
Loss of privileges?


30 replies to this topic

#1 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 27 September 2007 - 09:35 PM

Something new going on here..

My last problem a month or so back I managed to sort simply following the Malware Removal guide, but no such luck this time round.

I can't bring up Task Manager and get an alert 'task manager has been disabled by your administrator' when I use Ctrl/Alt/Del, and no better when I try 'taskmgr' from the Run command box

Control Panel has vanished from my 'start' list (which is particularly scary) and I can't get into Program Access and Defaults

Not sure what's going on, but I got a few weird popups while I was surfing at one point this afternoon, including a voice telling me that they could help me make money on the property market... That was when I worked out I might have a problem :blink:

Anyhow... I've worked my way through the standard list and here are the logs:-

First off, Bitdefender

BitDefender Online Scanner - Real Time Virus Report

Generated at: Thu, Sep 27, 2007 - 19:27:00

--------------------------------------------------------------------------------

Scan Info
Scanned Files: 290292
Infected Files: 1

Virus Detected
Win32.Bagle.M@mm: 1

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.



Next is SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/27/2007 at 08:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3314
Trace Rules Database Version: 1316

Scan type : Complete Scan
Total Scan Time : 00:46:48

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5820
Registry threats detected : 0
File items scanned : 38356
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\family\Cookies\family@ads.techguy[2].txt

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP191\A0049180.DLL



And now for AVG anti-spyware


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:02:23 27/09/2007

+ Scan result:



HKU\S-1-5-21-1343024091-838170752-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A82BE883-EE51-4FAB-85B4-9432C6056673} -> Adware.VipSearcher : Cleaned.
C:\WINDOWS\system32\Tools\Restart.exe -> Not-A-Virus.Tool.Win32.RestartCounter : Cleaned.
C:\Documents and Settings\family\Cookies\family@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.


::Report end



and the usual finish, HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21:14, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: KHENXBCNCVHMWZNN - Unknown owner - C:\DOCUME~1\family\LOCALS~1\Temp\KHENXBCNCVHMWZNN.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7521 bytes



Any suggestions on how I get out of this would be much appreciated...

Thanks.

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 28 September 2007 - 07:17 AM

Hi scotiabahn,

There's not really much showing there to explain the problems, but we can start with a few scans to have a closer look. Regarding Task Manager and the lack of Control Panel etc., that will likely just be policy restrictions that have been added, so that part should be simple enough to fix, but it's worth making sure there are no trojans first so the damage doesn't keep being done. BitDefender's detection of Bagle is a concern as that's a particularly nasty worm that can add a rootkit to hide files and also cause damage to prevent you booting into Safe Mode, as well as deleting files from antivirus programs as soon as they open, but as the scan report doesn't show where the file is it's difficult to know for sure if it is Bagle or not.

Run HijackThis and choose Do A System Scan then place a check next to these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Goto Start > Run > then type or copy and paste

sc delete KHENXBCNCVHMWZNN

Press OK and you will just notice the cmd screen flash on then off again and the service will be removed

Open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box into Notepad

regedit.exe /e checkreg1.txt "HKEY_CURRENT_USER\Software\Policies\Microsoft"
regedit.exe /e checkreg2.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft"
regedit.exe /e checkreg3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit.exe /e checkreg4.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
TYPE checkreg*.txt >> Result.txt
del /q Checkreg*.txt

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Check.bat then save it to your desktop

Double click Check.bat and it will export the information from the registry and save it to a text file named Result.txt which will save to the desktop, please attach that text file into your next reply. To attach a file to a new post, click browse under the reply window and locate the Result.txt from your desktop then click Upload

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Please then post back the Combofix log, the policy keys export and a new HijackThis log

Cheers
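An added example, not from the thread or from any of the tools it names: a Python triage script that parses the Result.txt the Check.bat above produces and flags the policy values behind the symptoms described (Task Manager disabled, Control Panel and Program Access and Defaults gone). The sample export is constructed; the value names are the real Windows policy names, while the symptom wording is the script's own.

```python
"""Triage a regedit /e export (the Result.txt that Check.bat produces) for the
policy values that lock a user out of Task Manager, Control Panel and similar
tools. SAMPLE_EXPORT is constructed; read a real file with encoding="utf-16"."""
import re
from typing import Dict, List, Optional, Tuple

# Real Windows policy value names; a non-zero DWORD imposes the restriction.
# The symptom text is ours, matching what the thread describes.
RESTRICTIVE_VALUES = {
    "DisableTaskMgr": "Task Manager 'has been disabled by your administrator'",
    "DisableRegistryTools": "regedit refuses to open",
    "NoControlPanel": "Control Panel hidden from the Start menu and blocked",
    "NoRun": "Run command removed from the Start menu",
    "NoFolderOptions": "Folder Options removed from Explorer",
    "NoSMConfigurePrograms": "'Set Program Access and Defaults' hidden",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an export into {key: {value_name: raw_data}}. Tolerates several
    exports concatenated into one file (each with its own header), which is
    what the TYPE checkreg*.txt step yields, and rejoins hex() data that
    regedit wraps across lines with a trailing backslash."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip("\ufeff")
        if pending:                      # continuation of a wrapped hex() value
            line, pending = pending + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = m.group(2)
    return keys


def find_restrictions(text: str) -> List[Tuple[str, str, int, str]]:
    """(key, value_name, value, symptom) for each restrictive policy value under
    a ...\\Policies... key whose data is a non-zero DWORD."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if "\\policies" not in key.lower():
            continue
        for name, raw in values.items():
            symptom = RESTRICTIVE_VALUES.get(name)
            if symptom and raw.lower().startswith("dword:") and int(raw[6:], 16):
                hits.append((key, name, int(raw[6:], 16), symptom))
    return hits


def undo_reg(hits: List[Tuple[str, str, int, str]]) -> str:
    """A .reg file that resets every flagged value to 0, for lifting the
    restrictions once whatever set them has been removed."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _, _ in hits:
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out += [f"[{key}]"] + [f'"{n}"=dword:00000000' for n in names] + [""]
    return "\n".join(out)


# Constructed sample: two of the four exports that Check.bat concatenates.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"Wallpaper"=hex(2):43,00,3a,00,5c,00,\
  00,00
"""

if __name__ == "__main__":
    found = find_restrictions(SAMPLE_EXPORT)
    for key, name, val, symptom in found:
        print(f"{key}\n  {name} = {val}  ({symptom})")
    print(undo_reg(found))
```

Values set to 0 (such as NoRun above) are reported as clean, and only keys under a Policies path are considered, so unrelated DWORDs in the export do not produce noise.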

#3 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 28 September 2007 - 08:28 AM

Hi Andy!

Thanks for your help... again... although I have managed to sort out a few things on my own from what I learnt the last time around...

Anyway... here's the next batch of scans...

Ran the HJT as requested, and it reset my home page to MSN.com... hardly a favourite but even I can change that once the rest is sorted :rolleyes:

Did the delete...

Did Check.bat and I've uploaded the file as described...


Here's the Combofix log...

ComboFix 07-09-21.2 - "family" 2007-09-28 9:04:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.522 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-28 09:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 17:47 2,660 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 17:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-27 17:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 17:46 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-27 17:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-27 16:11 1,536 --a------ C:\WINDOWS\system32\stdole32.dat
2007-09-07 14:08 <DIR> d-------- C:\Program Files\Paint.NET
2007-09-07 11:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-07 11:41 <DIR> d-------- C:\db6017ddf52684e072ba3754
2007-09-07 11:16 <DIR> d-------- C:\Program Files\MSBuild
2007-09-07 11:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-09-07 11:10 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-09-07 11:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-07 10:28 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-07 10:28 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-07 10:28 <DIR> d-------- C:\Program Files\Picasa2
2007-09-05 19:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 18:15 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-05 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-05 15:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 15:47 <DIR> d-------- C:\DOCUME~1\family\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 15:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 14:14 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-28 17:57 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-28 17:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-28 17:56 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 22:08 --------- d-------- C:\Program Files\SpywareBlaster
2007-09-25 20:47 --------- d-------- C:\Program Files\Microsoft Money
2007-09-07 14:02 --------- d-------- C:\Program Files\ZipCentral
2007-09-07 10:28 --------- d-------- C:\Program Files\Google
2007-08-28 17:58 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-28 17:57 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-28 17:54 --------- d-------- C:\Program Files\Avanquest update
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSTITL.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSTEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSTMP.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSPEC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSSCRP.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSREH_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSMET_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRSCHOR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\RPRS____.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSTEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSSE__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSS___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSROMC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSPC__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSP___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSO___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSNN__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSM___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSJAPC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFS__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFBE_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSFB__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSCSC_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSCS__.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUSC___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\OPUS____.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INKPEN2_.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2TEXT.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2SPEC.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2SCRI.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2METR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\INK2CHOR.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELST___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSS___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSM___.FOT
2007-06-28 20:52 1409 --a------ C:\WINDOWS\Fonts.\HELSINKI.FOT
2007-03-20 16:27 9232 --a------ C:\DOCUME~1\family\mqdmmdfl.sys
2007-03-20 16:27 92064 --a------ C:\DOCUME~1\family\mqdmmdm.sys
2007-03-20 16:27 79328 --a------ C:\DOCUME~1\family\mqdmserd.sys
2007-03-20 16:27 66656 --a------ C:\DOCUME~1\family\mqdmbus.sys
2007-03-20 16:27 6208 --a------ C:\DOCUME~1\family\mqdmcmnt.sys
2007-03-20 16:27 5936 --a------ C:\DOCUME~1\family\mqdmwhnt.sys
2007-03-20 16:27 4048 --a------ C:\DOCUME~1\family\mqdmcr.sys
2007-03-20 16:27 25600 --a------ C:\DOCUME~1\family\usbsermptxp.sys
2007-03-20 16:27 22768 --a------ C:\DOCUME~1\family\usbsermpt.sys
2007-01-28 11:54 557056 --a------ C:\DOCUME~1\family\GoToAssist_phone__319_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 18:35]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50]
"Cmaudio"="cmicnfg.cpl" []
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 11:51]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 09:02]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 11:00:00 C:\WINDOWS\Tasks\main backup.job"
- C:\WINDOWS\system32\ntbackup.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 09:10:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-28 9:14:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 09:14
C:\ComboFix2.txt ... 2007-09-05 13:16
.
--- E O F ---


And a new HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:19:33, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7286 bytes


And after that little lot, I have task manager and control panel back, and no nasty privilege messages anywhere that I had yesterday...


Has that sorted it?


:blink:

Steve




#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 October 2007 - 01:23 PM

Hi Steve, thanks for your patience

I'm sorry I didn't reply sooner, but my ISP has been having some problems so I've not had any Internet connection at home since last Friday, and I've been too busy with work to look for any alternative ways of getting online. I now have just over 200 emails to work through but I'm hoping most are spam to make it easier to catch up :)

Can you repeat the policy key export and upload it again? It's still showing a lot of restrictive entries present, but with you saying you can now access the Control Panel I'm not sure if that export was taken and then one of the tools removed the policy values, or if they still exist, so a fresh export would make it clearer and we can easily remove any that remain.

Thanks

Andy

#5 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 05 October 2007 - 02:15 PM

Ok, I've rerun the check.bat export again. I've renamed the new result.txt as result2 to avoid confusion on the log here...

Thanks.




#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 October 2007 - 02:47 PM

Thanks Steve

That new export is fine, so one of the tools you used earlier would have removed the restrictive policy values that were causing problems. Can you run a couple more scans when you have the time to make sure that Bagle worm detection from BitDefender wasn't accurate, or, if it was accurate, to make sure it didn't run on your system, as that worm can cause a lot of problems. It's not showing any signs in the Combofix log but it's best to double check, especially as BitDefender's results didn't show where it detected the file or what its name was.

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the fsbl.exe file.

Assuming the Kaspersky scan shows clear and Blacklight doesn't find any hidden files, then I'd just suggest reading Tony Klein's excellent article below to help avoid further infections:
So how did I get Infected in the First Place?

If Kaspersky does find infections though or if Blacklight finds any hidden files please post back the logs and we can take it from there.

Cheers

Andy

#7 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 05 October 2007 - 05:07 PM

Kaspersky took a fair while and it found a few things so I'll post the log from that then go play with t'other one...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 05, 2007 6:03:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 5/10/2007
Kaspersky Anti-Virus database records: 427842
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93097
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:31:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\891104db49c388d99c18d9cb7b1ea7a0_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fe90735e35b8edaa78f7abc6fb860a01_9226631d-4f46-4a75-ba66-276481b58a62 Object is locked skipped
C:\Documents and Settings\family\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Identities\{66817EC6-B13A-41D7-A011-359FB3B8EE51}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\History\History.IE5\MSHist012007100520071006\index.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temp\Perflib_Perfdata_d94.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temp\~DF46E9.tmp Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Download\adaware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Download\adaware\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_family.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\p2pce.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSDP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSIP.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\A0052612.exe Object is locked skipped
C:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Motive\btbb\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe/WISE0004.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\WINDOWS\Motive\btbb\UninstallHelper.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B552B82B-8265-44B4-B218-6D08E7B955CA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{04DDD082-6064-4FF5-8FE3-6677C6AA6555}\RP200\change.log Object is locked skipped

Scan process completed.

#8 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 05 October 2007 - 05:12 PM

having a problem with blacklight beta....

graphical user interface version tells me it's out of evaluation period...

command line version blinks and vanishes when run...


suggestions?

#9 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 October 2007 - 11:32 PM

Thanks for letting me know about the Blacklight error; they had kept extending the beta when it expired, but it looks like it may only be available in the Internet Security Suite now.

Use one of these below when you have the time, but with Kaspersky not finding problems, the BitDefender detection for Bagle was possibly just for an email attachment, as your logs look fine:

http://research.pandasecurity.com/archive/...rsion-1.07.aspx
http://www.grisoft.com/doc/products-avg-an...ootkit/us/crp/6
http://vil.nai.com/v.../rkstinger.aspx
http://www.trendmicr...oad/rbuster.asp
http://www.sophos.com/products/free-tools/...otkit/download/

Kaspersky detected a file that Smitfraudfix uses to restart the PC and detected a file from your ISP which is used if it's uninstalling or updating, so that's fine to ignore. Let me know if there are any remaining problems though, or if the rootkit scan finds any hidden files.

Cheers

#10 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 07 October 2007 - 03:07 PM

I've used AVG Rootkit scanner and it's found one hidden file. Rather than just remove it, I thought I'd log the report here first - it looks innocent enough, but what do I know :blink:

As there didn't seem to be a save function, I've copied the screen to a jpg and uploaded it - hope that works...

Attached Files



#11 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 10 October 2007 - 10:29 PM

Hi Steve,

I'd agree it looks innocent enough as it's a Microsoft file. Can you check if you can locate the file or if it is hidden by going to Start > Run > then copy/paste

C:\WINDOWS\system32\drivers\

Press OK, then right click an empty space in the drivers folder and click Arrange Icons By > Name and check for the sysaudio.sys file. If you find it, right click the file and choose Properties, then the Version tab, and it should show System Audio WDM Filter as the description and Microsoft as the company.

Cheers

#12 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 11 October 2007 - 08:09 AM

AndyManchesta, on Oct 10 2007, 11:29 PM, said:

Hi Steve,

I'd agree it looks innocent enough as it's a Microsoft file. Can you check if you can locate the file or if it is hidden by going to Start > Run > then copy/paste

C:\WINDOWS\system32\drivers\

Press OK, then right click an empty space in the drivers folder and click Arrange Icons By > Name and check for the sysaudio.sys file. If you find it, right click the file and choose Properties, then the Version tab, and it should show System Audio WDM Filter as the description and Microsoft as the company.

Cheers

Yes, it is that version - looks like we're sorted.

Many thanks

Steve

#13 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 17 October 2007 - 02:02 PM

Cheers Steve,

Let us know if you have more problems anytime

Happy Surfing :)

Andy

#14 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 20 November 2007 - 10:02 AM

I would normally start a new topic, but I've basically got the same problem as before - loss of privileges and task manager. I've been trying to follow through with the previous guidance, but I'm having a problem with ComboFix, which I think was the big killer last time around. I've deleted the old version from my desktop and tried downloading it from various sources, but every time I run it, it tells me I need a new version. Can anyone tell me if there is a new version anywhere or what I should try instead?

Thanks.

#15 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 20 November 2007 - 10:48 AM

Hi Steve,

Combofix cannot be used for the time being due to the expiry date that is written into the tool; the developer will have to release a newer version for it to run correctly, so until that happens you will need to use other tools. If the restrictions have returned then it's likely the system has been reinfected, so it's best to start by posting a HijackThis log so we can see if anything new is showing; then we can clean things up either manually or by using other programs.

Cheers

#16 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 20 November 2007 - 10:57 AM

AndyManchesta, on Nov 20 2007, 10:48 AM, said:

Hi Steve,

Combofix cannot be used for the time being due to the expiry date that is written into the tool; the developer will have to release a newer version for it to run correctly, so until that happens you will need to use other tools. If the restrictions have returned then it's likely the system has been reinfected, so it's best to start by posting a HijackThis log so we can see if anything new is showing; then we can clean things up either manually or by using other programs.

Cheers

Bother...

That's a real shame, that was very useful...

OK, I'll get on to the HJT as soon as my current SuperAntiSpyware run is complete...

Thanks, Andy, I'll be back later...

#17 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 20 November 2007 - 11:02 AM

Yeah, it is a shame, but hopefully it will not be for long; sUBs must be busy or unable to get online, but I'm sure he will get CF updated when he can. When you post the HJT log, can you also post a Smitfraudfix report to see if that shows any problems? I'm sure you've used it plenty of times, but here are the setup instructions if needed :)

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks

#18 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 20 November 2007 - 11:45 AM

Here's HijackThis... now I'll go play with SmitFraud...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:34, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.amazon.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://magnet.2020.net/virtualplanner/Core...yerAX_Win32.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7490 bytes



and here's the SmitFraudFix...

Scan done at 11:47:42.28, 20/11/2007
Run from C:\Documents and Settings\family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\family


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\family\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sol629.txt"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#19 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 20 November 2007 - 02:43 PM

Thanks Steve,

You should print out these instructions, or copy them to a Notepad file and save it to your desktop for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download HostXpert from here

http://www.funkytoad.../HostsXpert.zip

Extract the folder, but there's no need to use it yet as it's likely the hosts file will be modified again while the trojans are still running.

Run HijackThis and choose Do A System Scan then place a check next to these entries

O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt

Close all open browsers and other windows except for HijackThis and press the Fix Checked button

Click Config... in the bottom right corner of hijackthis and click Misc Tools (Or reopen HijackThis and click Open the Misc tools section)

Then click Delete a file on reboot

In the File Name field, copy and paste this:

C:\WINDOWS\system32\sol629.txt

Then click Open

Hijackthis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes

Your system should then reboot

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Next, open the HostsXpert program and click Restore MS Hosts File and OK at the prompt; you can then exit the program. (If you use any protective Hosts files such as HpHosts or MVPs Hosts then these will need to be reinstalled; HostsXpert does have a download option though to allow either of those hosts files to be added.)


Download Deckard's System Scanner (DSS) to your Desktop.

**Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back on here. Please also attach extra.txt to your post.

To attach a file to a new post, click browse under the reply window and copy and paste this into it C:\Deckard\System Scanner\extra.txt then click Upload

Let me know if you have any problems, and if you still cannot access Task Manager or Control Panel etc. after using SmitFraudfix then please also upload a policy key export as we used earlier in this topic

Thanks
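The three HijackThis entries Andy picks out (the O4 autorun sitting directly in C:\WINDOWS, the O7 DisableRegedit policy and the O20 AppInit_DLLs pointing at a .txt file) and the SmitfraudFix hosts entries that send Microsoft and Panda domains to 192.168.200.3 are exactly the patterns a small triage script can flag before anyone reads a 200-line log by hand. This is an added Python example, not part of the thread and not code from HijackThis or SmitfraudFix; the sample lines are copied from the logs posted above, and the policy-value names and the protected-domain list are this example's own assumptions.

```python
import re

# Constructed sample input: lines taken from the HijackThis and SmitfraudFix
# reports posted in this thread, plus a few benign entries for contrast.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\sol629.txt",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
]
SAMPLE_HOSTS = [
    "127.0.0.1 localhost",
    "192.168.200.3 windowsupdate.microsoft.com",
    "192.168.200.3 www.pandasoftware.com",
    "127.0.0.1 ads.example.invalid   # a legitimate blocking entry",
]

# Policy values behind the "disabled by your administrator" symptoms in this
# thread (assumed list for the example; extend as needed).
POLICY_RESTRICTIONS = {"DisableRegedit", "DisableTaskMgr", "NoControlPanel", "NoRun"}

# Domains a hosts-file hijack typically redirects to block updates and AV
# downloads (assumed list built from the vendors mentioned in the thread).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "pandasoftware.com",
                      "kaspersky.com", "grisoft.com", "bitdefender.com")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\S+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
WINDIR = "c:\\windows\\"


def _first_path(cmd):
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_hjt_line(line):
    """Return a list of findings for one HijackThis line (empty if nothing notable)."""
    findings = []
    m = O4_RE.match(line)
    if m:
        path = _first_path(m.group("cmd"))
        p = path.lower()
        # Heuristic: a startup executable dropped straight into C:\WINDOWS rather
        # than a subfolder is unusual for legitimate software and worth a look.
        if p.startswith(WINDIR) and "\\" not in p[len(WINDIR):]:
            findings.append(f"O4 [{m.group('name')}]: autorun executable in the Windows root: {path}")
        return findings
    m = O7_RE.match(line)
    if m and m.group("value") in POLICY_RESTRICTIONS and m.group("data") != "0":
        findings.append(f"O7: restrictive policy {m.group('value')}={m.group('data')} under {m.group('key')}")
        return findings
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs is loaded into every user-mode process; a module that is
        # not even named .dll is a strong sign the value was planted by malware.
        for mod in re.split(r"[ ,]+", m.group("dlls").strip()):
            if mod and not mod.lower().endswith(".dll"):
                findings.append(f"O20 AppInit_DLLs: non-.dll module loaded into every process: {mod}")
    return findings


def check_hosts_line(line):
    """Flag hosts entries that point update/AV vendor names at a non-loopback address."""
    line = line.split("#", 1)[0].strip()
    parts = line.split()
    if len(parts) < 2:
        return []
    ip, names = parts[0], parts[1:]
    if ip.startswith("127.") or ip in ("0.0.0.0", "::1"):
        return []  # ordinary blocking entries are fine
    findings = []
    for name in names:
        n = name.lower()
        if any(n == s or n.endswith("." + s) for s in PROTECTED_SUFFIXES):
            findings.append(f"hosts: {name} redirected to {ip} (blocks updates / AV downloads)")
    return findings


def triage(hjt_lines, hosts_lines):
    """Run both checks and return all findings in report order."""
    findings = []
    for line in hjt_lines:
        findings.extend(check_hjt_line(line.rstrip("\r\n")))
    for line in hosts_lines:
        findings.extend(check_hosts_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_HOSTS):
        print(f)
```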

#20 OFFLINE   scotiabahn

    Advanced Member

  • Members
  • 114 posts

Posted 20 November 2007 - 03:09 PM

that sounds a bit fiddly... probably worth giving it my undivided attention this evening rather than trying to do it piecemeal at the moment...

Thanks, Andy - I'll get back to you with the results in due course...