Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Delsim Dialer


  • Please log in to reply
7 replies to this topic

#1 tranqiller

tranqiller

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 29 May 2007 - 12:11 PM

I have been infected with Delsim Dialer Trojan and i deleted it with Avas Antivirus,but i think infected files are still on my computer.Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 19:06:43, on 29.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobar.ba/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: 75180 - Unknown owner - \\192.168.28.52\Admin$\56883.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe

BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 29 May 2007 - 12:27 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum tranqiller :thumbsup:

Click on Start/Run,type CMD then press Ok.
At the Command Prompt copy and paste the following commands pressing Enter after each one:

SC STOP 75180

SC DELETE 75180


Then type EXIT then press Enter.

Restart your pc.

************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.

Posted Image
Posted Image

#3 tranqiller

tranqiller
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 May 2007 - 07:49 AM

Trojan is still there and now it blocks my connection so i cant use intenet at all.Below is SDFix report:
SDFix: Version 1.85

Run by PC User - sri 30.05.2007 - 13:04:34,15

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ISP Ampi Service

ImagePath:
"C:\WINDOWS\isampi.exe"

ISP Ampi Service - Deleted


C:\WINDOWS\system32\Microsoft\backup.ftp Found...
C:\WINDOWS\system32\Microsoft\backup.tftp Found...

Checking files:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp

Dummy:
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Files copied to SDFix\Backups

Restoring files if backups are found

Final Check:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

Dummy:



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\eraseme_07100.exe - Deleted
C:\WINDOWS\eraseme_08447.exe - Deleted
C:\WINDOWS\eraseme_20725.exe - Deleted
C:\WINDOWS\eraseme_21373.exe - Deleted
C:\WINDOWS\eraseme_40786.exe - Deleted
C:\WINDOWS\eraseme_53481.exe - Deleted
C:\WINDOWS\system32\eraseme_24751.exe - Deleted
C:\WINDOWS\iexplore.exe - Deleted
C:\WINDOWS\services.exe - Deleted
C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"E:\\GoJoin_Voip\\Skype\\Skype.exe"="E:\\GoJoin_Voip\\Skype\\Skype.exe:*:Enabled:Skype"
"C:\\Documents and Settings\\PC User\\Desktop\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\PC User\\Desktop\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\03206.exe
C:\WINDOWS\04206.exe
C:\WINDOWS\08502.exe
C:\WINDOWS\08868.exe
C:\WINDOWS\10416.exe
C:\WINDOWS\14757.exe
C:\WINDOWS\23333.exe
C:\WINDOWS\24353.exe
C:\WINDOWS\26464.exe
C:\WINDOWS\26576.exe
C:\WINDOWS\38271.exe
C:\WINDOWS\41577.exe
C:\WINDOWS\41651.exe
C:\WINDOWS\48104.exe
C:\WINDOWS\52858.exe
C:\WINDOWS\56416.exe
C:\WINDOWS\56883.exe
C:\WINDOWS\62070.exe
C:\WINDOWS\62235.exe
C:\WINDOWS\62270.exe
C:\WINDOWS\65485.exe
C:\WINDOWS\67588.exe
C:\WINDOWS\68321.exe
C:\WINDOWS\81364.exe
C:\WINDOWS\84813.exe
C:\WINDOWS\87612.exe
C:\WINDOWS\87851.exe
C:\WINDOWS\ctfmon.exe
C:\WINDOWS\system32\87851.exe
C:\WINDOWS\system32\drivers\NetMotCM.sys
C:\Documents and Settings\PC User\Desktop\~WRL0001.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0002.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0003.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0004.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0005.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0006.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0029.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0270.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0285.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0502.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0773.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0820.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0858.tmp
C:\Documents and Settings\PC User\Desktop\~WRL0991.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1066.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1131.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1150.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1164.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1239.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1254.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1301.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1316.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1377.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1720.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1745.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1909.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1948.tmp
C:\Documents and Settings\PC User\Desktop\~WRL1963.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2020.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2481.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2573.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2601.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2709.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2729.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2810.tmp
C:\Documents and Settings\PC User\Desktop\~WRL2964.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3019.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3175.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3199.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3217.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3277.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3490.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3569.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3578.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3657.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3669.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3676.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3677.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3765.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3787.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3803.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3804.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3838.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3854.tmp
C:\Documents and Settings\PC User\Desktop\~WRL3923.tmp
C:\Documents and Settings\PC User\My Documents\~WRL1824.tmp
C:\Documents and Settings\PC User\My Documents\~WRL2704.tmp
C:\Documents and Settings\PC User\My Documents\~WRL3285.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\bb546fbc47a59146ba0fcd75a5ff4ea3\BIT2.tmp

Finished
------------------------------------------------------------------------------------------------------------------------
This is Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:28:28, on 30.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobar.ba/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Alternative User Input Services (Ctfmon) - Unknown owner - C:\WINDOWS\ctfmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe (file missing)

Thnx for your help.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 30 May 2007 - 08:07 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\03206.exe
C:\WINDOWS\04206.exe
C:\WINDOWS\08502.exe
C:\WINDOWS\08868.exe
C:\WINDOWS\10416.exe
C:\WINDOWS\14757.exe
C:\WINDOWS\23333.exe
C:\WINDOWS\24353.exe
C:\WINDOWS\26464.exe
C:\WINDOWS\26576.exe
C:\WINDOWS\38271.exe
C:\WINDOWS\41577.exe
C:\WINDOWS\41651.exe
C:\WINDOWS\48104.exe
C:\WINDOWS\52858.exe
C:\WINDOWS\56416.exe
C:\WINDOWS\56883.exe
C:\WINDOWS\62070.exe
C:\WINDOWS\62235.exe
C:\WINDOWS\62270.exe
C:\WINDOWS\65485.exe
C:\WINDOWS\67588.exe
C:\WINDOWS\68321.exe
C:\WINDOWS\81364.exe
C:\WINDOWS\84813.exe
C:\WINDOWS\87612.exe
C:\WINDOWS\87851.exe
C:\WINDOWS\system32\87851.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.
Let me know whats happening now.

