8 replies to this topic

[martlet]

I have got a ton of spyware and viruses from being greedy and trying to download software to watch football online, I am normally good with safety but i was silly this time.

I cant even run hijack this, i open it and within about 3 seconds it just closes its self down! any ideas? and if i can get it to work i would love to post my results from the hijack this log.

I cant run system restore either as it doesnt work

Ive got IE-BAR and some chinese thing in my add/remove programmes when I remove them and restart they are back again

I was told my someone to run "combofix"? this is what that did:

Ben Pritchard - 06-08-24 8:46:08.57
ComboFix 06.08.24 - Running from: C:\Program Files\Mozilla Firefox

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\regedit.com


((((((((((((((((((((((((((((((( Files Created from 2006-07-24 to 2006-08-24 ))))))))))))))))))))))))))))))))))


2006-08-24 08:44 55,808 --a------ C:\WINDOWS\SYSTEM32\myrx.dll
2006-08-23 21:27 50,939 -r-hs---- C:\WINDOWS\WINLOGON.EXE
2006-08-23 21:27 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\regedit.com
2006-08-23 20:09 147,456 --a------ C:\WINDOWS\SYSTEM32\Vbzip11.dll
2006-08-23 20:09 143,360 --a------ C:\WINDOWS\SYSTEM32\vbuzip10.dll
2006-08-23 20:09 10,752 --a------ C:\WINDOWS\SYSTEM32\aamd532.dll
2006-08-23 17:47 15,872 -r-hs---- C:\WINDOWS\SYSTEM32\Downdll.dll
2006-08-23 17:33 31,232 ---hs---- C:\WINDOWS\SYSTEM32\Realplayer.exe
2006-08-23 17:33 16,384 --------- C:\WINDOWS\SYSTEM32\brlmon.dll
2006-08-23 08:18 65,536 --a------ C:\WINDOWS\SYSTEM32\100setup.exe
2006-08-23 08:18 62,464 --a------ C:\WINDOWS\SYSTEM32\wsetup.exe
2006-08-23 08:18 61,440 --a------ C:\WINDOWS\SYSTEM32\mnt32.exe
2006-08-23 08:18 118,784 --a------ C:\WINDOWS\SYSTEM32\arpa.exe
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\rundll32.com
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\MSCONFIG.COM
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\finder.com
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\dxdiag.com
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\SYSTEM32\command.pif
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\finder.com
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\explorer.com
2006-08-22 20:37 50,939 -r-hs---- C:\WINDOWS\ExERoute.exe
2006-08-22 20:37 50,939 --------- C:\WINDOWS\1.com
2006-08-22 20:37 37,428 --a------ C:\WINDOWS\SYSTEM32\internst.exe
2006-08-22 20:37 13,905 --a------ C:\WINDOWS\SYSTEM32\intranet.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))


