glogglog
2006-03-07, 05:28
Hi guys. I just got back from my friend's house and his computer is totally messed up.
For 3-4 days I've been trying to find what's wrong with it, and the same problem is always there. First there was VCC client, but it seems to be gone.
There seems to be look2me stuff and some trojans or worms too, but I ain't sure. There is always that tox.bihsecurity or irc.bihsecurity popping up and asking me to connect to the internet at startup; sometimes the comp is slowing down and sometimes there's a wave of massive popups.
I can now run Spybot and Ad-Aware (I couldn't 2-3 days ago), but I can't go into regedit, I can't run Panda or Trend Micro, and I can't run a NOD32 scan nor HijackThis.
I did figure out, however, that Spybot was able to do what HijackThis does, and here's the log:
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-03 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-03 Includes\Cookies.sbi
2006-03-03 Includes\Dialer.sbi
2006-03-03 Includes\Hijackers.sbi
2006-03-03 Includes\Keyloggers.sbi
2006-03-03 Includes\Malware.sbi
2006-03-03 Includes\PUPS.sbi
2006-03-03 Includes\Revision.sbi
2006-03-03 Includes\Security.sbi
2006-03-03 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-03-03 Includes\Trojans.sbi
Located: HK_LM:Run, AdobeReader
command: msni.exe
file: C:\WINDOWS\system32\msni.exe
size: 90624
MD5: 75690fb6b0fe3d2ea7406b71bfb9321f
Located: HK_LM:Run, AdobeReaderPro
command: svxhost.exe
file:
Located: HK_LM:Run, AdobeReaderPros
command: sysmsn.exe
file: C:\WINDOWS\system32\sysmsn.exe
size: 93184
MD5: 5f6c8c40c21588eb4b90521d9b5658a0
Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 86ac1442724f36f77ce400b5c7b0df92
Located: HK_LM:Run, Compaq Service Drivers
command: sxrose.exe
file: C:\WINDOWS\sxrose.exe
size: 183808
MD5: d8687c10a680b9bd953ee879fcc6b211
Located: HK_LM:Run, E-nrgyPlus
command: C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
file: C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
size: 43272
MD5: dcf55340e6a6b455d1ea03bd4fa3ed8f
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 274432
MD5: e9766c6a4fd03c23607b064d0f5dcf3e
Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 30208
MD5: aeed3f03a5869d0774bf8c75be4ba7a0
Located: HK_LM:Run, keyboard
command: C:\\keyboard.exe
file:
Located: HK_LM:Run, Microsoft Incroporate
command: mfs.exe
file: C:\WINDOWS\system32\mfs.exe
size: 90371
MD5: ffd351e80c24c4856556e9de198def66
Located: HK_LM:Run, Microsoft Machine Script
command: iexplorersis.exe
file:
Located: HK_LM:Run, Microsoft Spng
command: stfnplug.exe
file:
Located: HK_LM:Run, Microsoft Update
command: wuamkop.exe
file: C:\WINDOWS\system32\wuamkop.exe
size: 249344
MD5: 96081f4b97efc9e4b084850f1f26a893
Located: HK_LM:Run, mousepad
command: C:\\mousepad.exe
file:
Located: HK_LM:Run, ms036489891182
command: C:\WINDOWS\ms036489891182.exe
file: C:\WINDOWS\ms036489891182.exe
size: 135168
MD5: 73dc1b46c65d717084069461627e9e46
Located: HK_LM:Run, ms044898911826
command: C:\WINDOWS\ms044898911826.exe
file:
Located: HK_LM:Run, NeroCheck
command: C:\WINDOWS\System32\\NeroCheck.exe
file: C:\WINDOWS\System32\\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
Located: HK_LM:Run, nod32kui
command: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Program Files\Eset\nod32kui.exe
size: 917504
MD5: 79bc2731c22df0a02f8cb9a79dd208e1
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: 3e7d91f24d28c968b92c85c7e2882eed
Located: HK_LM:Run, SECRETSERVICE
command: C:\WINDOWS\System32\Ghost.exe
file:
Located: HK_LM:Run, sys022648989118
command: C:\WINDOWS\sys022648989118.exe
file: C:\WINDOWS\sys022648989118.exe
size: 135168
MD5: 73dc1b46c65d717084069461627e9e46
Located: HK_LM:Run, sys036489891182
command: C:\WINDOWS\sys036489891182.exe
file: C:\WINDOWS\sys036489891182.exe
size: 135168
MD5: 73dc1b46c65d717084069461627e9e46
Located: HK_LM:Run, TheMonitor
command: C:\WINDOWS\SYSC00.exe
file: C:\WINDOWS\SYSC00.exe
size: 98304