Edited by RichieUK, 30 May 2007 - 08:07 AM.

Posted Image
Posted Image

#5 tranqiller

tranqiller
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 30 May 2007 - 12:16 PM

The problem is still there,i cant use internet at all.
Avenger report:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ayceuwhe

*******************

Script file located at: \??\C:\Documents and Settings\axygwaoc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\03206.exe deleted successfully.
File C:\WINDOWS\04206.exe deleted successfully.
File C:\WINDOWS\08502.exe deleted successfully.
File C:\WINDOWS\08868.exe deleted successfully.
File C:\WINDOWS\10416.exe deleted successfully.
File C:\WINDOWS\14757.exe deleted successfully.
File C:\WINDOWS\23333.exe deleted successfully.
File C:\WINDOWS\24353.exe deleted successfully.
File C:\WINDOWS\26464.exe deleted successfully.
File C:\WINDOWS\26576.exe deleted successfully.
File C:\WINDOWS\38271.exe deleted successfully.
File C:\WINDOWS\41577.exe deleted successfully.
File C:\WINDOWS\41651.exe deleted successfully.
File C:\WINDOWS\48104.exe deleted successfully.
File C:\WINDOWS\52858.exe deleted successfully.
File C:\WINDOWS\56416.exe deleted successfully.
File C:\WINDOWS\56883.exe deleted successfully.
File C:\WINDOWS\62070.exe deleted successfully.
File C:\WINDOWS\62235.exe deleted successfully.
File C:\WINDOWS\62270.exe deleted successfully.
File C:\WINDOWS\65485.exe deleted successfully.
File C:\WINDOWS\67588.exe deleted successfully.
File C:\WINDOWS\68321.exe deleted successfully.
File C:\WINDOWS\81364.exe deleted successfully.
File C:\WINDOWS\84813.exe deleted successfully.
File C:\WINDOWS\87612.exe deleted successfully.
File C:\WINDOWS\87851.exe deleted successfully.
File C:\WINDOWS\system32\87851.exe deleted successfully.

Completed script processing.

*******************
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:45:05, on 30.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
\192.168.28.52\Admin$\16317.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobar.ba/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: 33082 - Unknown owner - \\192.168.28.52\Admin$\16317.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Alternative User Input Services (Ctfmon) - Unknown owner - C:\WINDOWS\ctfmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe

Does this last entry(" Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe"),look
dubious to you?

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 30 May 2007 - 03:05 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service's called:
33082
Microsoft Internet Explorer

In the next window that opens, click their 'Stop' buttons.
Then change their 'Startup Types' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

***************************

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\iexplore.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

***************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O23 - Service: 33082 - Unknown owner - \192.168.28.52Admin$16317.exe (file missing)
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe


***************************

Download 'e Scan MWAV' from here to your desktop:
http://www.mwti.net/download/tools/mwav.exe
Close any open programs.
Double click on the mwav icon on your desktop.
The program will start,the Licence Agreement will pop up.
Select 'I accept the agreement',then press Ok.
The program will open,leave all the settings as they are.
Now press the 'Scan & Clean' button.
The program will now start scanning your pc.
Once the scan has finished,post the results from the lower window 'Virus Log Information'.

Edited by RichieUK, 30 May 2007 - 03:05 PM.

Posted Image
Posted Image

#7 tranqiller

tranqiller
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:50 AM

Posted 31 May 2007 - 10:20 AM

I tried to follow your instructions,so here is what ive done:ive started Services.msc like you sad,but i couldnt use any options like delete stop,etc;and i couldnt find service 33082;so i went to msconfig and ive disabled Microsoft Internet Explorer service.I used OTMoveIt and succesfuly moved iexplore.exe,but when i scannned with Hijackthis there was no more entries:
O23 - Service: 33082 - Unknown owner - \192.168.28.52Admin$16317.exe (file missing)
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe
I cleaned the system with MWAV,here is the log: http://www.geocities.com/cukiwebsite/MWAV.LOG
When the machine rebooted,everything was doing fine for a while,i could use internet again.But after few minutes internet slowed down,and then it stopped working again.So i scanned with Hijackthis and found O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe again.This is the newest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:58, on 31.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infobar.ba/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\iexplore.exe

Im beginning to think that the best solution is to format the disk and reinstall Windows XP :thumbsup:

Edited by tranqiller, 31 May 2007 - 10:21 AM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 31 May 2007 - 10:32 AM

Ok,maybe formatting will be the best way to go,lets try the following first:

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT:*
Do NOT run any other options until you are asked to do so!

*************************************

Run the following again:
Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new Hijackthis log please.

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users