Hastur Posted January 24, 2008 ID:12290 Share Posted January 24, 2008 Hi all,My PC is giving me false alerts in the task bar and also web pages are popping up that shouldn't be. I ran AVG anti-virus and AVG Anti-Spyware. Trojan.Agent.NH was removed but when I reboot the problems persist. I can post AVG scans and HiJack scans - I will try and do Panda tomorrow.Thanks in advance for any help!---------------------------------------------------------AVG Anti-Spyware - Scan Report--------------------------------------------------------- + Created at: 11:13:50 PM 1/23/2008 + Scan result: C:\Documents and Settings\Hastur\Local Settings\Temporary Internet Files\Content.IE5\D0JYBN97\click[1].htm -> Hijacker.Agent.ai : Cleaned with backup (quarantined).:mozilla.18:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.:mozilla.29:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.:mozilla.30:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.:mozilla.7:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.:mozilla.9:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.:mozilla.37:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Advertising : Cleaned.:mozilla.38:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Advertising : Cleaned.:mozilla.43:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Advertising : Cleaned.:mozilla.44:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Advertising : Cleaned.:mozilla.32:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Atdmt : Cleaned.:mozilla.76:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.:mozilla.63:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Connextra : Cleaned.:mozilla.64:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Connextra : Cleaned.:mozilla.65:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Connextra : Cleaned.:mozilla.31:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.:mozilla.39:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Euroclick : Cleaned.:mozilla.40:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Euroclick : Cleaned.:mozilla.41:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Euroclick : Cleaned.:mozilla.42:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Euroclick : Cleaned.:mozilla.19:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Fastclick : Cleaned.:mozilla.20:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Fastclick : Cleaned.:mozilla.21:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Fastclick : Cleaned.:mozilla.22:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Fastclick : Cleaned.:mozilla.23:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Fastclick : Cleaned.:mozilla.66:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.:mozilla.13:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Overture : Cleaned.:mozilla.78:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.79:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.80:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.81:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.82:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.83:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.84:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Pointroll : Cleaned.:mozilla.75:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Revsci : Cleaned.:mozilla.77:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.:mozilla.48:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.:mozilla.49:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.:mozilla.50:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.:mozilla.51:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.:mozilla.52:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.:mozilla.53:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.:mozilla.70:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Zedo : Cleaned.:mozilla.71:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Zedo : Cleaned.:mozilla.72:C:\Games\EverQuest II\mozilla\cookies.txt -> TrackingCookie.Zedo : Cleaned.::Report end Link to post Share on other sites More sharing options...
Hastur Posted January 24, 2008 Author ID:12291 Share Posted January 24, 2008 Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 12:34:24 AM, on 1/24/2008Platform: Windows XP SP2 (WinNT 5.01.2600)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEC:\WINDOWS\CTHELPER.EXEC:\WINDOWS\system32\CTXFIHLP.EXEC:\WINDOWS\SYSTEM32\CTXFISPI.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\FlashGet\flashget.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXEC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HiJack\HiJackThis_v2.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dllO2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXEO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /minO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: Logitech SetPoint.lnk = ?O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dllO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe--End of file - 6183 bytes Link to post Share on other sites More sharing options...
Hastur Posted January 24, 2008 Author ID:12309 Share Posted January 24, 2008 Panda Scan:Incident Status Location Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@advancedcleaner[1].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@atwola[1].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@kinghost[2].txt Virus:Generic Trojan Not disinfected Personal Folders\Inbox\Keep\FW: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Trojan Not disinfected Personal Folders\Sent Items\Fw: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Malware Not disinfected Personal Folders\Sent Items\Re: yo\embrace.rar[keygen.exe] Spyware:Cookie/Overture Not disinfected C:\Games\EverQuest II\mozilla\cookies.txt[.overture.com/] Spyware:Cookie/Apmebf Not disinfected C:\Games\EverQuest II\mozilla\cookies.txt[.apmebf.com/] Spyware:Cookie/FastClick Not disinfected C:\Games\EverQuest II\mozilla\cookies.txt[.fastclick.net/] Spyware:Cookie/Adrevolver Not disinfected C:\Games\EverQuest II\mozilla\cookies.txt[.adrevolver.com/] Spyware:Cookie/Adserver Not disinfected C:\Games\EverQuest II\mozilla\cookies.txt[.adserver.easyad.info/] Virus:Generic Trojan Not disinfected Personal Folders\Inbox\Keep\FW: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Trojan Not disinfected Personal Folders\Sent Items\Fw: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Malware Not disinfected Personal Folders\Sent Items\Re: yo\embrace.rar[keygen.exe] Virus:Generic Trojan Not disinfected Local Folders\Inbox\Keep\FW: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Trojan Not disinfected Local Folders\Sent Items\Fw: \Windows.Keygens.rar[wxpo2k3kg_mskey.exe] Virus:Generic Malware Not disinfected Local Folders\Sent Items\Re: yo\embrace.rar[keygen.exe] Link to post Share on other sites More sharing options...
