 |  |  |  |  |  |  |  |
MSN virus--need help
Thread Solved |
•
•
•
•
Originally Posted by gerbil 
Imran, you should run a good AntiSpyware to fix those things; try this, clean and then scan
lol this used to be my brother's laptop before. my names aneesah)anyways, heres the log file from the AVG scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:46:39 PM 9/20/2007
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-507921405-1935655697-682003330-1001\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP0\A0000002.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP0\A0000012.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP2\A0006011.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Backdoor.Bulknet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\secdrv.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP1\A0001013.sys -> Rootkit.Agent.dw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ws2_32.dll:fork2 -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wsys.dll -> Trojan.Pakes : Cleaned with backup (quarantined).
[516] C:\WINDOWS\System32\shell.dll -> Trojan.Pakes : Cleaned with backup (quarantined).
::Report end
And heres the loge file from Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:02 PM, on 9/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {46E17A50-CEFA-42A8-A2BF-ABEE91E5339A} - c:\windows\system32\huxyqjds.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Image Helper - {646782DF-07D9-5816-C17D-32459D631863} - C:\WINDOWS\system\bpmdm32.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cole2k Media Toolbar Helper - {C672F4AB-780B-45C0-BAEC-91F455C86F8D} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O2 - BHO: (no name) - {E1E7FE6D-3D02-445E-8D99-8B61AF609A4C} - c:\windows\system32\iplaipl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Cole2k Media Toolbar - {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MicrosoftService] service.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 6402 bytes
•
•
Join Date: May 2005
Posts: 3,204
Reputation: 
Solved Threads: 188
Hello, Aneesah.. 
..you must have been waiting. You can see from the AVG log that you had both a backdoor trojan and another trojan, plus a rootkit agent - theyhave been placed in quarantine. Delete all those quarantined entries in AVG AS.
Some more work:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Next, run one of these two rootkit scans, both if you wish... and post any positive results. Do not use your computer while it scans.
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sys...tRevealer.mspx -read that page, dl the file at foot, start it and Scan.
As an interim measure follow with this:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {46E17A50-CEFA-42A8-A2BF-ABEE91E5339A} - c:\windows\system32\huxyqjds.dll (file missing)
O2 - BHO: Image Helper - {646782DF-07D9-5816-C17D-32459D631863} - C:\WINDOWS\system\bpmdm32.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Cole2k Media Toolbar Helper - {C672F4AB-780B-45C0-BAEC-91F455C86F8D} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O2 - BHO: (no name) - {E1E7FE6D-3D02-445E-8D99-8B61AF609A4C} - c:\windows\system32\iplaipl.dll
O3 - Toolbar: Cole2k Media Toolbar - {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MicrosoftService] service.exe
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
Delete this file:
C:\WINDOWS\System32\service.exe
Post the contents of C:\vundofix.txt, the rootkit scan results plus a new HijackThis log.
..you must have been waiting. You can see from the AVG log that you had both a backdoor trojan and another trojan, plus a rootkit agent - theyhave been placed in quarantine. Delete all those quarantined entries in AVG AS.
Some more work:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Next, run one of these two rootkit scans, both if you wish... and post any positive results. Do not use your computer while it scans.
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==RKR from http://www.microsoft.com/technet/sys...tRevealer.mspx -read that page, dl the file at foot, start it and Scan.
As an interim measure follow with this:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {46E17A50-CEFA-42A8-A2BF-ABEE91E5339A} - c:\windows\system32\huxyqjds.dll (file missing)
O2 - BHO: Image Helper - {646782DF-07D9-5816-C17D-32459D631863} - C:\WINDOWS\system\bpmdm32.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Cole2k Media Toolbar Helper - {C672F4AB-780B-45C0-BAEC-91F455C86F8D} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O2 - BHO: (no name) - {E1E7FE6D-3D02-445E-8D99-8B61AF609A4C} - c:\windows\system32\iplaipl.dll
O3 - Toolbar: Cole2k Media Toolbar - {2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MicrosoftService] service.exe
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
Delete this file:
C:\WINDOWS\System32\service.exe
Post the contents of C:\vundofix.txt, the rootkit scan results plus a new HijackThis log.
Last edited by gerbil; Sep 21st, 2007 at 1:00 am.