2006-08-24 08:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-24 08:44 -------- d-------- C:\Program Files\DeskAdTop
2006-08-24 08:44 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-23 21:28 -------- d-------- C:\Program Files\Common Files
2006-08-23 20:42 -------- d-------- C:\Program Files\Free Spyware Scanner
2006-08-23 18:00 -------- d-------- C:\Documents and Settings\Ben Pritchard\Application Data\ppstream
2006-08-23 17:59 -------- d-------- C:\Program Files\IrfanView
2006-08-23 17:33 -------- d-------- C:\Program Files\Tencent
2006-08-22 21:09 -------- d-------- C:\Documents and Settings\Ben Pritchard\Application Data\PPLive
2006-08-22 21:08 -------- d-------- C:\Program Files\Common Files\Synacast
2006-08-22 20:37 50939 -r-hs---- C:\Program Files\Common Files\iexplore.pif
2006-08-22 20:37 -------- d-------- C:\Program Files\Internet Explorer
2006-08-22 16:54 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-20 16:38 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-08-20 16:02 -------- d-------- C:\Documents and Settings\Ben Pritchard\Application Data\SopCast
2006-08-20 16:01 -------- d-------- C:\Program Files\SopCast
2006-08-11 09:05 777472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-08-11 09:05 27904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-08-07 08:27 -------- d-------- C:\Program Files\Windows Media Player
2006-08-05 08:27 -------- d-------- C:\Program Files\Messenger
2006-08-05 08:25 -------- d-------- C:\Program Files\Windows NT
2006-08-05 08:25 -------- d-------- C:\Program Files\Outlook Express
2006-08-05 08:25 -------- d-------- C:\Program Files\NetMeeting
2006-08-05 08:25 -------- d-------- C:\Program Files\Movie Maker
2006-08-05 08:25 -------- d-------- C:\Program Files\Common Files\System
2006-08-04 14:40 -------- d---s---- C:\Documents and Settings\Ben Pritchard\Application Data\Microsoft
2006-07-24 09:15 -------- d-------- C:\Program Files\MSN Messenger
2006-07-24 09:15 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-23 15:29 -------- d-------- C:\Program Files\Yahoo!
2006-07-14 17:14 -------- d-------- C:\Program Files\RAM Def
2006-07-14 17:09 -------- d-------- C:\Program Files\Bazooka Scanner
2006-07-14 17:09 -------- d-------- C:\Program Files\Advanced Spyware Remover
2006-06-23 09:28 761344 --a------ C:\WINDOWS\SYSTEM32\wininet(2).dll
2006-06-16 14:34 48936 --a------ C:\WINDOWS\SYSTEM32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.ex e"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.ex e"
"BCMSMMSG"="BCMSMMSG.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.ex e"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"CloneCDTray"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe\""
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"MOUSE"="C:\\WINDOWS\\System32\\Mousexp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc. exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"intranet"="C:\\WINDOWS\\System32\\intranet.ex e"
"Realplayer.exe"="C:\\WINDOWS\\System32\\Realplaye r.exe"
"Spy Watcher"="\"C:\\PROGRA~1\\FREESP~1\\SpyWatcher.exe \" -S"
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Realplayer.exe"="C:\\WINDOWS\\System32\\Realplaye r.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00 ,9a,03,00,00,20,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00 ,00,00,00,9a,03,00,00,20,03,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00 ,00,00,00,9a,03,00,00,20,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EX E"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EX E"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Messenger"=dword:00000002



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 24/08/2006 8:48:09.17
ComboFix.txt


Not sure if that helps, AVG is fiunding trojans all the time and adaware etc keeps finding numerous spyware, winampe.exe etc - please help!!!

[AndyManchesta]

Hi martlet

Please see this topic

http://forum.ccleane...?showtopic=6382

You have the same trojan as he does, it causes far too much damage to be able to repair with antimalware scanners so your best backing up your important data to disk and formatting the machine then reinstalling windows, if that isnt a option then please follow the part on my first reply at the above link about submitting samples to me so I can help reverse the damage , I tested a variant of this trojan afew weeks ago and no matter what you do on the machine it will reinstall the infection, open IE, Regedit, MSConfig, Control Panel, exe files, inf files etc.. it will fully reinstall the infection so Id need samples to monitor all its registry changes to be able to help you remove it, its probably going to be alot quicker to just backup your data and format the machine.

Andy

[Lord Draconis II]

Unless you have more than 1 trojan I think you can pinpoint the problem to REALPLAYER.EXE and BRLMON.DLL.

Yes. It's caused by the spyware realplayer.exe and brlmon.dll. It ends HijackThis's process when HijackThis is loaded. It also kills things like killbox and others. Pretty prevalent right now. I'm guessing that your IE home page has been changed to something like 7939.com too?

The spyware has two parts: Realplayer.exe and brlmon.dll and they are both in C:\WINDOWS\system32\. They observe each other every so often so you cannot just delete one of them. It'll be back.

To get rid of this spyware, follow these instructions very carefully and don't skip any.

1. CTRL+ALT+DEL to bring up task manager. In the Processes list, find Realplayer.exe and end it.
2. Now, end explorer.exe. [Important!] Your desktop will disappear.
3. Goto File->New Task(Run) and enter explorer.exe again. Your desktop is back.

