desktop tab
Click on Customize Desktop
Click on the Web tab on the new Windows that pops up.

Under the Web pages box you will see a list of Active Desktop Components.
Select hxxp://img.alibaba.com/js/commons.js and click: Delete
Press the OK button to close this screen.
Press the Apply button and then the OK button to close the Display control panel.

~~~~
Next, since the step that follows modifies the Registry, let’s make a backup of it.

Go to Start > Run and paste the following in the Open area:

regedit /e E:\registrybackup.reg

Click OK

It appears that nothing is happening, but the mouse pointer changes its shape.
The Registry backup takes a couple of minutes, and when the mouse pointer turns back to its normal shape, the backup should be complete.

Look for the following to verify it is there, but do nothing with this file:
E:\registrybackup.reg


~~~~
Now, please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue REGEDIT below to it:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{A6C16391-B966-4676-B898-6F55E586BF56}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6C16391-B966-4676-B898-6F55E586BF56}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avp"=-
"SManager"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A6C16391-B966-4676-B898-6F55E586BF56}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnya32]


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: delete.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Next, enable the viewing of Hidden Files and Folders as follows:
-At your Desktop, go to Start > My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
-Click OK

~~~~
Search for, and verify whether the following files (bold) exist. If they do, right-click and select Delete:
E:\WINDOWS\System32\avp.exe
E:\WINDOWS\smanager.7.exe

~~~~
Restart the computer.

~~~~
Please run SilentRunners once again, and post its log.

Edited by Aaflac, 23 May 2007 - 08:06 AM.

Old duck...

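The two posts above work from the same raw material: a HijackThis log (post #11) and a hand-written REGEDIT4 script that removes the launch points whose files are gone (post #12). The following is an added example, not code from this thread, from HijackThis or from Silent Runners. It parses the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines, flags entries whose target is reported "(file missing)" or is a bare filename with no path, and emits a REGEDIT4 script in the same shape as the delete.reg above, but only for the confirmed-missing entries. Bare filenames (which Windows resolves through its PATH search, and which can be legitimate, as Rundll32.exe is) are listed for manual review rather than deleted. The sample log lines are copied from the log posted above; the key names are the standard Windows locations those HijackThis sections refer to.

```python
"""Triage helper for HijackThis-style logs (added example, not thread code)."""
import re

# Registry locations the three HijackThis sections map to.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6C16391-B966-4676-B898-6F55E586BF56} - E:\WINDOWS\System32\jkkkhgg.dll (file missing)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [avp] E:\WINDOWS\System32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winnya32 - winnya32.dll (file missing)
"""


def parse_line(line):
    """Return (section, fields) for a recognised O2/O4/O20 line, else None."""
    for section, pattern in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = pattern.match(line)
        if m:
            return section, m.groupdict()
    return None


def executable(target):
    """First token of the launch command: the quoted path, or the text up to the first space."""
    t = target.replace("(file missing)", "").strip()
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    return t.split(" ", 1)[0]


def classify(target):
    """'missing' if the tool reported the file gone, 'bare' if no path was given, else 'ok'."""
    if "(file missing)" in target:
        return "missing"
    if "\\" not in executable(target):
        return "bare"
    return "ok"


def triage(log_text):
    """Return the entries worth a second look, in log order, with their verdict."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, fields = parsed
        verdict = classify(fields["target"])
        if verdict != "ok":
            findings.append({"kind": section, "verdict": verdict, "line": line, **fields})
    return findings


def removal_script(findings):
    """REGEDIT4 text deleting only the 'missing' launch points.

    Run entries are registry *values*, so they are removed with "name"=- under
    the Run key; BHO and Winlogon Notify entries are subkeys and use [-key].
    """
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f["verdict"] != "missing":
            continue
        if f["kind"] == "O2":
            lines += [f"[-{CLSID_KEY}\\{f['clsid']}]", "", f"[-{BHO_KEY}\\{f['clsid']}]", ""]
        elif f["kind"] == "O4":
            lines += [f"[{RUN_KEYS[f['hive']]}]", f'"{f["value"]}"=-', ""]
        elif f["kind"] == "O20":
            lines += [f"[-{NOTIFY_KEY}\\{f['name']}]", ""]
    # .reg files use CRLF and must end with a blank line to be merged cleanly.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['verdict']:8} {f['line']}")
    print()
    print(removal_script(found))
```

Run against the sample, the script removes the nameless BHO and the winnya32 Notify entry, and reports SiSPower and SManager for review. Note that the avp Run value is not flagged from the HijackThis line alone, because HijackThis gave it a full path without marking it missing; Silent Runners, which checks the file, is what showed it as [file not found], which is why the helper cross-checks both logs.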

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 23 May 2007 - 08:06 AM

Aaarrgh!! :thumbsup:

Noticed I have two mistakes in the above instructions!!!

Corrected to:
regedit /e E:\registrybackup.reg

and added REGEDIT4 to Registry merge

My apology!!

Old duck...


#14 LeBoW120

LeBoW120
  • Topic Starter

  • Members
  • 39 posts
  • Gender:Male

Posted 23 May 2007 - 01:19 PM

Hi Aaflac,

Thanks for the correction. Every time I tried to follow your instruction before, I kept getting a weird error message:

"Cannot import E:\DOCUME-1\Adam\Desktop\delete.reg: The specified file is not a registry script.
You can only import binary registry files from within the registry editor".

I thought it was a mistake on my part. Anyway, I've followed the revised instructions and it worked. My SilentRunners log is posted below.

~~~~

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "E:\WINDOWS\System32\ctfmon.exe" [MS]
"SUPERAntiSpyware" = "E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AOL Spyware Protection" = ""E:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"LFAgent" = "(empty string)" [file not found]
"SoundMAXPnP" = "E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"SiSRaid" = "E:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" ["SiS"]
"RealTray" = "E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"sealmon" = "E:\Program Files\SealedMedia\sealmon.exe" ["SealedMedia"]
"Barclays Business Manager" = "E:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe /server" [null data]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PWRISOVM.EXE" = "E:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"Cleanup" = "e:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup" [file not found]
"!AVG Anti-Spyware" = ""E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"avp" = "E:\WINDOWS\System32\avp.exe" [file not found]
"SManager" = "smanager.7.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\dlprotect.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "E:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{FBE1DB69-5026-42cf-BE97-D52DDB70DB87}" = "AOL"
-> {HKLM...CLSID} = "AOL"
\InProcServer32\(Default) = "E:\PROGRA~1\COMMON~1\aolshare\shell\uk\shellext.dll" ["America Online, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "E:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "E:\Program Files\SpywareGuard\spywareguard.dll" [null data]
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "E:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "E:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Program Files\OpenOffice.org 1.9.79\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "E:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "E:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "E:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\WINDOWS\Web\Wallpaper\Bliss.bmp"


Startup items in "Adam" & "All Users" startup folders:
------------------------------------------------------

E:\Documents and Settings\Adam\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SpywareGuard" -> shortcut to: "E:\Program Files\SpywareGuard\sgmain.exe" [null data]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL 8.0 Tray Icon" -> shortcut to: "E:\Program Files\AOL 8.0b\aoltray.exe -check" [file not found]
"Palo Alto Software Update Manager 8.0" -> shortcut to: "E:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe" ["Palo Alto Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
E:\WINDOWS\System32\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 01 - 03, 19
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "E:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\(Default) = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "E:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

E:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "E:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
WAN Miniport (ATW) Service, WANMiniportService, ""E:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 73 seconds, including 7 seconds for message boxes)
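The report above walks Explorer shell extensions, ShellExecuteHooks, Winlogon Notify packages and the Winsock2 catalogs, and prints "[null data]" where a DLL carries no company name. The script below is an added example, not part of the original post and not code from the Silent Runners tool: it enumerates the same launch points on a current Windows system, resolves each CLSID to its InProcServer32 DLL (checking HKCU before HKLM, since a per-user CLSID registration shadows the machine-wide one for that user), and flags DLLs that are missing, unsigned, or have no CompanyName. The HKCU-first resolution and the PackedCatalogItem layout (DLL path as the leading NUL-terminated ANSI string) are assumptions of this example. It is read-only; nothing is deleted.

```powershell
# Added example, not part of the original post or of the Silent Runners tool.
# Enumerates the launch points the report above walks, resolves CLSIDs to their
# InProcServer32 DLLs and flags DLLs that are missing, unsigned or have no
# CompanyName (Silent Runners prints "[null data]" for the last case).
# Read-only. 64-bit systems also have *_Catalog_Entries64 and WOW6432Node keys,
# which this example does not walk.

$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-DllAssessment {
    param([string]$RawPath, [string]$Source)
    # Registry values may be quoted, use %SystemRoot%, or be a bare file name
    $path = [Environment]::ExpandEnvironmentVariables($RawPath.Trim().Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        # Bare names such as Ati2evxx.dll are loaded from System32
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Flag = $true; Signature = 'FileNotFound'; Company = $null; Path = $path; Source = $Source }
    }
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    $status  = (Get-AuthenticodeSignature -LiteralPath $path).Status
    [pscustomobject]@{
        # Flag means "look at it", not "malicious": legitimate DLLs (rarext.dll in
        # the report above) ship without a CompanyName or signature too
        Flag      = [string]::IsNullOrWhiteSpace($company) -or ($status -ne 'Valid')
        Signature = $status
        Company   = $company
        Path      = $path
        Source    = $Source
    }
}

function Resolve-InProcServer {
    param([string]$Clsid)
    # HKCU first (assumption of this example): a per-user CLSID registration shadows
    # the HKLM one for that user, which is how COM hijacking re-points a handler
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $key = "$root\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

$results = @()

# 1. CLSID-keyed launch points. ShellExecuteHooks and Approved store CLSIDs as value
#    names; shellex handler keys store them as a subkey's default value or subkey name.
$clsidKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKLM:\Software\Classes\*\shellex\ContextMenuHandlers',   # literal "*" key, hence -LiteralPath
    'HKLM:\Software\Classes\Directory\shellex\ContextMenuHandlers',
    'HKLM:\Software\Classes\Folder\shellex\ContextMenuHandlers',
    'HKLM:\Software\Classes\Folder\shellex\ColumnHandlers'
)
foreach ($key in $clsidKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $clsids = @()
    $props = Get-ItemProperty -LiteralPath $key
    if ($props) { $clsids += @($props.PSObject.Properties.Name | Where-Object { $_ -match $GuidPattern }) }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $default = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
        if ($default -match $GuidPattern)             { $clsids += $default }
        elseif ($sub.PSChildName -match $GuidPattern) { $clsids += $sub.PSChildName }
    }
    foreach ($clsid in ($clsids | Sort-Object -Unique)) {
        $dll = Resolve-InProcServer $clsid
        if ($dll) { $results += Get-DllAssessment -RawPath $dll -Source "$key [$clsid]" }
    }
}

# 2. Winlogon Notify packages (DLLName under each subkey). Retired after XP/2003,
#    so the key is usually absent on a current system.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    foreach ($sub in Get-ChildItem -LiteralPath $notify) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        if ($dll) { $results += Get-DllAssessment -RawPath $dll -Source "Winlogon\Notify\$($sub.PSChildName)" }
    }
}

# 3. Winsock2 catalogs. Namespace providers store a plain LibraryPath; transport
#    providers (LSPs) store a binary PackedCatalogItem whose leading NUL-terminated
#    ANSI string is taken here to be the DLL path (layout assumption of this example).
$ws2 = 'HKLM:\System\CurrentControlSet\Services\Winsock2\Parameters'
foreach ($sub in Get-ChildItem -LiteralPath "$ws2\NameSpace_Catalog5\Catalog_Entries" -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).LibraryPath
    if ($dll) { $results += Get-DllAssessment -RawPath $dll -Source "Winsock2 NSP $($sub.PSChildName)" }
}
foreach ($sub in Get-ChildItem -LiteralPath "$ws2\Protocol_Catalog9\Catalog_Entries" -ErrorAction SilentlyContinue) {
    $blob = (Get-ItemProperty -LiteralPath $sub.PSPath).PackedCatalogItem
    if ($blob) {
        $dll = [System.Text.Encoding]::ASCII.GetString($blob).Split([char]0)[0]
        if ($dll) { $results += Get-DllAssessment -RawPath $dll -Source "Winsock2 LSP $($sub.PSChildName)" }
    }
}

# Flagged entries first; review them by hand rather than deleting anything blindly
$results | Sort-Object -Property Flag -Descending | Format-Table Flag, Signature, Company, Path, Source -AutoSize
```

Treat a flagged row the way the report treats "<<!>>": a prompt to look closer, not a verdict. Check the flagged file's hash against a reputation service, its installer against what is actually on the machine, and whether the CLSID it was reached through is registered under HKCU rather than HKLM before deciding it is a malware launch point.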

#15 Aaflac

  • Malware Response Team
  • Location:USA

Posted 23 May 2007 - 03:34 PM

Good job!!

Please post a new HijackThis log, and let's see what it shows. However, before doing so, it doesn't look as if you are running an AntiVirus program!!

No offense, but that is rather foolish!!

Please take action now to install an AV Program!!
There are free programs you can download:

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

AntiVir Personal Edition: http://www.free-av.com/

Active Virus Shield http://www.activevirusshield.com/antivirus/freeav/index.adp

Old duck...