JeanInMontana Posted January 24, 2008 ID:12313 Share Posted January 24, 2008 Hi Hasture and welcome to Malwarebytes. Please get rid of everything shown in the Panda scan associated with the Key gen program(s). Malwarebytes does not condone or associate with cracking software. This is most likely how you got infected also.Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm You are running a beta version of HJT please get this version and post a log from it after removing the beta version. HiJack This! Link to post Share on other sites More sharing options...
Hastur Posted January 25, 2008 Author ID:12335 Share Posted January 25, 2008 Hi, thanks for the help! Most of the issues seem to be fixed - no more re-direction of my web pages when I surf. The only issue left that I can see is the phony messages in the task bar on the bottom right of the screen. They are made to look like Windows alerts but they are fake. Anyway I can live with those as they appear to be a non-issue. I got the HiJack you mentioned and redid a log - let me know if you think I should do anything more. Thanks again.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:02:21 PM, on 1/24/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\CTHELPER.EXEC:\WINDOWS\system32\CTXFIHLP.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\WINDOWS\SYSTEM32\CTXFISPI.EXEC:\Program Files\FlashGet\flashget.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dllO2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXEO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /minO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: Logitech SetPoint.lnk = ?O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe--End of file - 6137 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted January 25, 2008 ID:12366 Share Posted January 25, 2008 You need to post the log from SmitFraud fix also. If your still getting the alert your still infected.Run HJT again and put a check next to these items below:O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dllO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundPress fix and exit HJT.Please post the SmitFraud log and a new HJT after reboot. Also please run another Panda scan and post that log. Link to post Share on other sites More sharing options...
Hastur Posted January 26, 2008 Author ID:12399 Share Posted January 26, 2008 Hi, ok I ran HiJack again and removed those lines. I could not remove the one linked to asycfilta.dll though. I did manage to remove the DLL by booting my Win XP bootable CD and using dos.Once I did this all the problems went away so I think it must have been linked to this DLL. Anywho all is well so thanks for your help. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:46:30 PM, on 1/26/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\wuauclt.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEC:\WINDOWS\CTHELPER.EXEC:\WINDOWS\system32\CTXFIHLP.EXEC:\WINDOWS\SYSTEM32\CTXFISPI.EXEC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\Program Files\FlashGet\flashget.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\Google\Google Updater\GoogleUpdater.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\NewsLeecher3\newsLeecher.exeC:\Program Files\NewsLeecher3\newsLeecher.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dllO2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXEO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /minO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exeO4 - Global Startup: Logitech SetPoint.lnk = ?O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe--End of file - 6009 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted January 28, 2008 ID:12479 Share Posted January 28, 2008 There is no way of knowing with what your posting if the system is actually clean. Yes that dll was part of the infection. You need to follow instructions. The Smitfraud log is essential. Another Panda log would be good also.O2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing) <====== remove that line with HJT. Link to post Share on other sites More sharing options...
Hastur Posted January 28, 2008 Author ID:12482 Share Posted January 28, 2008 O2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing) <====== remove that line with HJT. HiJack will not remove this line - I tried several times. I could not remove the DLL until I went into DOS mode with the boot CD. Maybe they go into use when windows boots or something. I tried using regedit and I could not remove the reference to the DLL either. SmitFraudFix v2.276Scan done at 10:27:02.59, Mon 01/28/2008Run from C:\Documents and Settings\Hastur\Desktop\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in normal mode Link to post Share on other sites More sharing options...
Hastur Posted January 28, 2008 Author ID:12486 Share Posted January 28, 2008 Panda Scan:Incident Status Location Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@adserver.easyad[2].txt Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@advancedcleaner[1].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@advertising[2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@atwola[1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@cgi-bin[1].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Hastur\Cookies\hastur@kinghost[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Hastur\Desktop\SmitfraudFix\Process.exe Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Hastur\Desktop\SmitfraudFix\Reboot.exe Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Hastur\Desktop\SmitfraudFix\restart.exe Virus:Generic Malware Not disinfected Personal Folders\Sent Items\Re: yo\embrace.rar[keygen.exe] Virus:Bck/Dumador.GM Disinfected C:\Program Files\HijackThis\backups\backup-20080125-231234-241.dll Virus:Bck/Dumador.GM Disinfected C:\Program Files\HijackThis\backups\backup-20080125-231359-451.dll Virus:Bck/Dumador.GM Disinfected C:\Program Files\HijackThis\backups\backup-20080126-000049-835.dll Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe Link to post Share on other sites More sharing options...