[Steps 2 and 3 are needed to get rid of brlmon.dll. brlmon.dll automatically runs when your computer boots up and runs explorer.exe. Ending explorer.exe ends brlmon.dll and running explorer.exe again won't bring brlmon.dll back, as the computer didn't reboot. If you don't end brlmon.dll, then you cannot delete Realplayer.exe.]

4. NOW, go to C:\WINDOWS\system32 and find Realplayer.exe and brlmon.dll. SHIFT+DELETE them. If you just sent them to the recycle bin remember to delete them immediately afterwards.
5. Go to the registry. (Click Start->Run and type in regedit. Enter) Find these entries and delete them:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Realplayer.exe"="%System%\Realplayer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realplayer.exe"="%System%\Realplayer.exe"

6. Now, go to the keys below and delete them.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT] <-NOT THE WHOLE THING! Just the Microsoft NT key.

The Microsoft NT Key should have these subkeys: Windows\CurrentVersion\Winlogon\"Shell"="Explorer.exe %System%\Realplayer.exe". Delete the Microsoft NT key (just right click on the folder looking thing and choose delete. Again, DON'T DELETE THE WRONG THING. JUST THE MICROSOFT NT KEY.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RunDown] <- NOT THE WHOLE THING! Just the RunDown key.
The RunDown Key should have these subkeys: info\"vvad"="0". Delete the RunDown Key.

7. That's it. The spyware's hopefully gone. Now change IE's homepage back to something you like. Either do it in the registry or do it by right clicking the IE icon and choose properties. But DON'T run IE until you've changed the homepage! Because chances are you'll be taken to that page again and have that spyware downloaded onto your machine all over again! So changing it in the registry seems best. Change the entry:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.7939.com/"

. The Start Page entry is what determines IE's homepage. Change it to something like google.

Then just run IE, and delete the temporary files and cookies.

Well that should do the trick =).

[AndyManchesta]

Hey Lord Draconis II

Im abit late to reply but havent been able to get on the pc for the last week, the solution you gave will not help with the issue they are having which is why I suggested they format the pc, I wouldnt suggest that unless I thought it was the quickest solution for them, your solution may solve one of the problems but the main issue there is Password stealer Wowcraft [Torjan Program] and the amount of changes it makes to the registry to change file associations. Without a sample of the variant they have it would be very difficult to repair the damage so a format is the best solution.

Here's some of the reg keys the trojan creates/modifies when it runs which might help justify the format option

[HKEY_CLASSES_ROOT\Applications\iexplore.exe]

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell]

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open]

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif]

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell]
@="opennew"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew]
@="&Open"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew\command]
@="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew\ddeexec]
@="\"%1\",,-1,0,,,,"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew\ddeexec\Application]
@="IExplore"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew\ddeexec\IfExec]
@="*"

[HKEY_CLASSES_ROOT\Applications\iexplore.pif\shell\opennew\ddeexec\Topic]
@="WWW_OpenURLNewWindow"

[HKEY_CLASSES_ROOT\winfiles]

[HKEY_CLASSES_ROOT\winfiles\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\winfiles\Shell]

[HKEY_CLASSES_ROOT\winfiles\Shell\Open]

[HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]
@="C:\\WINDOWS\\ExERoute.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]
@="iexplore.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE]
@="Internet Explorer"
"LocalizedString"="@C:\\Program Files\\Internet Explorer\\iexplore.exe,-702"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]
@="C:\Program Files\Internet Explorer\iexplore.com" %1

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]
@="SystemRoot%\explorer.com"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"command" = "rundll32.com appwiz.cpl %1"

[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.com shell32.dll,Control_RunDLL %1,%*"

[HKEY_CLASSES_ROOT\file\shell\open\command]
@="rundll32.com url.dll,FileProtocolHandler %l"

[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="finder.com shdocvw.dll,OpenURL %l" 

