
Thread: unknown malware

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default unknown malware

    Hi all

    I have been very careful all year with the security of my two pcs. Four days ago I downloaded a torrent using bitcomet and inside the zipped download, along with the expected files there was a file called "setup.exe". Stupidly, I executed the file. I don't know why I did! :( Since then I have been getting advertising popups, and the pc has been running slower. I think the malware has found its way into my other pc over the network as well as I got a pop up on it too. Neither Adaware, Spybot, Webroot Spy Sweeper or Trend Micro (online) can pick anything up. I still have the file - I submitted it to Adaware for analysis. Would it be of any use to attach this file to the post?

    Please inform me if there is anything inappropriate about the way I have posted this thread.

    I would so appreciate any help. Thank you all



    Here is the log from HijackThis:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:58:16 PM, on 3/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\mgabg.exe
    C:\Program Files\virus\Eset\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\virus\Eset\nod32kui.exe
    C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
    C:\WINDOWS\system32\PDesk\PDesk.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\image\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\spyware\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\image\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
    C:\Program Files\image\IrfanView\i_view32.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\spyware\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\MISC\WINZIP\winzip32.exe
    B:\downloads\apps\virus and spyware\Hijack this\HijackThis v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\image\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\net\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\virus\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\image\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200512323750_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200512323750_mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\image\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\net\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\net\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\docs\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\docs\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1114619398625
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Unknown owner - C:\WINDOWS\system32\AvidSDMService.exe (file missing)
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\sound\iPod\bin\iPodService.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\virus\Eset\nod32krn.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\spyware\Webroot\Spy Sweeper\WRSSSDK.exe

  2. #2
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Here is the hijackthis log for PC#2 (the other pc which I think may be affected):

    Logfile of HijackThis v1.99.1
    Scan saved at 12:33:36 AM, on 4/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\AvidSDMService.exe
    C:\WINDOWS\system32\mgabg.exe
    C:\Program Files\virus\nod32\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ltmsg.exe
    C:\WINDOWS\system32\PDesk\PDesk.exe
    C:\Program Files\virus\nod32\nod32kui.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\image\adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\misc\D-Link\DGE-530T\dlnetst.exe
    B:\downloads\apps\virus and spyware\Hijack this\HijackThis v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\image\adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\spyware\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\net\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\virus\nod32\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [WpsRePsw] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\image\adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DLink Control Panel Silent] rundll32 dlnetcp.cpl,SilentCall
    O4 - HKLM\..\Run: [DLink System Tray] C:\Program Files\misc\D-Link\DGE-530T\dlnetst.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\image\adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\net\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\net\FlashGet\jc_link.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\words\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117985940140
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\virus\nod32\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi
    Can you zip up and send setup.exe to me?
    Send to lonnyATsubratam.org
    Replace AT with @ and include a link back to this thread.

    Post a Silent Runners log from the first PC.
    Download and run Silentrunners.Vbs and post the log it creates, please:
    http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
    Wait until there is an "All Done" message!! Then open and post the log next to it.
    Your antivirus script protection might interfere or alert; please allow it to run, and after a bit a box will say done.

  4. #4
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default silent runners log

    Here is the silent runners log for PC#1 attached as a text file.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi, thanks

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe
    Save it to your desktop but do NOT run it yet.
    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

  7. #7
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Hi, here is the entire Aproposfix log followed by the hijackthis log:


    Log of AproposFix v1

    ************

    Running from directory:
    C:\Documents and Settings\Administrator\Desktop\aproposfix

    ************

    Registry entries found:


    ************

    No service found!

    Removing hidden folder:
    No folder found!

    Deleting files:


    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4


    Done!

    Finished!
    Logfile of HijackThis v1.99.1
    Scan saved at 2:05:27 AM, on 5/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\mgabg.exe
    C:\Program Files\virus\Eset\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\spyware\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\virus\Eset\nod32kui.exe
    C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
    C:\WINDOWS\system32\PDesk\PDesk.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\image\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\misc\ZoneAlarm\zlclient.exe
    C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\image\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    B:\downloads\apps\virus and spyware\Hijack this\HijackThis v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\image\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\spyware\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\net\FlashGet\jccatch.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\virus\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\image\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\misc\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\image\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\net\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\net\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\docs\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\docs\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\net\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1114619398625
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avid SDM Service (AvidSDMService) - Unknown owner - C:\WINDOWS\system32\AvidSDMService.exe (file missing)
    O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\sound\iPod\bin\iPodService.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\virus\Eset\nod32krn.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\spyware\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
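The O4 autorun entries in the first HijackThis log in this thread include two that launch from the Administrator's Temp folder, and both are absent from the log posted after AproposFix. The following Python script is an added example, not a tool from this thread or from any product mentioned in it: it parses HijackThis O4 lines, flags autoruns launched from a temp directory for review, and lists which entries disappeared between two logs. The sample lines are copied from the two logs above; the line regex and the temp-path markers are my own assumptions about the log format.

```python
"""Added example (not a tool from this thread): triage HijackThis O4 entries.

An autorun that launches from a user's Temp directory is unusual for installed
software and is one of the first things to check in a log like the ones above;
comparing two logs shows which autoruns a cleanup step removed.
"""
import re
from typing import List, NamedTuple

# Assumed shape of a HijackThis v1.99.1 O4 registry autorun line, e.g.
#   O4 - HKLM\..\Run: [name] C:\path\to\program.exe /switch
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# 8.3 and long forms of the per-user and system temp folders on Windows XP
TEMP_MARKERS = ('\\LOCALS~1\\TEMP\\', '\\LOCAL SETTINGS\\TEMP\\', '\\WINDOWS\\TEMP\\')


class Autorun(NamedTuple):
    hive: str
    name: str
    command: str


def parse_autoruns(log: str) -> List[Autorun]:
    """Extract the registry Run entries from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m['hive'], m['name'], m['cmd']))
    return entries


def launches_from_temp(entry: Autorun) -> bool:
    """True if the command line points into a temp folder (case-insensitive)."""
    cmd = entry.command.upper()
    return any(marker in cmd for marker in TEMP_MARKERS)


def triage(log: str) -> List[Autorun]:
    """Autoruns worth a closer look: those whose executable lives in Temp."""
    return [e for e in parse_autoruns(log) if launches_from_temp(e)]


def removed_between(before: str, after: str) -> List[str]:
    """Names of autoruns present in the first log but absent from the second."""
    after_names = {e.name for e in parse_autoruns(after)}
    return [e.name for e in parse_autoruns(before) if e.name not in after_names]


# Sample O4 lines copied from the first HijackThis log posted in this thread
BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200512323750_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200512323750_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""

# Sample O4 lines copied from the log posted after running AproposFix
AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\misc\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""

if __name__ == '__main__':
    for e in triage(BEFORE):
        print(f'review: {e.hive} [{e.name}] {e.command}')
    print('removed after cleanup:', removed_between(BEFORE, AFTER))
```

A Temp-path autorun is a prompt for review, not a verdict: the script only narrows the list a human reads, which is why the thread's helper still asks for the full logs.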

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    That's odd.

    Describe the symptoms again please, where are the popups from?

    Download and run Blacklight
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    Click > Scan, then > Next, Next again, then Exit.
    There will be a new txt near Blacklight. Post it please.
    Here is what I suspect: http://www.f-secure.com/sw-desc/apropos.shtml
    There are at times legitimate files shown by that app, so just post its log for now.

  9. #9
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default Blacklight log and Rootkit Revealer log

    Here is the log from the Blacklight scan, and beneath that, I have pasted the log from Rootkit Revealer:


    12/05/05 12:31:55 [Info]: BlackLight Engine 1.0.25 initialized
    12/05/05 12:31:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/05/05 12:31:55 [Note]: 4019 4
    12/05/05 12:31:55 [Note]: 4005 0
    12/05/05 12:32:09 [Note]: 4006 0
    12/05/05 12:32:09 [Note]: 4011 1488
    12/05/05 12:32:09 [Note]: FSRAW library version 1.7.1013
    12/05/05 12:51:11 [Note]: 4007 0
    HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 28/11/2005 8:00 PM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 17/08/2005 2:15 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7UK77H89\File[1].htm 5/12/2005 2:19 AM 46.66 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7UK77H89\FREEBURSTyell28[1].gif 5/12/2005 2:19 AM 1.58 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7UK77H89\js[79] 5/12/2005 2:19 AM 1.33 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7UK77H89\styles[1].css 5/12/2005 2:19 AM 14.57 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A95UZYT0\0[1] 5/12/2005 2:19 AM 3.84 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A95UZYT0\alogosmallone[1].gif 5/12/2005 2:19 AM 3.66 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A95UZYT0\box[1].gif 5/12/2005 2:19 AM 4.77 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A95UZYT0\CA49I7CX.htm 5/12/2005 2:19 AM 9.75 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A95UZYT0\download[1].gif 5/12/2005 2:19 AM 1.58 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O903S7G3\fk_200-ok2[1].gif 5/12/2005 2:19 AM 534 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O903S7G3\js[81] 5/12/2005 2:18 AM 1.33 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O903S7G3\js[82] 5/12/2005 2:18 AM 1.33 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O903S7G3\search[10].htm 5/12/2005 2:18 AM 21.49 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O903S7G3\winxp[1].ico 5/12/2005 2:19 AM 2.49 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\bluetab_800[1].jpg 5/12/2005 2:19 AM 6.24 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\google.com[1].htm 5/12/2005 2:18 AM 3.50 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\google.com[2].htm 5/12/2005 2:10 AM 3.50 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\js[79] 5/12/2005 2:18 AM 1.33 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\js[80] 5/12/2005 2:19 AM 1.33 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\navbar2[1].css 5/12/2005 2:19 AM 1.64 KB Hidden from Windows API.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVRN9P8E\navbar2_sub[1].css 5/12/2005 2:19 AM 716 bytes Hidden from Windows API.

  10. #10
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default the symptoms

    The symptoms are:

    1. popups with advertisements which open in internet explorer windows around the centre of the screen.

    2. very small internet explorer windows which open in the top left of the screen with no content in them - just white windows.

    3. slower performance during general use of the pc.