JeanInMontana Posted January 29, 2008 ID:12525 Share Posted January 29, 2008 You still have the key gen in sent folders Personal Folders\Sent Items\Re: yo\embrace.rar[keygen.exe] delete it please, and any other instances of it. Also uninstall the program it generates a key for. This is illegal and probably where you got infected.Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow">SDFix.exe * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum.Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please. Link to post Share on other sites More sharing options...
Hastur Posted January 30, 2008 Author ID:12552 Share Posted January 30, 2008 Ok here are the logs:SDFix: Version 1.133Run by Hastur on Wed 01/30/2008 at 01:34 AMMicrosoft Windows XP [Version 5.1.2600]Running From: C:\PROGRA~1\SDfix\SDFixSafe Mode:Checking Services: Restoring Windows Registry ValuesRestoring Windows Default Hosts FileRebooting...Normal Mode:Checking Files: No Trojan Files FoundRemoving Temp Files...ADS Check: Final Check:catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-01-30 01:38:46Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden services & system hive ...[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Auke66]"Type"=dword:00000001"Tag"=dword:00000002"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0""ErrorControl"=dword:00000001"Start"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Auke66]"Type"=dword:00000001"Tag"=dword:00000002"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0""ErrorControl"=dword:00000001"Start"=dword:00000000scanning hidden registry entries ...scanning hidden files ...C:\WINDOWS\system32\drivers\Auke66.sys 137728 bytes executablescan completed successfullyhidden processes: 0hidden services: 1hidden files: 1Remaining Services:------------------Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\Games\\EverQuest II\\LaunchPad.exe"="C:\\Games\\EverQuest II\\LaunchPad.exe:*:Enabled:LaunchPad""C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:FlashGet""C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger""C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook""C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1""C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)""C:\\Program Files\\Hydra\\HydraIRC.exe"="C:\\Program Files\\Hydra\\HydraIRC.exe:*:Enabled:HydraIRC""C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled: Link to post Share on other sites More sharing options...
Hastur Posted January 30, 2008 Author ID:12553 Share Posted January 30, 2008 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:17:45 AM, on 1/30/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\CTHELPER.EXEC:\WINDOWS\system32\CTXFIHLP.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEC:\Program Files\FlashGet\flashget.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\SYSTEM32\CTXFISPI.EXEC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXEC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dllO2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXEO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /minO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')O4 - Global Startup: Logitech SetPoint.lnk = ?O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe--End of file - 4755 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted January 31, 2008 ID:12570 Share Posted January 31, 2008 Hi Hastur, we have uncovered more malware. I'm getting advice from a MSMVP as to best next step. I will post soon with action plan. Link to post Share on other sites More sharing options...
Hastur Posted January 31, 2008 Author ID:12582 Share Posted January 31, 2008 Hi Hastur, we have uncovered more malware. I'm getting advice from a MSMVP as to best next step. I will post soon with action plan.Wow ok thanks. Link to post Share on other sites More sharing options...
JeanInMontana Posted January 31, 2008 ID:12610 Share Posted January 31, 2008 Your welcome. We have decided to use this tool next to go after the two hidden files.1. Download this file :http://download.bleepingcomputer.com/sUBs/combofix.exeOr from here:http://www.techsupportforum.com/sectools/combofix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
Hastur Posted February 1, 2008 Author ID:12629 Share Posted February 1, 2008 When I try that tool it has an error: C:\Program Files\SDfix\cfldr not in expected location - Inform sUBs now!!This is odd - not sure why it's referring to SDfix. Link to post Share on other sites More sharing options...
JeanInMontana Posted February 2, 2008 ID:12726 Share Posted February 2, 2008 It is a powerful diagnostic tool and sUBs is the author. Do you still have the SDfix on your system? If so delete it and all files on C:/ and try to run CF again. Link to post Share on other sites More sharing options...
Hastur Posted February 5, 2008 Author ID:12829 Share Posted February 5, 2008 It is a powerful diagnostic tool and sUBs is the author. Do you still have the SDfix on your system? If so delete it and all files on C:/ and try to run CF again.Hi I deleted everything and it gives the same error. I got Kaspersky Anti-Virus and it detected a couple of things and deleted them. My system was more stable after Kaspersky - Windows would crash 2-3 times a day at least. Now it hasn't crashed in 3 days at all.I am going to 'ghost' my drive now that things are stable and leave things as is. Thanks a lot for all of your help - it saved me wiping my drive!Cheers. Link to post Share on other sites More sharing options...