Deep, deep in the woods, but walking about.
okay
heres the vundofix log:
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 10:03:04 AM 9/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
the rootkit log:
09/21/07 10:31:38 [Info]: BlackLight Engine 1.0.64 initialized
09/21/07 10:31:38 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/21/07 10:31:39 [Note]: 7019 4
09/21/07 10:31:39 [Note]: 7005 0
09/21/07 10:31:43 [Note]: 7006 0
09/21/07 10:31:43 [Note]: 7011 1412
09/21/07 10:31:43 [Note]: 7026 0
09/21/07 10:31:43 [Note]: 7026 0
09/21/07 10:31:43 [Note]: 7024 3
09/21/07 10:31:43 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
09/21/07 10:31:55 [Note]: FSRAW library version 1.7.1022
09/21/07 10:33:58 [Info]: Hidden file: c:\WINDOWS\system32\drivers\runtime2.sys
09/21/07 10:33:58 [Note]: 10002 1
09/21/07 10:35:36 [Note]: 7007 0
and finally, the hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:43 AM, on 9/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5856 bytes
heres the vundofix log:
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 10:03:04 AM 9/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
the rootkit log:
09/21/07 10:31:38 [Info]: BlackLight Engine 1.0.64 initialized
09/21/07 10:31:38 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/21/07 10:31:39 [Note]: 7019 4
09/21/07 10:31:39 [Note]: 7005 0
09/21/07 10:31:43 [Note]: 7006 0
09/21/07 10:31:43 [Note]: 7011 1412
09/21/07 10:31:43 [Note]: 7026 0
09/21/07 10:31:43 [Note]: 7026 0
09/21/07 10:31:43 [Note]: 7024 3
09/21/07 10:31:43 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
09/21/07 10:31:55 [Note]: FSRAW library version 1.7.1022
09/21/07 10:33:58 [Info]: Hidden file: c:\WINDOWS\system32\drivers\runtime2.sys
09/21/07 10:33:58 [Note]: 10002 1
09/21/07 10:35:36 [Note]: 7007 0
and finally, the hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:43 AM, on 9/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5856 bytes
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Congratulations, Aneesah, you have a rootkit: c:\WINDOWS\system32\drivers\runtime2.sys, but we can fix that now we know it is there.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00
[-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2]
[-HKLM\SYSTEM\CurrentControlSet\Services\runtime2]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv" = -
__________________________________________________________
==Fix these two with hijackthis:
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Paste this pathname into the textbox Full Path of File to Delete:
C:\WINDOWS\SYSTEM32\iplaipl.dll
Select "Delete on reboot", "Unregister dll before deleting", click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service Windows Network Service Monitor, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
I am not sure why your internet explorer executable is shown as hidden by the rootkit scan.. please do this: Go Start, run, type cmd -press Enter. Paste into the black command window this next line and press Enter, close the window:
attrib -s -r -h "C:\Program Files\Internet Explorer\iexplore.exe"
Run CCleaner and then update AVG AS and scan again.
Good-oh, please post the combofix report, AVG AS log and a fresh hijackthis log.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00
[-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2]
[-HKLM\SYSTEM\CurrentControlSet\Services\runtime2]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv" = -
__________________________________________________________
==Fix these two with hijackthis:
O20 - Winlogon Notify: wzatyvah - C:\WINDOWS\SYSTEM32\iplaipl.dll
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe (file missing)
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
Paste this pathname into the textbox Full Path of File to Delete:
C:\WINDOWS\SYSTEM32\iplaipl.dll
Select "Delete on reboot", "Unregister dll before deleting", click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service Windows Network Service Monitor, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....
I am not sure why your internet explorer executable is shown as hidden by the rootkit scan.. please do this: Go Start, run, type cmd -press Enter. Paste into the black command window this next line and press Enter, close the window:
attrib -s -r -h "C:\Program Files\Internet Explorer\iexplore.exe"
Run CCleaner and then update AVG AS and scan again.
Good-oh, please post the combofix report, AVG AS log and a fresh hijackthis log.
Last edited by gerbil; Sep 22nd, 2007 at 5:19 am.
Deep, deep in the woods, but walking about.
arrite, heres the combofix report:
ComboFix 07-09-21.2 - "Imran" 2007-09-22 13:10:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.51 [GMT -4:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\myglobalsearch
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\drivers\neoggqgg.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\iplaipl.dll
C:\WINDOWS\system32\iplaipl.dll.bak
C:\WINDOWS\system32\service.exe
Infected copy of C:\WINDOWS\system32\winlogon.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_EXAMPLE
-------\LEGACY_HEUNUALX
-------\LEGACY_KRTCDCJL
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\heunualx
-------\krtcdcjl
-------\Runtime
((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.
