a-trojan 2.0 and anti-spy


Solved a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 5:05 am

Hi, I hope I'm doing this right, I apologize if I'm not... Anyhow, I was trying to view a movie online and wham! My computer shut itself down and restarted to tell me that I'd been infected with spyware, and apparently a few trojans. It disabled my McAfee virus scan; it will not perform a scan at all... and it installed an antispy something in my tray that kept popping up and wouldn't let me search the web unsecured or something. The antispy icon and popup disappeared after 2 restarts, but they're still lurking... please help me... thank you...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:51 AM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Calorie Count Plus Toolbar - {A057A204-BACC-4D26-DFC4-6BAE8BAD3DC9} - C:\PROGRA~1\ccptb\ccptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe
O4 - HKLM\..\RunOnce: [ScanNClnPostRbt] C:\Program Files\Norton Security Scan\Nss.exe /OnReboot
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &AOL Toolbar search - [You must be registered and logged in to see this link.] Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: McAfee Application Installer Cleanup (0243301224982131) (0243301224982131mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Owner\LOCALS~1\Temp\024330~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 11150 bytes


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 1:07 pm

Hello ajinat.
I'm willing to bet you have tdssserv rootkit.

1. Please download combofix from [You must be registered and logged in to see this link.]
2. Follow the prompts and select yes to install the Recovery Console when it asks.
3. After scanning, it might reboot your PC, this is normal.
4. When finished, it shall produce a log for you. Post that log in your next reply.





Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 2:45 pm

Hey, thanks for replying so quick! I tried that link, but it downloaded it with a wack name like c0mb0f!x, and it said I couldn't change the name or something, so I downloaded it from a link on bleepingcomputer with the normal name. It says it didn't find any infected stuff and it never gave me the option for recovery or restarted... I think my computer gets worse every time it restarts, I can only open in safe mode now... Do you still want the report if it didn't find anything? It's too big to post all at once, it says...

Start Time= Sun 10/26/2008 10:26:16.56

QuickScan did not find any signs of infected files


2008-10-26 10:21:06 389120 ( A.... ) "C:\WINDOWS\system32\CF19642.exe"
2008-10-26 10:18:54 389120 ( A.... ) "C:\WINDOWS\system32\CF19207.exe"
2008-10-26 10:18:32 389120 ( A.... ) "C:\WINDOWS\system32\CF19139.exe"
2008-10-26 01:45:52 30720 ( A.... ) "C:\WINDOWS\system32\TDSSnmxh.dll"
2008-10-26 01:45:48 2748 ( A.... ) "C:\WINDOWS\system32\TDSSliqp.dll"
2008-10-26 01:45:32 36864 ( A.... ) "C:\WINDOWS\system32\TDSSoiqh.dll"
2008-10-26 00:20:44 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2008-10-26 00:20:36 ( .D... ) "C:\Program Files\Norton Security Scan"
2008-10-26 00:08:00 ( .D... ) "C:\Program Files\Windows Live Safety Center"
2008-10-25 20:48:58 ( .D... ) "C:\Program Files\STOPzilla!"
2008-10-25 20:48:56 ( .D... ) "C:\Program Files\Common Files\iS3"
2008-10-25 19:46:00 ( .D... ) "C:\Program Files\Common Files\PC Tools"
2008-10-25 19:45:56 ( .D... ) "C:\Program Files\Spyware Doctor"
2008-10-25 19:07:54 ( .D... ) "C:\Documents and Settings\Owner\Application Data\McAfee"
2008-10-25 18:57:36 19766 ( A.... ) "C:\Documents and Settings\Owner\Application Data\zycen.dat"
2008-10-25 18:57:36 14790 ( A.... ) "C:\WINDOWS\system32\efex.reg"
2008-10-25 18:57:36 13725 ( A.... ) "C:\Program Files\Common Files\dypynin.vbs"
2008-10-25 18:57:36 13040 ( A.... ) "C:\Documents and Settings\Owner\Application Data\yquper.dll"
2008-10-25 18:57:36 11429 ( A.... ) "C:\Program Files\Common Files\ucogomi._sy"
2008-10-25 18:57:36 10410 ( A.... ) "C:\Documents and Settings\Owner\Application Data\mulo.exe"
2008-10-25 18:57:04 ( .D... ) "C:\Program Files\AntiSpywareXP2009"
2008-10-25 18:56:08 60578 ( A.... ) "C:\WINDOWS\system32\wini10801.exe"
2008-10-25 18:52:26 114 ( A.... ) "C:\WINDOWS\system32\delself.bat"
2008-10-25 18:47:20 2760 ( A.... ) "C:\WINDOWS\system32\TDSSdxcp.dll"
2008-10-25 18:47:16 30720 ( A.... ) "C:\WINDOWS\system32\TDSSxhyf.dll"
2008-10-25 18:47:10 77824 ( A.... ) "C:\WINDOWS\system32\TDSScfbv.dll"
2008-10-25 18:47:04 31232 ( A.... ) "C:\WINDOWS\system32\TDSSvoql.dll"
2008-10-25 18:47:00 29696 ( A.... ) "C:\WINDOWS\system32\TDSSarxx.dll"
2008-10-25 18:46:56 26112 ( A.... ) "C:\WINDOWS\system32\TDSSoity.dll"
2008-10-25 18:23:56 ( .D... ) "C:\Program Files\Mozilla Firefox"
2008-10-25 09:35:14 21654 ( A.... ) "C:\Documents and Settings\Owner\Application Data\wklnhst.dat"
2008-10-23 11:01:54 17408 ( A...R ) "C:\WINDOWS\system32\SZIO5.dll"
2008-10-23 11:00:54 278528 ( A...R ) "C:\WINDOWS\system32\SZBase5.dll"
2008-10-23 11:00:30 536576 ( A...R ) "C:\WINDOWS\system32\SZComp5.dll"
2008-10-15 12:34:24 337408 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2008-10-09 21:05:44 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2008-10-09 20:33:34 ( .D... ) "C:\Program Files\Warcraft III"
2008-10-07 12:19:42 16721856 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2008-10-05 14:39:20 ( .D... ) "C:\Program Files\SiteAdvisor"
2008-10-05 14:36:18 ( .D... ) "C:\Program Files\Common Files\McAfee"
2008-10-05 14:36:16 ( .D... ) "C:\Program Files\McAfee.com"
2008-10-05 14:35:54 ( .D... ) "C:\Program Files\McAfee"
2008-10-04 23:36:18 ( .D... ) "C:\Program Files\Windows Installer Clean Up"
2008-10-04 23:36:06 ( .D... ) "C:\Program Files\MSECACHE"
2008-10-03 13:41:16 6066176 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
2008-09-29 14:08:36 126976 ( A...R ) "C:\WINDOWS\system32\IS3HTUI5.dll"
2008-09-29 14:08:28 364544 ( A...R ) "C:\WINDOWS\system32\IS3DBA5.dll"
2008-09-29 14:07:44 372736 ( A...R ) "C:\WINDOWS\system32\IS3UI5.dll"
2008-09-29 14:07:28 61440 ( A...R ) "C:\WINDOWS\system32\IS3Hks5.dll"
2008-09-29 14:07:08 23040 ( A...R ) "C:\WINDOWS\system32\IS3XDat5.dll"
2008-09-29 14:06:52 212992 ( A...R ) "C:\WINDOWS\system32\IS3Win325.dll"
2008-09-29 14:06:30 94208 ( A...R ) "C:\WINDOWS\system32\IS3Inet5.dll"
2008-09-29 14:06:18 90112 ( A...R ) "C:\WINDOWS\system32\IS3Svc5.dll"
2008-09-29 14:03:14 708608 ( A...R ) "C:\WINDOWS\system32\IS3Base5.dll"
2008-09-19 17:55:58 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2008-09-19 17:55:58 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2008-09-17 23:55:00 13574144 ( A.... ) "C:\WINDOWS\system32\nvcpl.dll"
2008-09-17 23:55:00 8826880 ( A.... ) "C:\WINDOWS\system32\nvoglnt.dll"
2008-09-17 23:55:00 6057472 ( A.... ) "C:\WINDOWS\system32\nv4_disp.dll"
2008-09-17 23:55:00 5799936 ( A.... ) "C:\WINDOWS\system32\nvdispsr.dll"
2008-09-17 23:55:00 4149248 ( A.... ) "C:\WINDOWS\system32\nvvitvsr.dll"
2008-09-17 23:55:00 3989504 ( A.... ) "C:\WINDOWS\system32\nvdisps.dll"
2008-09-17 23:55:00 3764224 ( A.... ) "C:\WINDOWS\system32\nvvitvs.dll"
2008-09-17 23:55:00 3457024 ( A.... ) "C:\WINDOWS\system32\nvgamesr.dll"
2008-09-17 23:55:00 3444736 ( A.... ) "C:\WINDOWS\system32\nvgames.dll"
2008-09-17 23:55:00 2981888 ( A.... ) "C:\WINDOWS\system32\nvwssr.dll"
2008-09-17 23:55:00 2854912 ( A.... ) "C:\WINDOWS\system32\nvmoblsr.dll"
2008-09-17 23:55:00 2686976 ( A.... ) "C:\WINDOWS\system32\nvwss.dll"
2008-09-17 23:55:00 1724416 ( A.... ) "C:\WINDOWS\system32\nvwdmcpl.dll"
2008-09-17 23:55:00 1657376 ( A.... ) "C:\WINDOWS\system32\nwiz.exe"
2008-09-17 23:55:00 1503232 ( A.... ) "C:\WINDOWS\system32\nview.dll"
2008-09-17 23:55:00 1368064 ( A.... ) "C:\WINDOWS\system32\nvcuda.dll"
2008-09-17 23:55:00 1346080 ( A.... ) "C:\WINDOWS\system32\nvdspsch.exe"
2008-09-17 23:55:00 1257472 ( A.... ) "C:\WINDOWS\system32\nvmobls.dll"
2008-09-17 23:55:00 1108512 ( A.... ) "C:\WINDOWS\system32\nvcpluir.dll"
2008-09-17 23:55:00 1101824 ( A.... ) "C:\WINDOWS\system32\nvwimg.dll"
2008-09-17 23:55:00 797216 ( A.... ) "C:\WINDOWS\system32\nvcplui.exe"
2008-09-17 23:55:00 475136 ( A.... ) "C:\WINDOWS\system32\nvapi.dll"
2008-09-17 23:55:00 466944 ( A.... ) "C:\WINDOWS\system32\nvshell.dll"
2008-09-17 23:55:00 458752 ( A.... ) "C:\WINDOWS\system32\nvmccssr.dll"
2008-09-17 23:55:00 453152 ( A.... ) "C:\WINDOWS\system32\NVUNINST.EXE"
2008-09-17 23:55:00 453152 ( A.... ) "C:\WINDOWS\system32\nvudisp.exe"
2008-09-17 23:55:00 449056 ( A.... ) "C:\WINDOWS\system32\nvappbar.exe"
2008-09-17 23:55:00 436768 ( A.... ) "C:\WINDOWS\system32\keystone.exe"
2008-09-17 23:55:00 335872 ( A.... ) "C:\WINDOWS\system32\nvwrses.dll"
2008-09-17 23:55:00 335872 ( A.... ) "C:\WINDOWS\system32\nvwrsel.dll"
2008-09-17 23:55:00 331776 ( A.... ) "C:\WINDOWS\system32\nvrshe.dll"
2008-09-17 23:55:00 331776 ( A.... ) "C:\WINDOWS\system32\nvrsar.dll"
2008-09-17 23:55:00 327680 ( A.... ) "C:\WINDOWS\system32\nvwrsfr.dll"
2008-09-17 23:55:00 327680 ( A.... ) "C:\WINDOWS\system32\nvwrsesm.dll"
2008-09-17 23:55:00 323584 ( A.... ) "C:\WINDOWS\system32\nvwrspt.dll"
2008-09-17 23:55:00 323584 ( A.... ) "C:\WINDOWS\system32\nvwrsit.dll"
2008-09-17 23:55:00 319488 ( A.... ) "C:\WINDOWS\system32\nvwrsptb.dll"
2008-09-17 23:55:00 319488 ( A.... ) "C:\WINDOWS\system32\nvwrsnl.dll"
2008-09-17 23:55:00 315392 ( A.... ) "C:\WINDOWS\system32\nvwrsru.dll"
2008-09-17 23:55:00 315392 ( A.... ) "C:\WINDOWS\system32\nvwrshu.dll"
2008-09-17 23:55:00 311296 ( A.... ) "C:\WINDOWS\system32\nvwrsde.dll"
2008-09-17 23:55:00 303104 ( A.... ) "C:\WINDOWS\system32\nvwrstr.dll"
2008-09-17 23:55:00 303104 ( A.... ) "C:\WINDOWS\system32\nvwrssl.dll"
2008-09-17 23:55:00 303104 ( A.... ) "C:\WINDOWS\system32\nvwrsfi.dll"
2008-09-17 23:55:00 299008 ( A.... ) "C:\WINDOWS\system32\nvwrssk.dll"
2008-09-17 23:55:00 299008 ( A.... ) "C:\WINDOWS\system32\nvwrsno.dll"
2008-09-17 23:55:00 294912 ( A.... ) "C:\WINDOWS\system32\nvwrssv.dll"
2008-09-17 23:55:00 294912 ( A.... ) "C:\WINDOWS\system32\nvwrspl.dll"
2008-09-17 23:55:00 294912 ( A.... ) "C:\WINDOWS\system32\nvwrsda.dll"
2008-09-17 23:55:00 290816 ( A.... ) "C:\WINDOWS\system32\nvwrsth.dll"
2008-09-17 23:55:00 286720 ( A.... ) "C:\WINDOWS\system32\nvwrseng.dll"
2008-09-17 23:55:00 286720 ( A.... ) "C:\WINDOWS\system32\nvwrscs.dll"
2008-09-17 23:55:00 286720 ( A.... ) "C:\WINDOWS\system32\nvnt4cpl.dll"
2008-09-17 23:55:00 282624 ( A.... ) "C:\WINDOWS\system32\nvwrsar.dll"
2008-09-17 23:55:00 282624 ( A.... ) "C:\WINDOWS\system32\nvrsfr.dll"
2008-09-17 23:55:00 282624 ( A.... ) "C:\WINDOWS\system32\nvrses.dll"
2008-09-17 23:55:00 282624 ( A.... ) "C:\WINDOWS\system32\nvrsel.dll"
2008-09-17 23:55:00 278528 ( A.... ) "C:\WINDOWS\system32\nvwrshe.dll"
2008-09-17 23:55:00 278528 ( A.... ) "C:\WINDOWS\system32\nvrsit.dll"
2008-09-17 23:55:00 278528 ( A.... ) "C:\WINDOWS\system32\nvrsde.dll"
2008-09-17 23:55:00 274432 ( A.... ) "C:\WINDOWS\system32\nvrsnl.dll"
2008-09-17 23:55:00 274432 ( A.... ) "C:\WINDOWS\system32\nvrsesm.dll"
2008-09-17 23:55:00 270336 ( A.... ) "C:\WINDOWS\system32\nvrspt.dll"
2008-09-17 23:55:00 270336 ( A.... ) "C:\WINDOWS\system32\nvrsja.dll"
2008-09-17 23:55:00 266240 ( A.... ) "C:\WINDOWS\system32\nvrsru.dll"
2008-09-17 23:55:00 266240 ( A.... ) "C:\WINDOWS\system32\nvrsptb.dll"
2008-09-17 23:55:00 262144 ( A.... ) "C:\WINDOWS\system32\nvrsko.dll"
2008-09-17 23:55:00 258048 ( A.... ) "C:\WINDOWS\system32\nvrssl.dll"
2008-09-17 23:55:00 258048 ( A.... ) "C:\WINDOWS\system32\nvrssk.dll"
2008-09-17 23:55:00 258048 ( A.... ) "C:\WINDOWS\system32\nvrshu.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrstr.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrsth.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrssv.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrspl.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrsno.dll"
2008-09-17 23:55:00 253952 ( A.... ) "C:\WINDOWS\system32\nvrsda.dll"


Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 2:45 pm

2008-09-17 23:55:00 249856 ( A.... ) "C:\WINDOWS\system32\nvrsfi.dll"
2008-09-17 23:55:00 245760 ( A.... ) "C:\WINDOWS\system32\nvrseng.dll"
2008-09-17 23:55:00 245760 ( A.... ) "C:\WINDOWS\system32\nvrscs.dll"
2008-09-17 23:55:00 229376 ( A.... ) "C:\WINDOWS\system32\nvmccs.dll"
2008-09-17 23:55:00 225280 ( A.... ) "C:\WINDOWS\system32\nvrszhc.dll"
2008-09-17 23:55:00 212992 ( A.... ) "C:\WINDOWS\system32\nvwrsja.dll"
2008-09-17 23:55:00 196608 ( A.... ) "C:\WINDOWS\system32\nvwrsko.dll"
2008-09-17 23:55:00 188416 ( A.... ) "C:\WINDOWS\system32\nvmccss.dll"
2008-09-17 23:55:00 167936 ( A.... ) "C:\WINDOWS\system32\nvwrszht.dll"
2008-09-17 23:55:00 163908 ( A.... ) "C:\WINDOWS\system32\nvsvc32.exe"
2008-09-17 23:55:00 163840 ( A.... ) "C:\WINDOWS\system32\nvwrszhc.dll"
2008-09-17 23:55:00 143360 ( A.... ) "C:\WINDOWS\system32\nvcolor.exe"
2008-09-17 23:55:00 122880 ( A.... ) "C:\WINDOWS\system32\nvrszht.dll"
2008-09-17 23:55:00 122880 ( A.... ) "C:\WINDOWS\system32\nvcodins.dll"
2008-09-17 23:55:00 122880 ( A.... ) "C:\WINDOWS\system32\nvcod.dll"
2008-09-17 23:55:00 86016 ( A.... ) "C:\WINDOWS\system32\nvmctray.dll"
2008-09-17 23:55:00 81920 ( A.... ) "C:\WINDOWS\system32\nvwddi.dll"
2008-09-17 23:55:00 45056 ( A.... ) "C:\WINDOWS\system32\nvmccsrs.dll"
2008-09-15 08:12:56 1846400 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
2008-09-15 08:12:56 1846400 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
2008-09-13 18:30:06 ( .D... ) "C:\Documents and Settings\Owner\Application Data\U3"
2008-09-11 15:45:56 ( .D... ) "C:\Program Files\Hasbro Interactive"
2008-08-27 04:24:32 3593216 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2008-08-26 03:24:32 1159680 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2008-08-26 03:24:32 826368 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2008-08-26 03:24:32 233472 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2008-08-26 03:24:30 671232 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2008-08-26 03:24:30 477696 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2008-08-26 03:24:30 459264 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
2008-08-26 03:24:30 384512 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2008-08-26 03:24:30 267776 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
2008-08-26 03:24:30 193024 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2008-08-26 03:24:30 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
2008-08-26 03:24:30 102912 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2008-08-26 03:24:30 52224 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2008-08-26 03:24:30 44544 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2008-08-26 03:24:30 44544 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2008-08-26 03:24:30 27648 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2008-08-26 03:24:28 383488 ( A.... ) "C:\WINDOWS\system32\ieapfltr.dll"
2008-08-26 03:24:28 347136 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2008-08-26 03:24:28 230400 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2008-08-26 03:24:28 214528 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2008-08-26 03:24:28 153088 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2008-08-26 03:24:28 133120 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2008-08-26 03:24:28 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2008-08-26 03:24:28 63488 ( A.... ) "C:\WINDOWS\system32\icardie.dll"
2008-08-25 04:38:00 70656 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2008-08-25 04:38:00 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
2008-08-23 01:54:52 161792 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2008-08-14 06:11:02 2189184 ( A.... ) "C:\WINDOWS\system32\ntoskrnl.exe"
2008-08-14 05:33:16 2066048 ( A.... ) "C:\WINDOWS\system32\ntkrnlpa.exe"
2008-08-13 21:39:16 1283912 ( A.... ) "C:\Program Files\WoW-2.3.0.7561-enUS-downloader.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CHotkey"="zHotkey.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"readericon"="C:\\Program Files\\Digital Media Reader\\readericon45G.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
69,6e,64,5f,58,50,2e,65,78,65,00
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"VerizonServicepoint.exe"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"mcagent_exe"="\"C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe\" /runkey"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"OOBEDDDemise"="cmd /x /c erase C:\\WINDOWS\\System32\\oobe\\msoobe.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=""
"McAfee QuickClean Imonitor"="C:\\Program Files\\McAfee\\McAfee QuickClean\\Plguni.exe /START"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"brastk"="C:\\WINDOWS\\system32\\brastk.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"brastk"="C:\\WINDOWS\\system32\\brastk.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\Norton Security Scan for Owner.job

Completion time: Sun 10/26/2008 10:28:20.90
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 3:17 pm

Hello.
I used the adrive link because some newer variant of tdssserv blocks websites like Bleepingcomputer, and stops programs like combofix.exe from running, so we have to rename it to get around this.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\system32\CF19642.exe
C:\WINDOWS\system32\CF19207.exe
C:\WINDOWS\system32\CF19139.exe
C:\WINDOWS\system32\efex.reg
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\TDSSnmxh.dll
C:\WINDOWS\system32\TDSSliqp.dll
C:\WINDOWS\system32\TDSSoiqh.dll
C:\Program Files\Common Files\dypynin.vbs
C:\Documents and Settings\Owner\Application Data\yquper.dll
C:\Program Files\Common Files\ucogomi._sy
C:\Documents and Settings\Owner\Application Data\mulo.exe
C:\WINDOWS\system32\wini10801.exe
C:\WINDOWS\system32\TDSSdxcp.dll
C:\WINDOWS\system32\TDSSxhyf.dll
C:\WINDOWS\system32\TDSScfbv.dll
C:\WINDOWS\system32\TDSSvoql.dll
C:\WINDOWS\system32\TDSSarxx.dll
C:\WINDOWS\system32\TDSSoity.dll

Folder::
C:\Program Files\AntiSpywareXP2009

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"brastk"=-
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"brastk"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.





Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 4:13 pm

Okay, so I finally got that to work, lol...after it was done, it recognized a PUP from the combofix file. I wasn't sure if I should delete it because it said combofix, but there were a couple extra letters before the exe, so I just closed the warning and made no decision?
Here's the report...

ComboFix 08-10-25.01 - Owner 2008-10-26 11:42:47.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.658 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\kogy.dl
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\cupun.bin
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\hovecu.bat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\hywide.inf
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\ofakytyba.bin
C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpywareXP2009
C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpywareXP2009\Uninstall.lnk
C:\Program Files\AntiSpywareXP2009
C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.cfg
C:\Program Files\AntiSpywareXP2009\AVEngn.dll
C:\Program Files\AntiSpywareXP2009\data\daily.cvd
C:\Program Files\AntiSpywareXP2009\htmlayout.dll
C:\Program Files\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
C:\Program Files\AntiSpywareXP2009\pthreadVC2.dll
C:\Program Files\AntiSpywareXP2009\Uninstall.exe
C:\Program Files\AntiSpywareXP2009\wscui.cpl
C:\WINDOWS\karna.dat
C:\WINDOWS\system32\_scui.cpl
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\Drivers\TDSSmqlt.sys
C:\WINDOWS\system32\SZComp5.dll
C:\WINDOWS\system32\TDSSarxx.dll
C:\WINDOWS\system32\TDSScfbv.dll
C:\WINDOWS\system32\TDSSciou.log
C:\WINDOWS\system32\TDSScuts.log
C:\WINDOWS\system32\TDSSdxcp.dll
C:\WINDOWS\system32\TDSSliqp.dll
C:\WINDOWS\system32\TDSSmtve.dat
C:\WINDOWS\system32\TDSSnmxh.dll
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSoity.dll
C:\WINDOWS\system32\TDSSpqxt.dat
C:\WINDOWS\system32\TDSSthym.log
C:\WINDOWS\system32\TDSSvoql.dll
C:\WINDOWS\system32\TDSSxhyf.dll
C:\WINDOWS\system32\wini10801.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS)
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-26 00:20 . 2008-10-26 01:45 d-------- C:\Program Files\Norton Security Scan
2008-10-26 00:20 . 2008-10-26 01:45 d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-26 00:07 . 2008-10-26 00:08 d-------- C:\Program Files\Windows Live Safety Center
2008-10-25 20:57 . 2008-10-25 20:57 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-10-25 20:48 . 2008-10-25 20:48 d-------- C:\Program Files\STOPzilla!
2008-10-25 20:48 . 2008-10-25 20:48 d-------- C:\Program Files\Common Files\iS3
2008-10-25 20:48 . 2008-10-26 11:49 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-10-25 19:46 . 2008-10-25 21:13 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-25 19:46 . 2008-07-28 12:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-10-25 19:45 . 2008-10-26 01:44 d-------- C:\Program Files\Spyware Doctor
2008-10-25 19:45 . 2008-10-25 21:13 d-------- C:\Program Files\Common Files\PC Tools
2008-10-25 19:07 . 2008-10-25 19:07 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-10-25 18:57 . 2008-10-25 18:57 19,766 --a------ C:\Documents and Settings\Owner\Application Data\zycen.dat
2008-10-25 18:57 . 2008-10-25 18:57 18,995 --a------ C:\WINDOWS\atatypo.dl
2008-10-25 18:57 . 2008-10-25 18:57 17,612 --a------ C:\WINDOWS\ozes.pif
2008-10-25 18:57 . 2008-10-25 18:57 14,790 --a------ C:\WINDOWS\system32\efex.reg
2008-10-25 18:57 . 2008-10-25 18:57 13,919 --a------ C:\WINDOWS\xuse._sy
2008-10-25 18:57 . 2008-10-25 18:57 13,725 --a------ C:\Program Files\Common Files\dypynin.vbs
2008-10-25 18:57 . 2008-10-25 18:57 13,040 --a------ C:\Documents and Settings\Owner\Application Data\yquper.dll
2008-10-25 18:57 . 2008-10-25 18:57 12,752 --a------ C:\WINDOWS\quzomyqoq._dl
2008-10-25 18:57 . 2008-10-25 18:57 12,564 --a------ C:\Documents and Settings\All Users\Application Data\xykirim.bin
2008-10-25 18:57 . 2008-10-25 18:57 12,346 --a------ C:\Documents and Settings\All Users\Application Data\ifuvo.dat
2008-10-25 18:57 . 2008-10-25 18:57 10,410 --a------ C:\Documents and Settings\Owner\Application Data\mulo.exe
2008-10-25 18:47 . 2008-10-25 18:47 44,544 --a------ C:\WINDOWS\system32\av.dat
2008-10-24 08:08 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 11:01 . 2008-10-23 11:01 17,408 -ra------ C:\WINDOWS\system32\SZIO5.dll
2008-10-23 11:00 . 2008-10-23 11:00 278,528 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-10-15 13:45 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 13:42 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 13:42 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 13:42 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 13:42 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 13:42 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 19:47 . 2008-10-14 19:47 d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-13 23:27 . 2008-10-16 19:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-13 23:27 . 2008-10-13 23:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-09 20:37 . 2008-10-09 21:05 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-10-09 20:37 . 2008-10-09 21:14 61,012 --a------ C:\WINDOWS\War3Unin.dat
2008-10-09 20:37 . 2008-10-09 21:05 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-10-09 20:33 . 2008-10-10 10:18 d-------- C:\Program Files\Warcraft III
2008-10-08 14:27 . 2008-10-08 14:27 49,664 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-10-05 14:40 . 2008-10-26 11:52 12,543 --a------ C:\WINDOWS\system32\Config.MPF
2008-10-05 14:39 . 2008-10-25 20:53 d-------- C:\Program Files\SiteAdvisor
2008-10-05 14:39 . 2008-10-05 14:39 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-10-05 14:37 . 2008-06-27 06:08 79,240 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-10-05 14:37 . 2008-06-27 06:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-10-05 14:37 . 2008-06-27 06:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-10-05 14:36 . 2008-10-05 14:36 d-------- C:\Program Files\McAfee.com
2008-10-05 14:36 . 2008-10-05 14:36 d-------- C:\Program Files\Common Files\McAfee
2008-10-05 14:36 . 2008-06-02 14:55 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-10-05 14:35 . 2008-10-26 01:45 d-------- C:\Program Files\McAfee
2008-10-05 14:35 . 2008-06-20 05:41 34,152 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-10-05 14:20 . 2008-10-25 19:08 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-05 00:08 . 2008-10-05 00:08 d-------- C:\Documents and Settings\LocalService\Application Data\CCPTB
2008-10-04 23:36 . 2008-10-04 23:36 d-------- C:\Program Files\Windows Installer Clean Up
2008-10-04 23:36 . 2008-10-04 23:36 d-------- C:\Program Files\MSECACHE
2008-10-04 23:19 . 2008-10-04 23:19 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-10-04 21:31 . 2008-10-04 21:31 61,224 --a------ C:\Documents and Settings\Owner\GoToAssistDownloadHelper.exe
2008-10-04 20:34 . 2008-10-25 18:48 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\CCPTB
2008-10-01 08:30 . 2008-10-25 23:48 d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-09-29 14:08 . 2008-09-29 14:08 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-09-29 14:08 . 2008-09-29 14:08 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-09-29 14:07 . 2008-09-29 14:07 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-09-29 14:07 . 2008-09-29 14:07 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-09-29 14:07 . 2008-09-29 14:07 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-09-29 14:06 . 2008-09-29 14:06 212,992 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-09-29 14:06 . 2008-09-29 14:06 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-09-29 14:06 . 2008-09-29 14:06 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-09-29 14:03 . 2008-09-29 14:03 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-25 22:57 11,429 ----a-w C:\Program Files\Common Files\ucogomi._sy
2008-10-25 22:49 --------- d-----w C:\Program Files\DivX
2008-10-25 13:35 21,654 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-10-25 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-10-22 12:01 --------- d-----w C:\Program Files\World of Warcraft
2008-10-20 19:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-11 01:52 --------- d-----w C:\Program Files\Guild Wars
2008-09-24 03:32 --------- d-----w C:\Program Files\Google
2008-09-18 03:55 6,132,576 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-09-13 22:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-09-11 19:45 --------- d-----w C:\Program Files\Hasbro Interactive
2008-09-11 03:44 --------- d-----w C:\Program Files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-14 01:39 1,283,912 ----a-w C:\Program Files\WoW-2.3.0.7561-enUS-downloader.exe
2008-08-08 22:01 0 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2006-12-20 19:24 80 --sh--r C:\WINDOWS\system32\4367E797A1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 4:14 pm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-09-17 13574144]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 385024]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-15 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-02-15 2168360]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 szkg5;szkg5;C:\WINDOWS\system32\drivers\szkg.sys [2008-10-08 49664]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-10-05 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-10-05 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-10-26 C:\WINDOWS\Tasks\Norton Security Scan for Owner.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-McAfee QuickClean Imonitor - C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
HKCU-Run-Power2GoExpress - (no file)
HKU-Default-Run-brastk - C:\WINDOWS\system32\brastk.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = [You must be registered and logged in to see this link.]
R0 -: HKCU-Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
R0 -: HKLM-Main,Start Page = [You must be registered and logged in to see this link.]
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: &Search - [You must be registered and logged in to see this link.]
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-10-26 11:47:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe??????5???????????????C?w?????????????????k???7???6??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-10-26 12:03:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 16:03:03
ComboFix2.txt 2008-10-26 15:33:43

Pre-Run: 107,826,720,768 bytes free
Post-Run: 106,847,997,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

308 --- E O F --- 2008-10-24 22:34:45


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 4:26 pm

Thanks for sticking with me. Smile
The rootkit is gone, but it has left a few marks, so we have to get rid of them too. One more CFScript should do.

Delete the old CFScript.txt.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\xuse._sy
C:\Program Files\Common Files\dypynin.vbs
C:\WINDOWS\quzomyqoq._dl
C:\WINDOWS\system32\av.dat
C:\Documents and Settings\All Users\Application Data\xykirim.bin
C:\Documents and Settings\All Users\Application Data\ifuvo.dat
C:\Program Files\Common Files\ucogomi._sy
C:\WINDOWS\system32\4367E797A1.dll
C:\Documents and Settings\Owner\Application Data\mulo.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here along with a fresh Hijack This log. Use separate posts for the logs.




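As an added example (not code from this thread, from ComboFix, or from the helper), here is a Python triage script that applies the reasoning behind the two CFScripts above to the "Files Created" section of a ComboFix log: files written in the same minute, whose creation time equals their modification time and whose names are random-looking lowercase stems, are grouped into a drop burst and rendered as a File:: block for a human to review. The sample lines are excerpted from the log posted earlier in the thread; the minute grouping, the created-equals-modified filter and the name heuristic are assumptions of this example, not ComboFix rules.

```python
import re
from collections import defaultdict

# Shape of one line in the "Files Created" section of a ComboFix log:
#   <created> . <modified> [<size>] <attrs> <path>
# e.g. 2008-10-25 18:57 . 2008-10-25 18:57 13,725 --a------ C:\Program Files\Common Files\dypynin.vbs
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?"          # directory lines carry no size field
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>\S.*)$"
)

# Heuristic (an assumption of this example): the dropped files in the log above
# all have stems of 4-12 lowercase letters and no digits (zycen, dypynin, quzomyqoq).
RANDOM_STEM_RE = re.compile(r"[a-z]{4,12}")


def parse_line(line):
    """Parse one 'Files Created' line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["is_dir"] = entry["attrs"].startswith("d")
    entry["size"] = int(entry["size"].replace(",", "")) if entry["size"] else 0
    name = entry["path"].rsplit("\\", 1)[-1]
    entry["name"] = name
    entry["random_name"] = RANDOM_STEM_RE.fullmatch(name.split(".", 1)[0]) is not None
    return entry


def find_drop_bursts(log_lines, min_files=3):
    """Group freshly written files by creation minute and keep the minutes in which
    at least `min_files` random-named files appeared. Returns {minute: [paths]}."""
    by_minute = defaultdict(list)
    for line in log_lines:
        entry = parse_line(line)
        if entry is None or entry["is_dir"]:
            continue
        # A dropper writes its payload on the spot, so created == modified.
        # Installer and Windows Update copies usually keep an older modification
        # time (the dllcache and McAfee driver lines), so they are skipped here.
        if entry["created"] != entry["modified"]:
            continue
        by_minute[entry["created"]].append(entry)
    bursts = {}
    for minute, entries in by_minute.items():
        random_named = [e["path"] for e in entries if e["random_name"]]
        if len(random_named) >= min_files:
            bursts[minute] = random_named
    return bursts


def build_cfscript(paths):
    """Render flagged paths as the File:: section of a CFScript, for human review."""
    return "File::\n" + "\n".join(paths) + "\n"


# Sample input excerpted from the ComboFix log posted above, with a few
# legitimate lines (security tools, Windows Update cache) left in to show
# what the heuristic ignores.
SAMPLE_LOG = r"""
2008-10-25 19:46 . 2008-07-28 12:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-10-25 19:45 . 2008-10-26 01:44 d-------- C:\Program Files\Spyware Doctor
2008-10-25 18:57 . 2008-10-25 18:57 19,766 --a------ C:\Documents and Settings\Owner\Application Data\zycen.dat
2008-10-25 18:57 . 2008-10-25 18:57 18,995 --a------ C:\WINDOWS\atatypo.dl
2008-10-25 18:57 . 2008-10-25 18:57 17,612 --a------ C:\WINDOWS\ozes.pif
2008-10-25 18:57 . 2008-10-25 18:57 14,790 --a------ C:\WINDOWS\system32\efex.reg
2008-10-25 18:57 . 2008-10-25 18:57 13,919 --a------ C:\WINDOWS\xuse._sy
2008-10-25 18:57 . 2008-10-25 18:57 13,725 --a------ C:\Program Files\Common Files\dypynin.vbs
2008-10-25 18:57 . 2008-10-25 18:57 13,040 --a------ C:\Documents and Settings\Owner\Application Data\yquper.dll
2008-10-25 18:57 . 2008-10-25 18:57 12,752 --a------ C:\WINDOWS\quzomyqoq._dl
2008-10-25 18:57 . 2008-10-25 18:57 12,564 --a------ C:\Documents and Settings\All Users\Application Data\xykirim.bin
2008-10-25 18:57 . 2008-10-25 18:57 12,346 --a------ C:\Documents and Settings\All Users\Application Data\ifuvo.dat
2008-10-25 18:57 . 2008-10-25 18:57 10,410 --a------ C:\Documents and Settings\Owner\Application Data\mulo.exe
2008-10-25 18:47 . 2008-10-25 18:47 44,544 --a------ C:\WINDOWS\system32\av.dat
2008-10-24 08:08 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 11:01 . 2008-10-23 11:01 17,408 -ra------ C:\WINDOWS\system32\SZIO5.dll
2008-10-05 14:37 . 2008-06-27 06:08 79,240 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-29 14:07 . 2008-09-29 14:07 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-09-29 14:07 . 2008-09-29 14:07 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
"""


if __name__ == "__main__":
    for minute, paths in find_drop_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{len(paths)} random-named files written at {minute}:")
        print(build_cfscript(paths))
```

Note that av.dat (two-letter stem, alone in its minute) and the STOPzilla IS3*.dll files (same-minute install, but digits and capitals in the names) fall outside the burst, which is why the output is a review list rather than an automatic deletion.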

Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 4:34 pm

No, thank YOU! It's already much better, it's running in normal mode, my mcafee quick scan worked and found nothing, whew! That was all really frightening for awhile...so I'm going to run this thing again, but I've got to leave before the report will finish, so I'll post its report in a few hours...thanks again for being so fast! You are awesome...


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 4:36 pm

Okay, I'll be waiting.
And you're welcome. Smile





Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 4:51 pm

Oh, that didn't take long, lol...another PUP name came up, RemAdm-ProcLaunch!171, do you know if I should delete that? Its location was c:\32788R22FW\psexec.cfexe, and here is the report, thanks again and see you later... Smile

ComboFix 08-10-25.01 - Owner 2008-10-26 12:37:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.287 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\All Users\Application Data\ifuvo.dat
C:\Documents and Settings\All Users\Application Data\xykirim.bin
C:\Program Files\Common Files\dypynin.vbs
C:\Program Files\Common Files\ucogomi._sy
C:\WINDOWS\quzomyqoq._dl
C:\WINDOWS\system32\av.dat
C:\WINDOWS\xuse._sy
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ifuvo.dat
C:\Documents and Settings\All Users\Application Data\xykirim.bin
C:\Program Files\Common Files\dypynin.vbs
C:\Program Files\Common Files\ucogomi._sy
C:\WINDOWS\quzomyqoq._dl
C:\WINDOWS\system32\av.dat
C:\WINDOWS\xuse._sy

.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-26 00:20 . 2008-10-26 01:45 d-------- C:\Program Files\Norton Security Scan
2008-10-26 00:20 . 2008-10-26 01:45 d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-26 00:07 . 2008-10-26 00:08 d-------- C:\Program Files\Windows Live Safety Center
2008-10-25 20:57 . 2008-10-25 20:57 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-10-25 20:48 . 2008-10-25 20:48 d-------- C:\Program Files\STOPzilla!
2008-10-25 20:48 . 2008-10-25 20:48 d-------- C:\Program Files\Common Files\iS3
2008-10-25 20:48 . 2008-10-26 12:34 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-10-25 19:46 . 2008-10-25 21:13 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-25 19:46 . 2008-07-28 12:29 160,792 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-10-25 19:45 . 2008-10-26 01:44 d-------- C:\Program Files\Spyware Doctor
2008-10-25 19:45 . 2008-10-25 21:13 d-------- C:\Program Files\Common Files\PC Tools
2008-10-25 19:07 . 2008-10-25 19:07 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-10-25 18:57 . 2008-10-25 18:57 19,766 --a------ C:\Documents and Settings\Owner\Application Data\zycen.dat
2008-10-25 18:57 . 2008-10-25 18:57 18,995 --a------ C:\WINDOWS\atatypo.dl
2008-10-25 18:57 . 2008-10-25 18:57 17,612 --a------ C:\WINDOWS\ozes.pif
2008-10-25 18:57 . 2008-10-25 18:57 14,790 --a------ C:\WINDOWS\system32\efex.reg
2008-10-25 18:57 . 2008-10-25 18:57 13,040 --a------ C:\Documents and Settings\Owner\Application Data\yquper.dll
2008-10-25 18:57 . 2008-10-25 18:57 10,410 --a------ C:\Documents and Settings\Owner\Application Data\mulo.exe
2008-10-24 08:08 . 2008-10-15 12:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-23 11:01 . 2008-10-23 11:01 17,408 -ra------ C:\WINDOWS\system32\SZIO5.dll
2008-10-23 11:00 . 2008-10-23 11:00 278,528 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-10-15 13:45 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 13:42 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 13:42 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 13:42 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 13:42 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 13:42 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-14 19:47 . 2008-10-14 19:47 d-------- C:\Documents and Settings\All Users\Application Data\Blizzard
2008-10-13 23:27 . 2008-10-16 19:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-10-13 23:27 . 2008-10-13 23:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-10-09 20:37 . 2008-10-09 21:05 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-10-09 20:37 . 2008-10-09 21:14 61,012 --a------ C:\WINDOWS\War3Unin.dat
2008-10-09 20:37 . 2008-10-09 21:05 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-10-09 20:33 . 2008-10-10 10:18 d-------- C:\Program Files\Warcraft III
2008-10-08 14:27 . 2008-10-08 14:27 49,664 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-10-05 14:40 . 2008-10-26 11:52 12,543 --a------ C:\WINDOWS\system32\Config.MPF
2008-10-05 14:39 . 2008-10-25 20:53 d-------- C:\Program Files\SiteAdvisor
2008-10-05 14:39 . 2008-10-05 14:39 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-10-05 14:37 . 2008-06-27 06:08 79,240 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-10-05 14:37 . 2008-06-27 06:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-10-05 14:37 . 2008-06-27 06:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-10-05 14:36 . 2008-10-05 14:36 d-------- C:\Program Files\McAfee.com
2008-10-05 14:36 . 2008-10-05 14:36 d-------- C:\Program Files\Common Files\McAfee
2008-10-05 14:36 . 2008-06-02 14:55 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-10-05 14:35 . 2008-10-26 01:45 d-------- C:\Program Files\McAfee
2008-10-05 14:35 . 2008-06-20 05:41 34,152 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-10-05 14:20 . 2008-10-25 19:08 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-10-05 00:08 . 2008-10-05 00:08 d-------- C:\Documents and Settings\LocalService\Application Data\CCPTB
2008-10-04 23:36 . 2008-10-04 23:36 d-------- C:\Program Files\Windows Installer Clean Up
2008-10-04 23:36 . 2008-10-04 23:36 d-------- C:\Program Files\MSECACHE
2008-10-04 23:19 . 2008-10-04 23:19 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-10-04 21:31 . 2008-10-04 21:31 61,224 --a------ C:\Documents and Settings\Owner\GoToAssistDownloadHelper.exe
2008-10-04 20:34 . 2008-10-25 18:48 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\CCPTB
2008-10-01 08:30 . 2008-10-26 12:05 d-------- C:\Documents and Settings\LocalService\Application Data\SACore
2008-09-29 14:08 . 2008-09-29 14:08 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-09-29 14:08 . 2008-09-29 14:08 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-09-29 14:07 . 2008-09-29 14:07 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-09-29 14:07 . 2008-09-29 14:07 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-09-29 14:07 . 2008-09-29 14:07 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-09-29 14:06 . 2008-09-29 14:06 212,992 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-09-29 14:06 . 2008-09-29 14:06 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-09-29 14:06 . 2008-09-29 14:06 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-09-29 14:03 . 2008-09-29 14:03 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 16:28 21,788 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-10-26 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-25 22:49 --------- d-----w C:\Program Files\DivX
2008-10-25 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-10-22 12:01 --------- d-----w C:\Program Files\World of Warcraft
2008-10-20 19:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-11 01:52 --------- d-----w C:\Program Files\Guild Wars
2008-09-24 03:32 --------- d-----w C:\Program Files\Google
2008-09-19 21:55 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-13 22:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-09-11 19:45 --------- d-----w C:\Program Files\Hasbro Interactive
2008-09-11 03:44 --------- d-----w C:\Program Files\Microsoft Works
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-14 01:39 1,283,912 ----a-w C:\Program Files\WoW-2.3.0.7561-enUS-downloader.exe
2008-08-08 22:01 0 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2006-12-20 19:24 80 --sh--r C:\WINDOWS\system32\4367E797A1.dll
.

ajinat
Novice

Posts: 13
Joined: 2008-10-26
Gender: Female
OS: windows xp
Points: 29640
Likes: 0

Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 4:52 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-26 15:52:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-26 15:58:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-26 15:52:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-26 15:58:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-26 15:52:35 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-26 15:58:16 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-09-17 13574144]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2005-05-23 50744]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2005-04-13 385024]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-15 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 C:\WINDOWS\zHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-02-15 2168360]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 szkg5;szkg5;C:\WINDOWS\system32\drivers\szkg.sys [2008-10-08 49664]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
.
Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-10-05 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-10-05 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-10-26 C:\WINDOWS\Tasks\Norton Security Scan for Owner.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-10-26 12:42:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe??????5???????????????C?w?????????????????k???7???6??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
Completion time: 2008-10-26 12:45:20
ComboFix-quarantined-files.txt 2008-10-26 16:45:04
ComboFix2.txt 2008-10-26 16:03:21
ComboFix3.txt 2008-10-26 15:33:43

Pre-Run: 106,803,216,384 bytes free
Post-Run: 106,786,590,720 bytes free

213 --- E O F --- 2008-10-24 22:34:45


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 4:58 pm

Looks a lot better; time to do some tidying up.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OOBEDDDemise"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.



Delete these two files:
C:\Documents and Settings\Owner\Application Data\yquper.dll
C:\Documents and Settings\Owner\Application Data\mulo.exe


Can you post a new Hijack This log please?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1

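The fix.reg in the post above uses the two destructive forms of a Registry Editor 5.00 file: a key header written as [-KEY] removes that key and everything beneath it, and a line of the form "name"=- under a normal [KEY] header removes a single value. The script below is an added example, not part of the original post and not code from HijackThis or ComboFix. It parses a .reg file into the operations regedit would perform and refuses key deletions that are too shallow to be a single service or Run entry. The MIN_DELETE_DEPTH guard, the ALLOWED_ROOTS list and the function names are this example's own assumptions; multi-line hex values and UTF-16 decoding are out of scope.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# A value line: "name"=data, or @=data for the key's default value.
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')

# Constructed sample: the fix.reg posted above, as a raw string so the
# backslashes in the key paths are kept literally.
FIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"=-
"""

ALLOWED_ROOTS = ("HKEY_LOCAL_MACHINE\\", "HKEY_CURRENT_USER\\", "HKEY_USERS\\")
# Assumed safety margin: never delete anything shallower than
# HKLM\SYSTEM\ControlSetNNN\Services\<name> (four backslashes).
MIN_DELETE_DEPTH = 4


def parse_reg(text):
    """Translate a .reg file into (op, key, value_name) tuples.

    '[-KEY]' deletes the whole key and its subkeys ('delete_key');
    '"name"=-' under a '[KEY]' header deletes one value ('delete_value');
    any other '"name"=...' or '@=...' line sets a value ('set_value').
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing Registry Editor 5.00 header")
    ops, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            if m.group("delete"):
                ops.append(("delete_key", current, None))
                current = None            # values cannot follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").strip('"')
            op = "delete_value" if m.group("data") == "-" else "set_value"
            ops.append((op, current, name))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return ops


def check_fix(text):
    """Return reasons not to merge this fix; an empty list means it looks safe."""
    problems = []
    for op, key, _name in parse_reg(text):
        if not key.upper().startswith(ALLOWED_ROOTS):
            problems.append(f"unexpected root in {key}")
        if op == "delete_key" and key.count("\\") < MIN_DELETE_DEPTH:
            problems.append(f"refusing to delete shallow key {key}")
    return problems


if __name__ == "__main__":
    for op, key, name in parse_reg(FIX_REG):
        print(op, key, name or "")
    print("problems:", check_fix(FIX_REG))
```

Run it on a fix before double-clicking it: the deletion of the TDSSserv.sys service key passes the depth guard, while a line such as [-HKEY_LOCAL_MACHINE\SYSTEM] would be reported and should never be merged.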
Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 8:16 pm

Okay, here you go...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:56 PM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Calorie Count Plus Toolbar - {A057A204-BACC-4D26-DFC4-6BAE8BAD3DC9} - C:\PROGRA~1\ccptb\ccptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &AOL Toolbar search - [You must be registered and logged in to see this link.] Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 11207 bytes


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 8:28 pm

Hello again ajinat.
I see you have two AVs, Norton and McAfee; having two AVs is a bad idea. They conflict and waste space. I'd recommend uninstalling Norton. Norton is a big product and takes a lot of your hard drive.
We have a few more things to do, just to clean up and get you some better security.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.


======
Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
  • Close ATF-Cleaner.exe.

======

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.


Now that you have the new version, let's get rid of any traces of old versions.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.



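The entries the helper picks out above follow patterns that can be checked mechanically: O23 services whose binary is gone ("(file missing)"), O23 services HijackThis could not attribute to a publisher, and the O10 Winsock LSP lines, which are deliberately left alone because fixing a live LSP chain in HijackThis breaks networking. The script below is an added example, not part of this thread and not code from HijackThis; it parses HijackThis-style lines and applies those heuristics, plus a check for Run entries that give a bare executable name (resolved through the search order) or invoke a shell. The sample lines are copied from the log posted above; the severity labels and the heuristics are this example's own assumptions and say nothing about whether the named products are malicious.

```python
import re
from dataclasses import dataclass

# A HijackThis entry line: "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Constructed sample: lines copied from the HijackThis log posted above.
# A raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix": safe to let HJT fix; "review": needs a human decision
    section: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(command):
    """First token of a Run command, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def is_fully_qualified(exe):
    """True for drive, %VAR% or UNC paths; False for a bare executable name."""
    return re.match(r"^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)", exe) is not None


SHELL_RE = re.compile(r"\b(cmd(\.exe)?|erase|del)\b", re.IGNORECASE)


def triage(log_text):
    """Apply the heuristics used in the thread; findings come back in log order."""
    findings = []
    lsp_counts = {}   # dll path -> number of O10 lines (one per catalog entry)
    for section, body in parse_entries(log_text):
        if section == "O23":
            if body.endswith("(file missing)"):
                findings.append(Finding("fix", section,
                    "service binary no longer exists; the registration is a leftover", body))
            elif "Unknown owner" in body:
                findings.append(Finding("review", section,
                    "HJT could not read a publisher; verify the binary by hash or signature", body))
        elif section == "O4":
            command = body.split("] ", 1)[1] if "] " in body else body
            exe = executable_of(command)
            if SHELL_RE.search(command):
                findings.append(Finding("review", section,
                    "autorun invokes a shell or deletes files", body))
            elif not is_fully_qualified(exe):
                findings.append(Finding("review", section,
                    f"unqualified path {exe!r}: resolved through the search order", body))
        elif section == "O10":
            path = body.split("Winsock LSP:", 1)[-1].strip().lower()
            lsp_counts[path] = lsp_counts.get(path, 0) + 1
    for path, n in lsp_counts.items():
        findings.append(Finding("review", "O10",
            f"LSP DLL registered {n} time(s); fixing a live LSP in HJT breaks the Winsock chain", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
```

On the sample above the only "fix" finding is the orphaned Spyware Doctor service, which matches the helper's instruction; the SiteAdvisor service, the unqualified nwiz.exe entry and the is3lsp.dll LSP are reported for review rather than removal.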
Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 9:10 pm

Okay, here's the report. Yeah, I don't like Norton anyway; it's completely killed my Windows a couple of times. I was just panicking yesterday and downloaded a bunch of stuff trying to start fixing things... Thank goodness I refound you... Here's the log, but I also wanted to know: the antispyware2009 thing is still in my left task, is it safe to delete it?


JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Oct 26 17:03:52 2008

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_02

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510002

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 9:14 pm

XP Antispyware is still present? Combofix should have taken care of that?
But yeah, it's safe to delete it, maybe a leftover.
Kill the process in Task Manager.
Let's see what this finds.

Please download [You must be registered and logged in to see this link.] (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 9:28 pm

SmitFraudFix v2.367

Scan done at 17:26:46.87, Sun 10/26/2008
Run from C:\Documents and Settings\Owner\Desktop\smitfraudfix\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\ehome\ehtray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D7B650EF-8B89-405A-83D1-4D2A855A7C30}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D7B650EF-8B89-405A-83D1-4D2A855A7C30}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D7B650EF-8B89-405A-83D1-4D2A855A7C30}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


Scanning for wininet.dll infection


End

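The Winlogon, AppInit_DLLs and DNS sections of a SmitfraudFix report are the parts a helper checks by eye against stock Windows XP values. As an added example (not SmitfraudFix's code nor anything posted in this thread), the Python below parses those sections in the layout shown above and reports deviations; the two sample reports, the `example.dll`/`example.exe` names and the `203.0.113.5` resolver are constructed, and the expected resolver set is whatever the caller passes (here the home router from the log).

```python
import re
# Constructed excerpts in the report's own layout, not copied from a real scan.
CLEAN_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
'''
SUSPECT_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\\WINDOWS\\system32\\example.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\example.exe"
"System"=""
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.0.113.5 192.168.1.1
'''
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"  # stock XP: nothing after the comma
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_reg_values(report):
    """Collect "Name"="value" lines; names lower-cased, .reg backslash doubling undone."""
    values = {}
    for name, raw in re.findall(r'^"(\w+)"="(.*)"$', report, re.M):
        values[name.lower()] = raw.replace("\\\\", "\\")
    return values

def parse_dns_servers(report):
    """Return the set of resolver addresses listed on NameServer/DhcpNameServer lines."""
    servers = set()
    for field in re.findall(r"NameServer=(.*)", report):
        servers.update(IPV4.findall(field))
    return servers

def check_report(report, expected_dns):
    """Return findings for a human to review; an empty list is a clean result."""
    findings = []
    values = parse_reg_values(report)
    userinit = values.get("userinit", "")
    if userinit.lower() != EXPECTED_USERINIT:
        findings.append(f"Winlogon Userinit differs from the stock value: {userinit!r}")
    if values.get("system", ""):
        findings.append(f"Winlogon System should be empty: {values['system']!r}")
    if values.get("appinit_dlls", ""):
        findings.append(f"AppInit_DLLs is set: {values['appinit_dlls']!r}")
    for ip in sorted(parse_dns_servers(report) - set(expected_dns)):
        findings.append(f"DNS server {ip} is not your expected router/ISP resolver")
    return findings
```

Run `check_report(open("rapport.txt").read(), {"192.168.1.1"})` against a saved report to get the same list; an unexpected resolver is a prompt to confirm it with your ISP, not proof of infection.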

Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 9:31 pm

That came back clean.
Delete smitfraudfix.

What problems remain?




Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 9:42 pm

Hmmm, I restarted it and it seems okay... I *think* that's it! Hooray!

You are a wonderful person for helping, thank you sooo much!


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 9:43 pm

Everything looks great --- Glad I could help!
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.




Solved Re: a-trojan 2.0 and anti-spy

Post by ajinat on 26th October 2008, 10:05 pm

Will definitely take the advice... Thanks again...


Solved Re: a-trojan 2.0 and anti-spy

Post by Belahzur on 26th October 2008, 10:06 pm

You're very welcome!