MD5: dda0e48b94a163ab6ce6fc0705b27f2c
Located: HK_LM:Run, win32078911826489
command: C:\WINDOWS\win32078911826489.exe
file:
Located: HK_LM:Run, WinampAgent
command: C:\Program Files\Winamp\winampa.exe
file: C:\Program Files\Winamp\winampa.exe
size: 33792
MD5: 11aa6662a1be30375afd1a8407811e7e
Located: HK_LM:Run, Windows pad
command: qpad.exe
file:
Located: HK_LM:Run, Windows Update
command: iexproler.exe
file: C:\WINDOWS\system32\iexproler.exe
size: 83499
MD5: 103b1fb8cec4c09122c14ab676e98032
Located: HK_LM:Run, Winsock2 driver
command: SAXVFMVXD.EXE
file: C:\WINDOWS\system32\SAXVFMVXD.EXE
size: 31744
MD5: 7a01a77fea58c3d7dacc4871a2a9fc9a
Located: HK_LM:Run, YeppStudioAgent
command: C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
file:
Located: HK_LM:RunServices, AdobeReader
command: msni.exe
file: C:\WINDOWS\system32\msni.exe
size: 90624
MD5: 75690fb6b0fe3d2ea7406b71bfb9321f
Located: HK_LM:RunServices, AdobeReaderPro
command: svxhost.exe
file:
Located: HK_LM:RunServices, AdobeReaderPros
command: sysmsn.exe
file: C:\WINDOWS\system32\sysmsn.exe
size: 93184
MD5: 5f6c8c40c21588eb4b90521d9b5658a0
Located: HK_LM:RunServices, Compaq Service Drivers
command: sxrose.exe
file: C:\WINDOWS\sxrose.exe
size: 183808
MD5: d8687c10a680b9bd953ee879fcc6b211
Located: HK_LM:RunServices, Microsoft Incroporate
command: mfs.exe
file: C:\WINDOWS\system32\mfs.exe
size: 90371
MD5: ffd351e80c24c4856556e9de198def66
Located: HK_LM:RunServices, Microsoft Machine Script
command: iexplorersis.exe
file:
Located: HK_LM:RunServices, Microsoft Spng
command: stfnplug.exe
file:
Located: HK_LM:RunServices, Microsoft Update
command: wuamkop.exe
file: C:\WINDOWS\system32\wuamkop.exe
size: 249344
MD5: 96081f4b97efc9e4b084850f1f26a893
Located: HK_LM:RunServices, Windows pad
command: qpad.exe
file:
Located: HK_LM:RunServices, Windows Update
command: iexproler.exe
file: C:\WINDOWS\system32\iexproler.exe
size: 83499
MD5: 103b1fb8cec4c09122c14ab676e98032
Located: HK_CU:Run, AIM
command: C:\Program Files\AIM\aim.exe -cnetwait.odl
file:
Located: HK_CU:Run, Compaq Service Drivers
command: sxrose.exe
file: C:\WINDOWS\sxrose.exe
size: 183808
MD5: d8687c10a680b9bd953ee879fcc6b211
Located: HK_CU:Run, CTFMON.EXE
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: f95275cf5e7c30cea58b0b1b7b40210f
Located: HK_CU:Run, irssyncd
command: C:\WINDOWS\System32\irssyncd.exe
file:
Located: HK_CU:Run, Microsoft Spng
command: stfnplug.exe
file:
Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1077277
MD5: 10a98fa310d1b6664f999378efd031ba
Located: HK_CU:Run, msnmsgr
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 7094272
MD5: b83e12b5341c5dcecc5c217a824ffeb1
Located: HK_CU:Run, services32
command: C:\Program Files\Fichiers communs\Windows\mc-110-12-0000228.exe
file:
Located: HK_CU:Run, Shell
command: "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00001.exe"
file:
Located: HK_CU:Run, taskdir
command: C:\WINDOWS\System32\taskdir.exe
file: C:\WINDOWS\System32\taskdir.exe
size: 47136
MD5: 3c3317f0c6941fe0b4d56046d39d92a1
Located: HK_CU:Run, Windows pad
command: qpad.exe
file:
Located: HK_CU:Run, Windows Update
command: iexproler.exe
file: C:\WINDOWS\system32\iexproler.exe
size: 83499
MD5: 103b1fb8cec4c09122c14ab676e98032
Located: HK_CU:RunServices, Compaq Service Drivers
command: sxrose.exe
file: C:\WINDOWS\sxrose.exe
size: 183808
MD5: d8687c10a680b9bd953ee879fcc6b211
Located: HK_CU:RunServices, Microsoft Spng
command: stfnplug.exe
file:
Located: HK_CU:RunServices, Windows pad
command: qpad.exe
file:
Located: HK_CU:RunServices, Windows Update
command: iexproler.exe
file: C:\WINDOWS\system32\iexproler.exe
size: 83499
MD5: 103b1fb8cec4c09122c14ab676e98032
Located: HK_CU:RunOnce, Winsock2 driver
command: SAXVFMVXD.EXE
file: C:\WINDOWS\system32\SAXVFMVXD.EXE
size: 31744
MD5: 7a01a77fea58c3d7dacc4871a2a9fc9a
Located: WinLogon, RunOnce
command: C:\WINDOWS\system32\dn4s01h7e.dll
file: C:\WINDOWS\system32\dn4s01h7e.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???