2007-09-22 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-21 10:03 <DIR> d-------- C:\VundoFix Backups
2007-09-20 21:57 <DIR> d-------- C:\hijackthis
2007-09-20 21:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-20 21:10 <DIR> d-------- C:\Program Files\CCleaner
2007-09-18 14:51 41,080 -r-hs---- C:\WINDOWS\wksvr.exe
2007-09-17 00:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-16 22:26 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-16 22:24 <DIR> d-------- C:\DOCUME~1\Imran\.housecall6.6
2007-08-27 14:44 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 11:48 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\U3
2007-09-17 00:02 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-20 16:50 --------- d-------- C:\Program Files\LimeWire
2007-08-18 20:26 --------- d-------- C:\Program Files\AvantDVDPlayer
2007-08-16 12:57 98304 --a------ C:\WINDOWS\system32\oofdnztj.dll
2007-08-16 12:57 43520 --a------ C:\WINDOWS\system32\ypmgewoo.dll
2007-08-15 14:16 41984 --a------ C:\WINDOWS\system32\gjkqkyee.dll
2007-08-15 14:16 122368 --a------ C:\WINDOWS\system32\awxddbui.dll
2007-08-07 13:37 751616 --a------ C:\WINDOWS\system32\ekuwrsoz.dll
2007-08-06 15:11 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\DivX
2007-08-01 10:28 --------- d-------- C:\Program Files\Symantec
2007-08-01 10:27 --------- d-------- C:\Program Files\SymNetDrv
2007-08-01 10:27 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-01 10:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-01 10:10 4096 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-07-30 13:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-07-29 16:23 --------- d-------- C:\Program Files\Windows Live
2007-07-29 16:23 --------- d-------- C:\Program Files\MSN Messenger
2007-07-29 16:23 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-29 13:09 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\Help
2007-07-28 23:18 --------- d-------- C:\Program Files\Rogers
2007-07-28 23:11 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-28 23:11 165888 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-28 23:11 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-28 22:52 33 --a------ C:\Program Files\Yahoo!
2007-07-28 22:51 --------- d-------- C:\Program Files\Rogers Client CD
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}"= C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll [ ]
[HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 18:26]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 18:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-01 10:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-07-05 14:53]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-07-05 14:53]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]
C:\WINDOWS\System32\mqxiaaaa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
S2 nsmss;Windows Network Service Monitor;C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe
S3 CHXPRTU;CHXPRTU;C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe
S3 PJ;PJ;C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe
*Newly Created Service* - KRTCDCJL
.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 01:54:05 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Imran.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-09-22 17:15:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 13:15:56
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-22 13:23:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-22 13:23
.
--- E O F ---
the AVG AS log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:12:03 PM 9/22/2007
+ Scan result:
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir -> Downloader.Agent.acl : No action taken.
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP9\A0018019.sys -> Rootkit.Agent.ey : No action taken.
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir -> Rootkit.Agent.ey : No action taken.
::Report end
and finally, the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:04 PM, on 9/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Imran\My Documents\Aneesah\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5969 bytes
ComboFix 07-09-21.2 - "Imran" 2007-09-22 13:10:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.51 [GMT -4:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\myglobalsearch
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\drivers\neoggqgg.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\secdrv.sys
C:\WINDOWS\system32\iplaipl.dll
C:\WINDOWS\system32\iplaipl.dll.bak
C:\WINDOWS\system32\service.exe
Infected copy of C:\WINDOWS\system32\winlogon.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_EXAMPLE
-------\LEGACY_HEUNUALX
-------\LEGACY_KRTCDCJL
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\heunualx
-------\krtcdcjl
-------\Runtime
((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.
