it's baaaack. Downloader.exe back with friends.


Post by raif on 10th November 2008, 7:03 pm

PMP1 (1st computer): So I was running along excellently this a.m., as fast as ever. I got a pop-up from Norton that it had found things needing attention. When I looked, it was two downloader.exe files and a Trojan horse. The computer is back to non-functioning!

Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:46 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe" Z
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Network Drive Mapping Utility] "C:\Program Files\Linksys\Network Storage\Network Drive Mapping Utility.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - [You must be registered and logged in to see this link.]
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {84C81EF3-B20B-4773-8A86-DB90589B0F54} (webconference.Encoder) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12866 bytes


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 7:15 pm

Hello again.
Tinyproxy is a Facebook/MySpace worm. HJT tells me you're a Facebook user.

Also, this log was taken in safe mode; much malware is disabled in safe mode, so we won't get the detail we need. Do you have ComboFix on this machine?

Choose not to install the recovery console if you can't get it.


  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 7:26 pm

Can ComboFix be run in safe mode, or must it be normal? It's running suuuuuper slow and locking up in normal mode...


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 7:27 pm

I think it can be run in safe mode too.
Give it a shot.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 8:02 pm

Who, me? Never been on the thing. Actually, I got a video from Facebook, from someone I know, saying I was in a video, and the genius in me clicked it. I knew him so didn't think much. Then got an email saying his account had been hacked, etc. Here is the ComboFix log

[You must be registered and logged in to see this link.]

after running this, I tried to restart in normal mode and it locked up


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 8:29 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\f49f4d98.dat
c:\windows\_detmp.1
c:\windows\_detmp.2

Driver::
Viewpoint Manager Service

Folder::
c:\windows\system32\890166
c:\program files\Viewpoint

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


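Reading a HijackThis log by hand, as done in this thread, comes down to spotting entries that point at nothing: an O2 BHO whose CLSID is still registered but whose DLL is "(no file)", an O23 service whose binary is "(file missing)", and services with "Unknown owner" that deserve a look but prove nothing on their own (ATI Smart in the log above is legitimate). The Python below is an added example, not a tool from this thread or from the HijackThis or ComboFix authors. It triages a constructed log in the same shape as the one posted above, notes when the header says the log was taken in Safe mode (the caveat raised above), and drafts the Driver:: and Registry:: sections in the CFScript form used in the previous post. Two assumptions are made: that an O2 entry's CLSID lives as a subkey under HKLM\...\Explorer\Browser Helper Objects, and that ComboFix's Driver:: section accepts the service key name shown in parentheses. The draft is a review aid to check against the full log, not something to hand to ComboFix unread.

```python
"""Triage a HijackThis 2.x log and draft a ComboFix CFScript from the
entries that point at nothing.  Added example, not a tool from this thread."""
import re
from typing import Dict, List

# Constructed sample in the shape of the log posted above (a few lines only).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Assumption: Internet Explorer registers BHOs here; an O2 line's CLSID is a subkey.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# O23 shape: "Service: <display> (<key name>) - <publisher> - <path>"; key name optional.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Oxx - ...' / 'Rx - ...' line: section plus the rest."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+|R\d) - (.*)$", line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def triage(text: str) -> Dict[str, object]:
    """Flag entries whose target no longer exists, and note the boot mode."""
    result = {
        "safe_mode": bool(re.search(r"^Boot mode: Safe mode", text, re.M)),
        "orphan_bhos": [],       # O2 with '(no file)': CLSID registered, DLL gone
        "orphan_services": [],   # O23 with '(file missing)': service key, binary gone
        "unknown_owner": [],     # O23 with no publisher but binary present: review only
    }
    for e in parse_hjt(text):
        body = e["body"]
        if e["section"] == "O2" and body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            if m:
                result["orphan_bhos"].append(m.group(0))
        elif e["section"] == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            name = m.group("short") or m.group("display")
            if m.group("path").endswith("(file missing)"):
                result["orphan_services"].append(name)
            elif m.group("owner") == "Unknown owner":
                result["unknown_owner"].append(name)
    return result


def draft_cfscript(t: Dict[str, object]) -> str:
    """Build Driver::/Registry:: sections in the CFScript form used in the thread.
    Only dangling entries go in; 'Unknown owner' services are left for a human."""
    lines = []
    if t["orphan_services"]:
        lines.append("Driver::")
        lines.extend(t["orphan_services"])      # assumption: Driver:: takes the key name
        lines.append("")
    if t["orphan_bhos"]:
        lines.append("Registry::")
        for clsid in t["orphan_bhos"]:
            lines.append(f"[-{BHO_KEY}\\{clsid}]")   # leading '-' deletes the key
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    if t["safe_mode"]:
        print("# log taken in Safe mode: autostarts may be suppressed, re-check in normal mode")
    print("# review manually (unknown publisher, binary present):", t["unknown_owner"])
    print(draft_cfscript(t), end="")
```

Run as a script it prints the Safe-mode caveat, the services that need a human decision, and a CFScript draft containing only the RoxLiveShare9 service and the orphaned BHO CLSID; the Viewpoint service, which still has a binary and a publisher, is deliberately left out even though it is adware, because that call belongs to the analyst.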

Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 8:34 pm

After you're back from the CFScript run, do this.

I see you have Viewpoint installed; Viewpoint is considered adware, see [You must be registered and logged in to see this link.]
Uninstall all this via Add/remove programs. You can open Add/remove programs by doing the following.

Press Start > Control Panel > Add/remove programs
Uninstall any viewpoint product, as seen in the list below. You can remove them by pressing the Remove button on the right after selecting each one.

Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 9:42 pm

here it is

[You must be registered and logged in to see this link.]


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 9:44 pm

Looks good.
How's everything now?



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 9:48 pm

It doesn't seem to like normal mode yet... I'm trying.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 9:54 pm

Before, you said you could access normal mode, but it locks up?

Could be the stuff you have running, taking heavy hits on your processor.
If normal mode still refuses to run, let's do this.

While in safe mode,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:12 pm

Accidentally responded to the wrong post. I did that and rebooted, and I'm frozen at the login screen.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 10:14 pm

Crud.
Do you have your XP CD?



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:15 pm

I don't think so.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 10:18 pm

Darn.
Well we might be able to do it without the CD.
Boot back to safe mode and do this.

Start > Run
type this in: sfc /scannow
Note the space after the c and before the /
Press enter.

It will now check your files in case they're damaged.
Allow it to do its run.
See if you can boot in normal mode now.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:18 pm

I believe that one came pre-installed. I have it for the other one


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 10:21 pm

Ah.
Well do the instructions I left on the first page of this topic.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:29 pm

Not looking so good. Everything is taking a long time.


Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:33 pm

Nothing will open. I noticed you locked the other chain. We got PMP2 working again, but you said the first log I sent looked clean. It ran after ATF.

PMP2, this chain, has nothing working in normal mode


Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:46 pm

And of course now neither computer is working. PMP2 has stopped now and I'm on the wireless. UPDATE: I got PMP2 back up by renewing the IP address... somehow it was lost.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 10:52 pm

Internet stopped working on that too?
Tried WinsockFix?

Can you do this? Follow this path:
C:\WINDOWS\erdnt\Hiv-backup\ERDNT.exe <-- run that.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 10:55 pm

I was able to get PMP2 on by going to the LAN and hitting repair. It said there was no IP address assigned...(again, PMP2 never showed a virus today, just been acting weird)

Was the last command for the one we've been working on , PMP1?


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 11:00 pm

I'm not hopeful on this, but worth a shot.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 11:07 pm

Will this work in safe mode? I can't even get 'My Computer' open in normal mode.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 11:08 pm

Yeah, MBAM will work in safe mode.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 11:17 pm

While that is running, now PMP2 has stopped again. I ran ComboFix and it says it 'detected rootkit activity'... what is that? My LAN says connected and I've run WinsockFix.


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 11:25 pm

Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.



Re: it's baaaack. Downloader.exe back with friends.

Post by raif on 10th November 2008, 11:32 pm

OK, I'm downloading it now. CF did reboot and finish after saying that, and the log is here [You must be registered and logged in to see this link.]


Re: it's baaaack. Downloader.exe back with friends.

Post by Belahzur on 10th November 2008, 11:37 pm

Okay, will wait for gmer's log.



Post by raif on 10th November 2008, 11:47 pm

PMP1 - malware detected no problems. O's across the board. I'm trying now to restart it in normal mode and it's basically frozen still.

PMP2 - has just come back up and online after running combo fix again and winsockfix with a reboot.


Post by Belahzur on 10th November 2008, 11:52 pm

Did GMER run?

I'm sick of this rootkit now, this should blow it away. Run this on PMP2.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\f49f4daa.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.



Post by raif on 10th November 2008, 11:53 pm

PMP1 - the internet loads fine in safe mode, freezes in normal

PMP2 - GMER running now but it's working and online

Which do you want the new instructions run on?


Post by Belahzur on 10th November 2008, 11:54 pm

On PMP2 please, that's what CF is showing it on.



Post by raif on 11th November 2008, 12:05 am

PMP1 - still running fine, online, in safe mode. Stalling in normal.

PMP2- getting ready to run avenger. gmer log:

[You must be registered and logged in to see this link.]


Post by raif on 11th November 2008, 12:12 am

PMP1 - same

PMP2 - rootkit scan is active, no rootkits found! (do you want me to still send everything for that?...I wasn't sure what a new HJT log was)


Post by Belahzur on 11th November 2008, 12:14 am

Sigh. Yes, I need a new Hijack This log and the Avenger's log.



Post by raif on 11th November 2008, 12:14 am

PMP2 - was working fine and now will no longer connect to the internet. LAN says connected, I'll get the logs.


Post by raif on 11th November 2008, 12:16 am

PMP1 says HP Boot Optimizer has encountered a problem and needs to close - in normal mode


Post by raif on 11th November 2008, 12:21 am

PMP2 avenger log :

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\TEMP\logishrd\LVPrcInj01.dll" deleted successfully.

Error: file "c:\windows\f49f4daa.dat" not found!
Deletion of file "c:\windows\f49f4daa.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Post by raif on 11th November 2008, 12:22 am

PMP2 Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:46 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 6490 bytes

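Added example, not code from the thread or from HijackThis: a small Python triage helper that parses log lines in the HijackThis format quoted above into records and flags the ones a helper usually examines first (an unidentified Winsock LSP module, or an autostart, service or BHO loading from a temp directory). The sample lines are constructed from entries in the log above plus one invented O4 entry, [ExampleEntry], added only to exercise the temp-directory rule.

```python
"""Triage parser for HijackThis v2.0.2 log lines (added example, see lead-in)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries quoted in the thread plus one invented O4 line
# ([ExampleEntry]) that points into a TEMP directory to exercise the flagging rule.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleEntry] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
"""

# "O4 - <detail>", "R1 - <detail>", ...; headers and the process list are skipped.
LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
# First Windows path that ends in a loadable/launchable extension.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|lnk))", re.IGNORECASE)
# Directories from which an autostart, service or BHO should not normally load.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

@dataclass
class Entry:
    section: str          # e.g. "O4", "O23"
    detail: str           # text after "O4 - "
    path: Optional[str]   # best-effort file path pulled from the line

def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per O/R/F/N line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, detail = m.groups()
        pm = PATH_RE.search(detail)
        entries.append(Entry(section, detail, pm.group(1) if pm else None))
    return entries

def flag_entry(e: Entry) -> Optional[str]:
    """Reason the entry deserves a closer look, or None if nothing stands out."""
    if e.section == "O10" and e.detail.lower().startswith("unknown file"):
        return "unidentified Winsock LSP module"
    path = (e.path or "").lower()
    if e.section in ("O2", "O4", "O23") and any(mk in path for mk in TEMP_MARKERS):
        return "loads from a temporary directory"
    if e.section == "O4" and e.path is None:
        return "autostart entry without a resolvable file path"
    return None

def triage(text: str) -> List[Tuple[str, Optional[str], str]]:
    """(section, path, reason) for every flagged entry, in log order."""
    flagged = []
    for e in parse_hjt(text):
        reason = flag_entry(e)
        if reason:
            flagged.append((e.section, e.path, reason))
    return flagged
```

Run `triage(SAMPLE_LOG)` to list the two flagged entries; the remaining lines (stock Intel, Adobe and Logitech paths) come back clean, which is the same picture the helper reached by reading the log by eye.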

Post by Belahzur on 11th November 2008, 12:24 am

Yay, the file CF couldn't delete is gone.
Can't see anything wrong with the new Hijack This log.

RUN THIS NEXT FIX ON PMP1.
This will stop the HP boot error.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPBootOp"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.



Post by raif on 11th November 2008, 12:29 am

PMP2 back up and online fast!


Post by Belahzur on 11th November 2008, 12:30 am

OMG. Holy crap.
Run the reg fix on machine PMP1.


How's machine 1 and 2 now?



Post by raif on 11th November 2008, 12:34 am

PMP1 - ran reg fix in safe mode. Still barely starting in normal mode...should I try avenger on PMP1 or something?


Post by raif on 11th November 2008, 12:40 am

PMP1 won't get past the login screen in normal mode after reg fix but will open internet in safe mode


Last edited by raif on 11th November 2008, 12:47 am; edited 1 time in total


Post by Belahzur on 11th November 2008, 12:42 am

No. Don't run the avenger on PMP1.
I'm looking through a CF log of PMP1.
Don't touch PMP2 for now, we've fixed that.

Can you submit this file below
c:\windows\system32\spmsg2.dll
to here for a scan.
[You must be registered and logged in to see this link.]

Press the browse button to find the file, then double click it and hit the submit button to upload it.



Post by raif on 11th November 2008, 12:59 am

PMP1

Scanner Malware name
A-Squared Trojan-Spy.Win32.Banker.JU!IK
AntiVir SPR/Tool.HideProc.O.1
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
G DATA X
Ikarus Trojan-Spy.Win32.Banker.JU
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


Post by Belahzur on 11th November 2008, 1:00 am

Okay, it's come back as showing malware.

Delete this file.
c:\windows\system32\spmsg2.dll

Any better?



Post by raif on 11th November 2008, 1:09 am

Sorry, hung up for a sec personally, I'll know soon!


Post by Belahzur on 11th November 2008, 1:14 am

I'll hope for the best.
Going offline, won't be back till tomorrow night, so we can continue this then. Smile

