I deleted the email msgs.
Here is the link:
http://www.virustotal.com/analisis/5...9d7-1247394400
Hmmm, let's have a closer look at that file, and then see if we can find a replacement.
Upload a File
Download suspicious file packer from here
Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop
C:\WINDOWS\system32\jdbgmgr.exe
Go to spykiller
Please start a new thread Titled File/s for Katana and give the following information
- Name:-- Your name
- E-mail:-- Your E-mail (this is confidential and will not be displayed)
- Subject:-- File for Katana
In the main text window please put the following link
you may also add any comments you wish
Code:
http://forums.spybot.info/showthread.php?p=327836#post327836
then press attach and upload the zip/cab file that was created.
Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files
You can now delete SFP (exe and Zip) along with the .cab file that was created
----------------------------------------------------------------------------------------
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:dir
c:\Program Files\Windows Antivirus Pro
c:\windows\system32\images
c:\Program Files\creytd
:file
C:\WINDOWS\system32\jdbgmgr.exe
:reg
HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop /s
:filefind
jdbgmgr.exe
:comment
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Hi Katana.
Below is the log. Just an fyi, I had the real-time debugger launch a couple times this morning, which concerned me. As such I ran Spybot S&D just to check if something new had started running on the sys. It found the remnants of Windows AntiVirus Pro. The directory and two reg keys. I went ahead and let SS&D remove those items.
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 07:51 on 11/08/2009 by Owner (Administrator - Elevation successful)
========== dir ==========
c:\Program Files\Windows Antivirus Pro - Unable to find folder.
c:\windows\system32\images - Parameters: "(none)"
---Files---
i1.gif --a--- 1744 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i2.gif --a--- 1663 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i3.gif --a--- 1689 bytes [23:27 03/08/2009] [22:17 21/11/2008]
j1.gif --a--- 3957 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j2.gif --a--- 47 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j3.gif --a--- 3857 bytes [23:27 03/08/2009] [23:33 27/11/2008]
jj1.gif --a--- 114 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj2.gif --a--- 48 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj3.gif --a--- 105 bytes [23:27 03/08/2009] [22:40 21/11/2008]
l1.gif --a--- 3749 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l2.gif --a--- 92 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l3.gif --a--- 468 bytes [23:27 03/08/2009] [21:40 21/11/2008]
pix.gif --a--- 70 bytes [23:27 03/08/2009] [22:44 21/11/2008]
t1.gif --a--- 621 bytes [23:27 03/08/2009] [21:47 21/11/2008]
t2.gif --a--- 1015 bytes [23:27 03/08/2009] [22:17 21/11/2008]
up1.gif --a--- 5568 bytes [23:27 03/08/2009] [21:28 21/11/2008]
up2.gif --a--- 696 bytes [23:27 03/08/2009] [21:29 21/11/2008]
w1.gif --a--- 3028 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w11.gif --a--- 3431 bytes [23:27 03/08/2009] [22:08 21/11/2008]
w2.gif --a--- 47 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w3.gif --a--- 3430 bytes [23:27 03/08/2009] [23:30 27/11/2008]
w3.jpg --a--- 1912 bytes [23:27 03/08/2009] [23:34 27/11/2008]
wt1.gif --a--- 176 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt2.gif --a--- 51 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt3.gif --a--- 119 bytes [23:27 03/08/2009] [21:57 21/11/2008]
---Folders---
None found.
c:\Program Files\creytd - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
========== file ==========
C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
MD5: 9A717FC17EA205785094CAA96C30945C
Created at 06:24 on 24/01/2009
Modified at 18:29 on 02/06/1998
Size: 14848 bytes
Attributes: --a---
FileDescription: Microsoft® Debugger Registrar for Java
FileVersion: 5.00.2752
ProductVersion: 5.00.2752
OriginalFilename: JDBGMGR.EXE
InternalName: JDbgMgr
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: Copyright © Microsoft Corp. 1996-1998
========== reg ==========
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop]
(No values found)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
"DeskHtmlMinorVersion"= 0x0000000005 (5)
"DeskHtmlVersion"= 0x0000000110 (272)
"GeneralFlags"= 0000000000 (0)
"Settings"= 0x0000000001 (1)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\0]
"CurrentState"=02 00 00 40 (REG_BINARY)
"Flags"= 0x0000002000 (8192)
"FriendlyName"="tets"
"OriginalStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 (REG_BINARY)
"Position"=2c 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
"RestoredStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 (REG_BINARY)
"Source"="C:\WINDOWS\system32\onhelp.htm"
"SubscribedURL"="C:\WINDOWS\system32\onhelp.htm"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\General]
"BackupWallpaper"=""
"ComponentsPositioned"= 0x0000000001 (1)
"TileWallpaper"="0"
"Wallpaper"=""
"WallpaperFileTime"=00 00 00 00 00 00 00 00 (REG_BINARY)
"WallpaperLocalFileTime"=00 f8 29 17 d6 ff ff ff (REG_BINARY)
"WallpaperStyle"="2"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Old WorkAreas]
"NoOfOldWorkAreas"= 0x0000000001 (1)
"OldWorkAreaRects"=00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 (REG_BINARY)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode]
(No values found)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\Components]
"DeskHtmlVersion"= 0000000000 (0)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\General]
"VisitGallery"= 0000000000 (0)
"Wallpaper"="%SystemRoot%\Web\SafeMode.htt"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Scheme]
"Display"=""
"Edit"=""
========== filefind ==========
Searching for "jdbgmgr.exe "
No files found.
-=End Of File=-
Now that doesn't make any sense?
========== file ==========
C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
========== filefind ==========
Searching for "jdbgmgr.exe "
No files found.
How can it not find the file if it has already opened it once ?????
Let me have a think, I'll be back shortly
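Added example, not from the thread or from SystemLook's author: a small Python helper that parses the ':file' block of the SystemLook log quoted above and replays the ':filefind' search term against a constructed list of file names. The log line `Searching for "jdbgmgr.exe "` shows the term carried a trailing space; the assumption here is that the search matched that term verbatim, which would account for a file being opened by ':file' yet not found by ':filefind'. The md5_matches helper compares a file's bytes with the MD5 a log reported, which is how a replacement copy can be checked against the recorded value.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Constructed excerpt of the SystemLook log quoted in the thread (same values as above).
SYSTEMLOOK_EXCERPT = """\
========== file ==========
C:\\WINDOWS\\system32\\jdbgmgr.exe - File found and opened.
MD5: 9A717FC17EA205785094CAA96C30945C
Size: 14848 bytes
FileDescription: Microsoft® Debugger Registrar for Java
CompanyName: Microsoft Corporation
========== filefind ==========
Searching for "jdbgmgr.exe "
No files found.
"""


def parse_file_section(log: str) -> Dict[str, str]:
    """Collect the 'Key: value' lines of the ':file' block into a dict."""
    fields: Dict[str, str] = {}
    in_file_block = False
    for line in log.splitlines():
        if line.startswith("=========="):
            # Section headers look like "========== file =========="
            in_file_block = line.strip("= ") == "file"
        elif in_file_block and ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def filefind_term(log: str) -> Optional[str]:
    """Return the exact string ':filefind' reported searching for (quotes removed)."""
    match = re.search(r'Searching for "(.*)"', log)
    return match.group(1) if match else None


def simulated_filefind(term: str, names: List[str]) -> List[str]:
    """Case-insensitive substring match that treats the term verbatim (assumed behaviour)."""
    return [n for n in names if term.lower() in n.lower()]


def diagnose_filefind(log: str, names: List[str]) -> str:
    """Explain an empty ':filefind' result for a name that ':file' had just opened."""
    term = filefind_term(log) or ""
    if simulated_filefind(term, names):
        return "search term matches; no discrepancy"
    if term != term.strip() and simulated_filefind(term.strip(), names):
        return f"search term {term!r} carries surrounding whitespace; {term.strip()!r} matches"
    return "search term does not match any listed file name"


def md5_matches(data: bytes, reported_md5: str) -> bool:
    """Compare a file's bytes against the MD5 a log reported for it."""
    return hashlib.md5(data).hexdigest().lower() == reported_md5.lower()
```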
----------------------------------------------------------------------------------------
Step 1
OTMoveIt
Please download OTM by OldTimer and save it to your desktop
- Double-click OTM.exe to run it.
- Copy the lines in the codebox below. ( Make sure you include :Processes )
Code:
:Processes
:Reg
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
:Files
C:\WINDOWS\system32\onhelp.htm
c:\windows\system32\images
c:\Program Files\creytd
:Commands
[Purity]
[EmptyTemp]
- Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
----------------------------------------------------------------------------------------
Step 2
Download and Run Registry Search
Download (LINK >>>) Registry Search (<<< LINK) to your desktop.
- Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
- Open the new folder, and double click on regsearch.exe
- In the top window copy/paste the following line
- jdbgmgr
- Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
- Please save the text file on your desktop and call it found-entries.
Paste the results in your reply
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
- OTMoveIt Log
- RegSearch Log
- A fresh HJT log (C:\Program Files\trend micro\Owner.exe)
Logs as requested:
All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\ deleted successfully.
========== FILES ==========
C:\WINDOWS\system32\onhelp.htm moved successfully.
c:\windows\system32\images moved successfully.
c:\Program Files\creytd moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 98438 bytes
->Java cache emptied: 13681514 bytes
->FireFox cache emptied: 36879139 bytes
->Google Chrome cache emptied: 5928795 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5310 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 54.00 mb
OTM by OldTimer - Version 3.0.0.6 log created on 08112009_083623
Files moved on Reboot...
Registry entries deleted on Reboot...
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 8/11/2009 8:43:33 AM for strings:
; 'jdbgmgr
* jdbgmgr
jdbgmgr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:28 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\pmta\gmsmux\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\pmta\jre\bin\java.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\trend micro\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229973284213
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)
--
End of file
After a bit more research, you don't actually need the jdbgmgr.exe file unless you develop Java programs.
OTMoveIt
- Double-click OTM.exe to run it.
- Copy the lines in the codebox below. ( Make sure you include :Processes )
Code:
:Processes
:Files
C:\WINDOWS\system32\jdbgmgr.exe
:Commands
- Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar), and paste it in your next reply.
- Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
How are things running now, any problems still ?