2007-09-22 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-21 10:03 <DIR> d-------- C:\VundoFix Backups
2007-09-20 21:57 <DIR> d-------- C:\hijackthis
2007-09-20 21:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-20 21:10 <DIR> d-------- C:\Program Files\CCleaner
2007-09-18 14:51 41,080 -r-hs---- C:\WINDOWS\wksvr.exe
2007-09-17 00:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-16 22:26 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-16 22:24 <DIR> d-------- C:\DOCUME~1\Imran\.housecall6.6
2007-08-27 14:44 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 11:48 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\U3
2007-09-17 00:02 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-20 16:50 --------- d-------- C:\Program Files\LimeWire
2007-08-18 20:26 --------- d-------- C:\Program Files\AvantDVDPlayer
2007-08-16 12:57 98304 --a------ C:\WINDOWS\system32\oofdnztj.dll
2007-08-16 12:57 43520 --a------ C:\WINDOWS\system32\ypmgewoo.dll
2007-08-15 14:16 41984 --a------ C:\WINDOWS\system32\gjkqkyee.dll
2007-08-15 14:16 122368 --a------ C:\WINDOWS\system32\awxddbui.dll
2007-08-07 13:37 751616 --a------ C:\WINDOWS\system32\ekuwrsoz.dll
2007-08-06 15:11 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\DivX
2007-08-01 10:28 --------- d-------- C:\Program Files\Symantec
2007-08-01 10:27 --------- d-------- C:\Program Files\SymNetDrv
2007-08-01 10:27 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-01 10:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-01 10:10 4096 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-07-30 13:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-07-29 16:23 --------- d-------- C:\Program Files\Windows Live
2007-07-29 16:23 --------- d-------- C:\Program Files\MSN Messenger
2007-07-29 16:23 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-29 13:09 --------- d-------- C:\DOCUME~1\Imran\APPLIC~1\Help
2007-07-28 23:18 --------- d-------- C:\Program Files\Rogers
2007-07-28 23:11 684567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-28 23:11 165888 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-28 23:11 147729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-07-28 22:52 33 --a------ C:\Program Files\Yahoo!
2007-07-28 22:51 --------- d-------- C:\Program Files\Rogers Client CD
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}"= C:\Program Files\Cole2k Media Toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll [ ]
[HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-05-29 18:26]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-05-29 18:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-01 10:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-07-05 14:53]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-07-05 14:53]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]
C:\WINDOWS\System32\mqxiaaaa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
S2 nsmss;Windows Network Service Monitor;C:\DOCUME~1\Imran\LOCALS~1\Temp\84.exe
S3 CHXPRTU;CHXPRTU;C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe
S3 PJ;PJ;C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe
*Newly Created Service* - KRTCDCJL
.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 01:54:05 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Imran.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2007-09-22 17:15:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 13:15:56
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-22 13:23:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-22 13:23
.
--- E O F ---
the AVG AS log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:12:03 PM 9/22/2007
+ Scan result:
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir -> Downloader.Agent.acl : No action taken.
C:\System Volume Information\_restore{BFD89561-5EB5-4E0A-93D8-F77D4C2C4ACB}\RP9\A0018019.sys -> Rootkit.Agent.ey : No action taken.
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir -> Rootkit.Agent.ey : No action taken.
::Report end
and finally, the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:04 PM, on 9/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Imran\My Documents\Aneesah\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5969 bytes
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Oh dear...
Please delete the directory C:\qoobox and its contents.
Inside AVG AS remove all quarantined objects.
Let's stop these two services and remove them using same procedure as before:
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific services CHXPRTU and PJ - in each case rclick them, select properties. Write down the exact Service Names. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now.... and repeat for the other service name.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]
__________________________________________________________
Start Killbox [note the different pathname loading method this time for multiple filenames],
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-
C:\WINDOWS\wksvr.exe
C:\WINDOWS\system32\ypmgewoo.dll
C:\WINDOWS\system32\gjkqkyee.dll
C:\WINDOWS\system32\awxddbui.dll
C:\WINDOWS\system32\ekuwrsoz.dll
C:\WINDOWS\System32\mqxiaaaa.exe
C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe
C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe
>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting"if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
Earlier I got you to clear your system restore points, the idea was to get rid of one reported source of reinfection....of course your sys was still infected with a rootkit which was discoverd afterward so your new restore point is also infected [an infected point is better than none at all if we break things]...anyway, please go through that restore point clearance procedure again:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean? restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
Now for a different scan... please clean first with CCleaner, then:
==use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus a fresh hijackthis log. Love to know how things feel, also...
Please delete the directory C:\qoobox and its contents.
Inside AVG AS remove all quarantined objects.