JeanInMontana Posted February 5, 2008 ID:12833 Share Posted February 5, 2008 Ummm there is nothing to show your machine is clean. You have not followed instructions, and there is a real good chance you still have malware. Link to post Share on other sites More sharing options...
Hastur Posted February 6, 2008 Author ID:12859 Share Posted February 6, 2008 Ummm there is nothing to show your machine is clean. You have not followed instructions, and there is a real good chance you still have malware.You're instructions were "Do you still have the SDfix on your system? If so delete it and all files on C:/ and try to run CF again."The first sentence in my reply was:"Hi I deleted everything and it gives the same error." Which instructions did I not follow? Link to post Share on other sites More sharing options...
Hastur Posted February 6, 2008 Author ID:12860 Share Posted February 6, 2008 This is what Kaspersky did:Detected--------Status Object------ ------deleted: Trojan program Trojan-Downloader.Win32.Agent.hkb File: C:\WINDOWS\system32\AppCert\WSIL32.0LLdeleted: Trojan program Rootkit.Win32.Agent.vt File: C:\WINDOWS\system32\drivers\Auke66.sysHJ log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:47:53 AM, on 2/6/2008Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3244)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\WINDOWS\CTHELPER.EXEC:\WINDOWS\system32\CTXFIHLP.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEC:\Program Files\FlashGet\flashget.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\WINDOWS\SYSTEM32\CTXFISPI.EXEC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXEC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dllO2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exeO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXEO4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXEO4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /minO4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - Global Startup: Logitech SetPoint.lnk = ?O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe--End of file - 5358 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted February 6, 2008 ID:12866 Share Posted February 6, 2008 You're instructions were "Do you still have the SDfix on your system? If so delete it and all files on C:/ and try to run CF again."The first sentence in my reply was:"Hi I deleted everything and it gives the same error." Which instructions did I not follow?Using Kapersky's with out giving feed back first and waiting for the next set of instructions is what I am talking about. That is a poorly written sentence by me. Thank goodness you didn't delete all files on C:/ . My apologies for that.These things mutate with every new attempt to remove. We take a certain approach to try and not let them know we are on to them. Goofy as that may sound that's how it's done. Yes Kapersky's got some stuff. Was it what SDFix found? We don't know. Probably not by the looks of it. Bad news you had/have a root kit. There is no sure way to know if it ever goes away with out reformat. Take action now to change all passwords, notify any financial institutions etc you have used the machine to do business. If the machine is networked all machines may have been compromised. We can try to get you clean, but again, no way will we ever be sure you are not still rooted. The best course is really to back up what is most important and do a clean reformat. Don't ghost this drive. If you want to proceed we can.Delete these lines using HJTO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {F7973DF6-1D2D-4FB4-A3F2-D9326DD66947} - C:\WINDOWS\system32\asycfilta.dll (file missing)O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundReboot and get MBAM from the link in the pre-HJT post instructions at the top of this page. Please be sure to update then scan with it let it repost anything it finds and post that log and a new HJT.If you wan to try and clean it. If not just go for backing up and reformat. I really recommend this as your best choice. Link to post Share on other sites More sharing options...
Hastur Posted February 6, 2008 Author ID:12869 Share Posted February 6, 2008 >>> These things mutate with every new attempt to remove. We take a certain approach to try and not let them know we are on to them. Ah that's clever - that didn't occur to me. ;-)Ok I guess I will have to wipe the drive. I am not familiar with rootkits - would they allow outside users to get access to my system? Would it bypass the firewall in my router? Link to post Share on other sites More sharing options...
JeanInMontana Posted February 6, 2008 ID:12878 Share Posted February 6, 2008 >>> These things mutate with every new attempt to remove. We take a certain approach to try and not let them know we are on to them. Ah that's clever - that didn't occur to me. ;-)Ok I guess I will have to wipe the drive. I am not familiar with rootkits - would they allow outside users to get access to my system? Would it bypass the firewall in my router?Yes rootkits allow outside access to your system, that is why I warned you about passwords and any sensitive data that may have been stored or accessed. Yes it bypassed your router firewall. You wouldn't have it otherwise. Router firewalls don't alert you to anything "calling home" from your machine. I use a third party firewall also. This way I know what is accessing the web from my machine. There other preventative measures that are not apparent on your machine also. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsFor an excellent list of reliable free firewalls and antivirus programs see here Link to post Share on other sites More sharing options...
Recommended Posts