[HKEY_CLASSES_ROOT\Unknown\shell\openas\command]
@="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command]
@="finder.com shdocvw.dll,OpenURL %l"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\ToolSets\MSInfo\hdwwiz\]
"command" = "%SystemRoot%\System32\command.pif"

[HKEY_CLASSES_ROOT\.bfc\shellnew]
"command" = "%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif]
"LocalizedString"="iexplore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command]
@="\"C:\\Program Files\\common~1\\iexplore.pif\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids]
"winfiles"=hex(0):

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Check_Associations"="No"

[HKEY_CLASSES_ROOT\.exe]
@="winfiles"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.com\""

[HKEY_CLASSES_ROOT\cplfile]
@="Control Panel extension"

[HKEY_CLASSES_ROOT\cplfile\shell]

[HKEY_CLASSES_ROOT\cplfile\shell\cplopen]
@="Open with Control Panel"

[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.com shell32.dll,Control_RunDLL \"%1\",%*"

[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@="%SystemRoot%\\explorer.com"

[HKEY_CLASSES_ROOT\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\rundll32.com NETSHELL.DLL,InvokeDunFile %1"

[HKEY_CLASSES_ROOT\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.com\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\common~1\\iexplore.pif\" %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec]
@="\"%1\",,-1,0,,,,"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\ddeexec\Application]
@="IExplore"

[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
@="rundll32.com %SystemRoot%\\system32\\mshtml.dll,PrintHTML \"%1\""

[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="%SystemRoot%\\System32\\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="finder.com desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command]
@="\"C:\\WINDOWS\\system32\\rundll32.com\" C:\\WINDOWS\\system32\\scrobj.dll,GenerateTypeLib \"%1\""

[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="finder.com url.dll,TelnetProtocolHandler %l"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"

Andy

[TonyKlein]

I'm even LATER than Andy, but this appears to be your baddie:

http://uk.trendmicro-europe.com/enterprise...e=TROJ_DELF.CNV

Incidentally, in such a case temporarily renaming hijackthis.exe, say, to nothijackthis.exe ought to allow you to launch and run the application again.

[AndyManchesta]

Hi Tony

This is the Trojan I noticed in the log

ComboFix 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Torjan Program"="C:\\WINDOWS\\WINLOGON.EXE"

C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\SYSTEM32\rundll32.com
C:\WINDOWS\SYSTEM32\MSCONFIG.COM
C:\WINDOWS\SYSTEM32\finder.com
C:\WINDOWS\SYSTEM32\dxdiag.com
C:\WINDOWS\SYSTEM32\command.pif
C:\WINDOWS\finder.com
C:\WINDOWS\explorer.com
C:\WINDOWS\ExERoute.exe
C:\WINDOWS\1.com
C:\Program Files\Common Files\iexplore.pif

Its not a nice one to fix even when we have access to the machine so I think it would be very difficult to repair its damage on a forum, I do have a sample of this trojan if you want to test it but I cannot be sure its the same variant this user has as I didnt receive any files from them,

Cheers

Andy

[TonyKlein]

He certainly has that one, but he's got the one I linked to as well. It redirects your search page to 7939.com, and restricts a number of applications from running, among them HijackThis.

I was able to obtain a sample of that one, which is why this post attracted my attention...

II will certainly admit that this IS a heavily infected machine, and it might not be a bad idea to start from scratch, as you already suggested...

[AndyManchesta]

Cheers Tony

I did see the symantec write up when I was testing that trojan but it seems to have alot of variants as the one I have makes more changes that what they list, It totally destroyed by test machine and I couldnt run any .exe files because of the changes made to file associations, It took me a couple of hours to get things up and running again and was then able to get the monitoring tools working to find out where it dropped all its files and which registry entries it changed but I wouldnt attempt to fix it on a forum without a sample of the one they have as installing inf or running .exe files, opening IE, control panel etc.. can make it fully reinstall until all its reg entries are fixed.

Im not familiar with the delf variant but I had alot of problems with fixing the Wowcraft trojan on my own machine to know its probably quicker to just start again.

Thanks

Andy

[TonyKlein]

That does sound demoralizing... I agree that it might be best to start afresh...