Let's stop these two services and remove them using same procedure as before:
O23 - Service: CHXPRTU - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe (file missing)
O23 - Service: PJ - Unknown owner - C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe (file missing)
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific services CHXPRTU and PJ - in each case rclick them, select properties. Write down the exact Service Names. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now.... and repeat for the other service name.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{2D2DE234-AB9F-4345-9D17-94FA78BA37E3}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mqxiaaaa]
__________________________________________________________
Start Killbox [note the different pathname loading method this time for multiple filenames],
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-
C:\WINDOWS\wksvr.exe
C:\WINDOWS\system32\ypmgewoo.dll
C:\WINDOWS\system32\gjkqkyee.dll
C:\WINDOWS\system32\awxddbui.dll
C:\WINDOWS\system32\ekuwrsoz.dll
C:\WINDOWS\System32\mqxiaaaa.exe
C:\DOCUME~1\Imran\LOCALS~1\Temp\CHXPRTU.exe
C:\DOCUME~1\Imran\LOCALS~1\Temp\PJ.exe
>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting"if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
Earlier I got you to clear your system restore points, the idea was to get rid of one reported source of reinfection....of course your sys was still infected with a rootkit which was discoverd afterward so your new restore point is also infected [an infected point is better than none at all if we break things]...anyway, please go through that restore point clearance procedure again:
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean? restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
Now for a different scan... please clean first with CCleaner, then:
==use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here plus a fresh hijackthis log. Love to know how things feel, also...
Last edited by gerbil; Sep 23rd, 2007 at 10:56 am.
Deep, deep in the woods, but walking about.
wow, okay..
heres the activescan log:
Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Imran\Cookies\imran@atdmt[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Imran\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/Agent.GLO Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir
Virus:Trj/Downloader.MDW Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir
Virus:Trj/Agent.GNN Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\service.exe.vir
Virus:Trj/Patchlog.A Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
and a new Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:22 PM, on 9/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Imran\My Documents\Aneesah\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5918 bytes
heres the activescan log:
Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Imran\Cookies\imran@atdmt[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Imran\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/Agent.GLO Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir
Virus:Trj/Downloader.MDW Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\drivers\secdrv.sys.vir
Virus:Trj/Agent.GNN Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\service.exe.vir
Virus:Trj/Patchlog.A Disinfected C:\RECYCLER\S-1-5-21-507921405-1935655697-682003330-1001\Dc3\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
and a new Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:22 PM, on 9/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Imran\My Documents\Aneesah\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138995005000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 5918 bytes
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Hello, Aneesah, looks like we got there!! You are looking clean to go.
Please keep in mind that you were infected by a backdoor trojan that may have allowed someone access to you computer.. whether they did or not is unknown.. I suggest you change passwords, esp if you use inet banking... email also....
One last thing to complete the job - Empty your recycle bin please.
Because you are clean now is the time to get SP2... it's a big dl [get the IT professional file from M$ and install yourself, don't follow the update auto installation path]. Or borrow a CD from a friend of the same type as your installation but which has SP2 on it .. eg OEM, or full retail version.
You must do it, cos without it you are a sitting duck. When you have it, or even now, get Spywareblaster... it's free. Delete combofix, vundofix, keep AVG AS... CCleaner.
Cheers.
Please keep in mind that you were infected by a backdoor trojan that may have allowed someone access to you computer.. whether they did or not is unknown.. I suggest you change passwords, esp if you use inet banking... email also....
One last thing to complete the job - Empty your recycle bin please.
Because you are clean now is the time to get SP2... it's a big dl [get the IT professional file from M$ and install yourself, don't follow the update auto installation path]. Or borrow a CD from a friend of the same type as your installation but which has SP2 on it .. eg OEM, or full retail version.
You must do it, cos without it you are a sitting duck. When you have it, or even now, get Spywareblaster... it's free. Delete combofix, vundofix, keep AVG AS... CCleaner.
Cheers.
Last edited by gerbil; Sep 23rd, 2007 at 11:06 pm.
Deep, deep in the woods, but walking about.
 |
Similar Threads
- MSN Virus? (Viruses, Spyware and other Nasties)
- Msn 'virus' or hacker! HJT log > scary and big (Viruses, Spyware and other Nasties)
- isass virus (Viruses, Spyware and other Nasties)
- 100% CPU Usage - No Virus, No gaming (Windows NT / 2000 / XP)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Blank save password box
- Next Thread: help with my computer files
Views: 4570 | Replies: 28
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china combofix commercial conficker control cybercrime cyberwarfare ddos education email europe exam exploit explorer facebook fake fancheckvirus firefox gtaiv halloween herss.exe hijack hosting ie8 internet iphone links logfiles malware mcafee microsoft mobile msn nazi news norton obama onlinethreats paedophile panel parents patch pc pdf policeprovirusmba-mblockedinternetaccess president privacy pro redirect redirecting report research rogueantivirus rootkit samhain sans scareware search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans symantec system teen threat translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista vulnerability war warning windows worm yahoo zero-day zeroday
