
Thread: HijackThis won't start, Spybot won't install... I'm in big trouble, aren't I?

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    10

    HijackThis won't start, Spybot won't install... I'm in big trouble, aren't I?

    I got a couple of "friends" in my wanderings. I eliminated a couple with the little PC doctor (some rootkits). Regular antivirus scans don't show anything (online with Kaspersky and Trend Micro). Now I tried installing Spybot. I downloaded the exe file but it doesn't connect to the server.

    Following instructions in another thread I installed ERUNT and HijackThis. But now HijackThis won't start. Any advice? (I mean other than the gross "format, dude".)

    Bruce

  2. #2
    peku006 (Emeritus - Security Expert)
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hello and welcome to Safer Networking

    My name is peku006 and I will be helping you to remove any infection(s) that you may have.
    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    Please observe these rules while we work:

    • If you don't know or understand something, please don't hesitate to ask.
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.


    Step 1


    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.


    Step 2

    Please download gmer.zip from Gmer and save it to your desktop.

    1. Right click on gmer.zip and select Extract All....
    2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
    3. Click on the Browse button. Click on Desktop. Then click OK.
    4. Click Next. It will start extracting.
    5. Once done, check (tick) the Show extracted files box and click Finish.


    Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

    • When done, you may receive another notice. Click OK.
    • Click on Save ... to save a log.
    • Copy and paste in Gmer.txt and click Save.
    • Close Gmer.


    If you receive no notice, click on the Scan button.

    • It will start scanning again.
    • When done, click on Save ... to save a log.
    • Copy and paste in Gmer.txt and click Save.
    • Close Gmer.


    Note: Do not run any programs while Gmer is running.

    In your next reply, please post:

    1. DDS.txt
    2. Attach.txt
    3. Gmer.txt


    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  3. #3
    Junior Member
    Join Date
    May 2009
    Posts
    10

    Can't connect to security servers

    I got a couple of nasty rootkits; I believe I have now eliminated most of them, after I used HostsMan and renamed the exe files for a couple of antimalware programs. I did run a couple of scans now and everything seems clean, except for one thing:

    I still can't connect to any security website. For instance I can download the Spybot installation file, but then it doesn't log on to the server during the installation, so I can't install it. Same with Trend Micro, BitDefender etc.

    I attached the HijackThis notepad. I really appreciate any advice.

    Thanks,
    Bruce

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:44:56 AM, on 5/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\WebUpdateSvc4.exe
    C:\WINDOWS\TEMP\KB909D.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackRenamed.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\bcmwltry.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
    O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://reutersus.webex.com/client/T...ng/ieatgpc.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Logical Disk Manager dmserverNtmsSvc (dmserverNtmsSvc) - Unknown owner - C:\WINDOWS\system32\alrsvcq.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: Web Update Wizard Service V4 by PowerProgrammer (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc4.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8250 bytes
    Last edited by tashi; 2009-05-24 at 09:58. Reason: Merged two topics, copy pasted log into topic as per forum FAQ
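    The HijackThis log above is a line-oriented format: a "Running processes:" block, then one entry per line tagged with a section code (R0/R1 for Internet Explorer URLs, O2 for browser helper objects, O4 for autostart entries, O23 for services, and so on). The Python script below is an added example, not part of this thread and not HijackThis's own code: it parses that format, counts entries per section, and applies a few generic triage heuristics (a process running from a temp directory, a BHO whose file is missing, an autostart under Policies\Explorer\Run, a service listed with "Unknown owner"). The heuristics and the sample lines, modelled on entries from the posted log, are assumptions made for this example; a hit means "look at this", not a verdict, which the legitimate COMODO service in the sample illustrates.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format, modelled on entries
# from the log posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:56 AM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\KB909D.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager dmserverNtmsSvc (dmserverNtmsSvc) - Unknown owner - C:\WINDOWS\system32\alrsvcq.exe
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O4, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# A path component named temp or tmp, e.g. C:\WINDOWS\TEMP\x.exe
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (processes, entries).

    processes: paths listed under 'Running processes:' (block ends at a blank line)
    entries:   dicts {'section': 'O4', 'body': '...'} for every tagged line
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return processes, entries


def summarize(entries):
    """Count entries per section tag, e.g. {'O2': 2, 'O4': 2, 'O23': 3}."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["section"]] += 1
    return dict(counts)


def triage(processes, entries):
    """Return (reason, item) pairs that deserve a second look.

    Generic triage heuristics chosen for this example, not a verdict:
    legitimate software (COMODO's service in the sample) trips 'Unknown owner' too.
    """
    findings = []
    for p in processes:
        if TEMP_DIR_RE.search(p):
            findings.append(("process running from a temp directory", p))
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(("BHO registered but its file is missing", body))
        elif sec == "O4" and "Policies\\Explorer\\Run" in body:
            findings.append(("autostart via Policies\\Explorer\\Run", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(("service with no publisher (Unknown owner)", body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("sections:", summarize(ents))
    for reason, item in triage(procs, ents):
        print(f"[{reason}] {item}")
```

    To run it over a full log, pass the contents of the saved HijackThis file to parse_hjt instead of SAMPLE_LOG. The value of the per-section summary is that a helper can see at a glance how many O4 and O23 entries there are to walk through; the triage list only orders that walk, it does not replace it.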

  4. #4
    peku006 (Emeritus - Security Expert)
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi Bruce

    1 - Download and Run Malwarebytes' Anti-Malware
    1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
    2. Double click on mbam-setup.exe to install it.
    3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
    5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
    6. Leave the default options as they are and click on Start Scan.
    7. When done, you will be prompted. Click OK, then click on Show Results.
    8. Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.


    9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.


    2 - download and run RSIT

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (which will be maximized) and info.txt (which will be minimized).


    3 - Status Check
    Please reply with

    1. the logs from RSIT (log.txt, info.txt)
    2. the Malwarebytes' Anti-Malware Log

    Thanks peku006

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    10

    Hi peku

    Thanks for helping me.

    1. I already installed Malwarebytes. However, it won't update. I don't have access to a mirror; under the Update tab there is only one button: "Check for Updates". I clicked it and it doesn't connect. I renamed the exe file and scanned with it, but it won't find any problem. Same with SUPERAntiSpyware.

    I also ran a scan with SUPERAntiSpyware in Safe Mode. Clean again.
    I also ran a scan from an external drive with ClamWinPortable. Clean again.

    Shall I rescan and attach the Malwarebytes logs (un-updated)?

    2. Do you still need me to run DDS and GMER? (Sorry, I didn't see your post last night, before I posted the HijackThis log.)

    3. Please see attached the RSIT files.

    Thank you for your help. Now that I have seen your reply I will follow your new instructions step by step.

  6. #6
    Junior Member
    Join Date
    May 2009
    Posts
    10

    Oops

    Hi again peku,

    I ran one more scan with the un-updated Malwarebytes after my post. To my surprise, it found a bunch of stuff. Yesterday I ran SUPERAntiSpyware and it was clean. Trojan downloader maybe?

    After cleaning I still can't log on to the Spybot server.

    Anyway, please see attached the Malwarebytes log and the RSIT log, after cleaning with Malwarebytes.

    Thanks,
    Bruce
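    A machine that can browse normally but cannot reach Spybot's update server, Malwarebytes' update mirrors or other security vendors, as described in this post and the earlier ones, is a symptom helpers routinely check against the hosts file (which the poster had already edited with HostsMan). The Python script below is an added example, not the poster's code and not part of any tool in this thread; the thread does not establish that the hosts file is the cause here. The sample hosts content, the list of watched vendor domains and the default hosts path are assumptions made for the example.

```python
import ipaddress

# Default location of the hosts file on Windows XP (assumption for this
# example; the machine in the thread was not inspected).
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample hosts file: one stock entry, one local name that is
# expected, and two security-vendor names pinned to addresses they should
# never have in a clean file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       intranet.example        # local name, expected
127.0.0.1       www.safer-networking.org
10.0.0.1        www.malwarebytes.org    updates.malwarebytes.org
"""

# Names a helper expects the user to be able to reach during cleanup
# (assumed list for the example; extend it with the vendors you rely on).
WATCHED_SUFFIXES = (
    "safer-networking.org",
    "malwarebytes.org",
    "kaspersky.com",
    "trendmicro.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments after '#' are dropped, and a line whose first field is not a
    valid IPv4/IPv6 address is skipped rather than guessed at.
    """
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((ip, name.lower()))
    return mappings


def is_watched(name):
    """True if name is one of the watched vendor domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(mappings):
    """Return mappings that pin a watched vendor name to any address.

    A clean hosts file carries no entries for these names at all, so the
    address itself (loopback, private or public) does not matter: any
    mapping is a hit worth showing to the user.
    """
    return [(ip, name) for ip, name in mappings if is_watched(name)]


def check_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    for ip, name in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{name} is pinned to {ip}")
```

    The check deliberately ignores the address an entry points to: a vendor name mapped to 127.0.0.1 blocks the site, and one mapped to some other address redirects it, and neither belongs in a hosts file on a machine that is being cleaned. A clean result from this script does not rule out the symptom's other causes (a proxy setting, a DNS change, or a filter driver), which is why the helper's later steps still apply.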

  7. #7
    peku006 (Emeritus - Security Expert)
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi Bruce

    Looks good.

    All logs should be copy/pasted into the topic and not attached.

    1 - Clean temp files

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
      Double-click ATF Cleaner.exe to open it.

      Under Main choose:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.


    2 - Kaspersky Online Scan

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.


    3 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    4 - Status Check
    Please reply with

    1. the Kaspersky online scanner report
    2. a fresh HijackThis log

    Thanks peku006

  8. #8
    Junior Member
    Join Date
    May 2009
    Posts
    10

    Hi

    Hi peku,

    I cleaned with ATF, then scanned with Kaspersky, then ran the RSIT HijackThis scan. Kaspersky didn't find anything, but Spybot still won't connect to the server. Please see the logs below.

    Thanks,
    Bruce

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Tuesday, May 26, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Tuesday, May 26, 2009 17:16:36
    Records in database: 2251937
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 60993
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 02:44:42

    No malware has been detected. The scan area is clean.

    The selected area was scanned.




    *******************************************
    *******************************************
    *******************************************

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Sorin at 2009-05-26 15:06:53
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 5 GB (13%) free of 38 GB
    Total RAM: 2039 MB (65% free)

    HijackThis download failed

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\User_Feed_Synchronization-{A08EB93D-5AC4-46BB-A03E-C1E654899581}.job
    C:\WINDOWS\tasks\User_Feed_Synchronization-{CC261B67-F22A-41AD-AF8F-D97758EAE6AA}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
    Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-08-12 1437696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-04 652784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-07 35840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-07 73728]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-07 148888]
    "OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2009-05-15 718120]
    "igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-06-06 118784]
    "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-06-06 77824]
    "igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-06-06 94208]
    "SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
    "Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2006-11-01 1392640]
    "ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-02-01 1103240]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-30 4670704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-12 39792]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    C:\Program Files\Skype\Phone\Skype.exe [2008-08-12 21741864]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-07 68856]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysldtray]
    C:\windows\ld08.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2007-08-30 4670704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]
    C:\PROGRA~1\D-Link\D-LINK~1\WIRELE~1.EXE [2006-12-06 13357056]

    C:\Documents and Settings\Sorin\Start Menu\Programs\Startup
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxdev.dll [2006-06-06 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    WgaLogon.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\SAS\SAS 9.1\sas.exe"="C:\Program Files\SAS\SAS 9.1\sas.exe:*:Enabled:SAS 9.1 for Windows"
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
    "C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
    "C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe"="C:\Program Files\FiSTiNG4FUN\Commview for Wifi\CommViewWiFi\WEPdecoder.exe:*:Enabled:WEP key recovery"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32384982-8f10-11dd-8c7c-001422aa1205}]
    shell\AutoRun\command - E:\WD_Windows_Tools\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{624ecfa7-4ae5-11dd-8bd2-948bd94157b5}]
    shell\AutoRun\command - E:\LaunchU3.exe -a


    ======List of files/folders created in the last 1 months======

    2009-05-25 16:20:49 ----D---- C:\Documents and Settings\Sorin\Application Data\Move Networks
    2009-05-24 11:46:54 ----DC---- C:\rsit
    2009-05-22 23:11:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-22 23:11:04 ----D---- C:\Program Files\SUPERAntiSpyware
    2009-05-22 23:11:04 ----D---- C:\Documents and Settings\Sorin\Application Data\SUPERAntiSpyware.com
    2009-05-22 22:51:56 ----D---- C:\Documents and Settings\Sorin\Application Data\abelhadigital.com
    2009-05-22 22:51:56 ----D---- C:\Documents and Settings\All Users\Application Data\abelhadigital.com
    2009-05-22 22:51:30 ----D---- C:\Program Files\HostsMan
    2009-05-22 19:23:44 ----D---- C:\WINDOWS\ERDNT
    2009-05-22 19:23:01 ----D---- C:\Program Files\ERUNT
    2009-05-22 01:28:02 ----D---- C:\WINDOWS\Minidump
    2009-05-21 19:31:45 ----RSH---- C:\WINDOWS\system32\alrsvcq.exe
    2009-05-11 18:56:15 ----SHD---- C:\WINDOWS\CSC
    2009-05-11 18:40:27 ----D---- C:\Documents and Settings\Sorin\Application Data\Malwarebytes
    2009-05-11 18:40:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-05-11 18:40:17 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-05-11 18:29:04 ----DC---- C:\malware
    2009-05-11 18:00:20 ----DC---- C:\sasreg
    2009-05-11 17:25:43 ----D---- C:\Documents and Settings\All Users\Application Data\SAS
    2009-05-11 17:09:45 ----N---- C:\WINDOWS\system32\oc30.dll
    2009-05-11 17:09:43 ----N---- C:\WINDOWS\system32\sasperf.dll
    2009-05-11 16:58:02 ----D---- C:\Program Files\SAS
    2009-05-06 03:05:43 ----D---- C:\WINDOWS\system32\KB905474

    ======List of files/folders modified in the last 1 months======

    2009-05-26 15:06:55 ----D---- C:\WINDOWS\Prefetch
    2009-05-26 14:20:45 ----A---- C:\WINDOWS\cfgall.ini
    2009-05-26 11:49:55 ----D---- C:\Program Files\Spyware Doctor
    2009-05-26 11:49:44 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-05-26 11:49:42 ----D---- C:\WINDOWS\Temp
    2009-05-26 11:46:20 ----D---- C:\Program Files\Mozilla Firefox
    2009-05-26 11:35:19 ----D---- C:\WINDOWS
    2009-05-26 11:33:29 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-05-26 11:24:03 ----AD---- C:\WINDOWS\system32
    2009-05-26 02:07:03 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-05-25 21:17:44 ----SD---- C:\WINDOWS\Tasks
    2009-05-25 21:16:08 ----SHD---- C:\WINDOWS\Installer
    2009-05-25 21:13:44 ----D---- C:\Documents and Settings
    2009-05-25 01:23:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-05-25 01:23:51 ----D---- C:\WINDOWS\system32\drivers
    2009-05-25 01:21:28 ----D---- C:\WINDOWS\Debug
    2009-05-24 12:35:12 ----D---- C:\Documents and Settings\Sorin\Application Data\U3
    2009-05-24 00:31:05 ----HD---- C:\WINDOWS\inf
    2009-05-24 00:08:04 ----D---- C:\Program Files\CCleaner
    2009-05-23 19:46:31 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-05-23 19:46:31 ----D---- C:\WINDOWS\BDOSCAN8
    2009-05-23 19:16:07 ----AHC---- C:\boot.ini
    2009-05-23 19:16:07 ----A---- C:\WINDOWS\win.ini
    2009-05-23 19:16:07 ----A---- C:\WINDOWS\system.ini
    2009-05-22 23:11:04 ----RD---- C:\Program Files
    2009-05-22 23:09:01 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2009-05-22 19:19:03 ----D---- C:\Program Files\Trend Micro
    2009-05-21 17:22:10 ----AC---- C:\tmuninst.ini
    2009-05-20 17:07:17 ----A---- C:\WINDOWS\pdf2word.INI
    2009-05-13 20:53:53 ----D---- C:\Documents and Settings\Sorin\Application Data\Skype
    2009-05-13 16:03:44 ----D---- C:\Documents and Settings\Sorin\Application Data\skypePM
    2009-05-12 18:27:52 ----D---- C:\WINDOWS\pss
    2009-05-11 19:17:47 ----SD---- C:\Documents and Settings\Sorin\Application Data\Microsoft
    2009-05-11 19:14:59 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-05-11 19:14:57 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2009-05-11 19:03:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-05-11 18:07:14 ----HD---- C:\Program Files\InstallShield Installation Information
    2009-05-07 03:16:29 ----A---- C:\WINDOWS\system32\MRT.exe

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [2009-03-20 110992]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [2009-03-20 24336]
    R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952]
    R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2009-05-15 76688]
    R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
    R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
    R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
    R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-12 604928]
    R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2005-08-05 45312]
    R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]
    R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-06-06 1168860]
    R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]
    R3 WSIMD;wsimd Service; C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-10-31 55840]
    S3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5416.sys [2007-12-24 1313536]
    S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-01 5220]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys []
    S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
    S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 ACS;Atheros Configuration Service; C:\Program Files\D-Link\D-Link DWA-643 Xtreme N ExpressCard Notebook Adapter\acs.exe [2006-11-03 360532]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-07 152984]
    R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2009-05-15 963880]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe [2005-04-29 69632]
    R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
    R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-02-01 948616]
    R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2009-05-15 996648]
    R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
    R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-04-04 229856]
    R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-11-01 20480]
    S2 cmdAgent;COMODO Internet Security Helper Service; C:\Program Files\COMODO\Firewall\cmdagent.exe [2009-03-20 700152]
    S2 dmserverNtmsSvc;Logical Disk Manager dmserverNtmsSvc; C:\WINDOWS\system32\alrsvcq.exe [2009-05-21 50688]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-07 652552]
    S4 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-30 183280]

    -----------------EOF-----------------

  9. #9
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Default

    Hi Bruce

    I'm afraid I have unpleasant news for you. There is evidence of several infections on your computer. One or more is a Password Stealer. It allows outsiders to monitor your Internet activity and private information. It then sends the stolen data to a hacker site.

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being: Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
    • Take any other steps you think appropriate for an attempted identity theft.


    I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection.

    Please read this for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
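
    As an added illustration (not part of peku006's reply, nor of the user's log) of how a helper reads the service list in the log above: the script below parses the `R2 name;display; path [date size]` lines, decodes the state and start-type codes defined in that section's header, and scores each entry with a few triage heuristics (a service name built from two stock service names glued together, a stock display name attached to a differently named service, an auto-start binary sitting directly in system32 that is not on a reference list, and a binary dated within a couple of weeks of the log). The sample lines are copied from the posted log; the reference lists of stock XP service names, display names and system32 binaries are constructed and deliberately partial, and the log date is taken from the newest timestamp in the posted directory listing. The output is a review list, not a verdict; which entries peku006 had in mind is not stated in the thread.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample in the same "state/start name;display; path [date size]" format as the
# posted log; the lines are copied from that post, the heuristics and reference lists are mine.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2009-05-15 963880]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer; C:\WINDOWS\system32\WebUpdateSvc4.exe [2007-04-04 229856]
S2 dmserverNtmsSvc;Logical Disk Manager dmserverNtmsSvc; C:\WINDOWS\system32\alrsvcq.exe [2009-05-21 50688]
S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-08-07 652552]
S3 pgfilter;pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys []
"""
LOG_DATE = date(2009, 5, 26)  # newest timestamp in the posted directory listing

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Constructed, deliberately partial reference data; a real triage script would carry a full
# inventory of the stock service names, display names and binaries for the Windows version.
KNOWN_SERVICE_NAMES = {"dmserver", "ntmssvc", "browser", "lanmanserver", "lanmanworkstation",
                       "schedule", "spooler", "wuauserv", "eventlog", "rpcss", "umwdf", "w32time"}
KNOWN_DISPLAY_NAMES = {"dmserver": "logical disk manager", "ntmssvc": "removable storage",
                       "umwdf": "windows user mode driver framework"}
KNOWN_SYSTEM32_SERVICE_EXES = {"svchost.exe", "spoolsv.exe", "wdfmgr.exe", "alg.exe", "locator.exe"}


@dataclass
class Entry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    file_date: Optional[date]
    size: Optional[int]


def parse_log(text: str) -> List[Entry]:
    """Parse the service/driver section lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        file_date = size = None
        meta = m["meta"].split()          # "[]" means the tool recorded no date/size
        if len(meta) == 2:
            file_date = date.fromisoformat(meta[0])
            size = int(meta[1])
        path = m["path"]
        if path.startswith("\\??\\"):     # NT object-manager prefix on some entries
            path = path[4:]
        entries.append(Entry(m["state"] == "R", START_TYPES[m["start"]], m["name"],
                             m["display"], path, file_date, size))
    return entries


def stacked_name(name: str) -> Optional[Tuple[str, str]]:
    """A service name that is two stock service names concatenated, e.g. dmserver + NtmsSvc."""
    n = name.lower()
    for first in KNOWN_SERVICE_NAMES:
        rest = n[len(first):]
        if n.startswith(first) and rest in KNOWN_SERVICE_NAMES:
            return (first, rest)
    return None


def borrowed_display(e: Entry) -> Optional[str]:
    """A stock service's display name attached to a service with a different name."""
    d = e.display.lower()
    for svc, disp in KNOWN_DISPLAY_NAMES.items():
        if disp in d and e.name.lower() != svc:
            return disp
    return None


def triage(entries: List[Entry], log_date: date, recent_days: int = 14):
    """Score each entry; a higher score means more worth a second look. Triage, not a verdict."""
    results = []
    for e in entries:
        reasons = []
        if stacked_name(e.name):
            reasons.append("name is two stock service names concatenated")
        if borrowed_display(e):
            reasons.append("display name belongs to a different stock service")
        parent, _, exe = e.path.rpartition("\\")
        if (parent.lower().endswith("\\system32") and e.start_type == "Auto"
                and exe.lower() not in KNOWN_SYSTEM32_SERVICE_EXES):
            reasons.append("auto-start binary directly in system32, not in reference list")
        if e.file_date and log_date - e.file_date <= timedelta(days=recent_days):
            reasons.append(f"binary dated within {recent_days} days of the log")
        if reasons:
            results.append((len(reasons), e.name, e.path, reasons))
    return sorted(results, reverse=True)


def run_sample():
    return triage(parse_log(SAMPLE_LOG), LOG_DATE)


if __name__ == "__main__":
    for score, name, path, reasons in run_sample():
        print(f"{score} {name:<18} {path}")
        for r in reasons:
            print(f"    - {r}")
```

    Note that the recency and system32 heuristics on their own also flag legitimately new or third-party entries (the Trend Micro scanner the user just installed, a vendor updater living in system32), which is why the script stacks reasons and sorts instead of reporting any single hit as malicious; the entry that trips all four is the one to pull the file from and check (hash, signer, strings) before deciding anything.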

  10. #10
    Junior Member
    Join Date
    May 2009
    Posts
    10

    Default

    Thanks peku. Importantly now: what do I have to do to clean? Can I clean, or do I have to format?

    Bruce
