trojan..ect..ect...ect

View previous topic View next topic Go down

Solved trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 7:24 pm

HELP!! My computer is infected with adware,malware, and a ton of virus's. I made the mistake of downloading a anti virus program that I think ended up being a virus itself.

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 7:26 pm

Please read here and post a Hijack This log.
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 7:51 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:03 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\MPK\MPK.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Documents and Settings\The Lincecum's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Downloads\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
O2 - BHO: (no name) - {1C4D119D-B9DA-4112-B446-A1D3A6CF2055} - C:\WINDOWS\system32\rqRJDspn.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\tuvSkHBq.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [0c3fff69] rundll32.exe "C:\WINDOWS\system32\icnmsyjf.dll",b
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\The Lincecum's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D78E836-6D56-4E72-B457-F2A07BB3734D}: NameServer = 85.255.116.38;85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{C79A7F4C-B515-44C0-AC49-7E4FC6A3AE59}: NameServer = 85.255.116.38;85.255.112.95
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.38;85.255.112.95
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.38;85.255.112.95
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: tuvSkHBq - tuvSkHBq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8645 bytes

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 7:54 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\MPK.exe
    O2 - BHO: (no name) - {1C4D119D-B9DA-4112-B446-A1D3A6CF2055} - C:\WINDOWS\system32\rqRJDspn.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\tuvSkHBq.dll (file missing)
    O4 - HKLM\..\Run: [0c3fff69] rundll32.exe "C:\WINDOWS\system32\icnmsyjf.dll",b
    O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D78E836-6D56-4E72-B457-F2A07BB3734D}: NameServer = 85.255.116.38;85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C79A7F4C-B515-44C0-AC49-7E4FC6A3AE59}: NameServer = 85.255.116.38;85.255.112.95
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.38;85.255.112.95
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.38;85.255.112.95
    O20 - Winlogon Notify: tuvSkHBq - tuvSkHBq.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Files to delete:
C:\WINDOWS\system32\rqRJDspn.dll
C:\WINDOWS\system32\icnmsyjf.dll
C:\WINDOWS\system32\frmwrk32.exe

Folders to delete:
C:\WINDOWS\system32\MPK

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 8:48 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\rqRJDspn.dll" deleted successfully.
File "C:\WINDOWS\system32\icnmsyjf.dll" deleted successfully.
File "C:\WINDOWS\system32\frmwrk32.exe" deleted successfully.
Folder "C:\WINDOWS\system32\MPK" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 9:39 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 9:43 pm

DDS (Ver_09-01-07.01) - NTFSx86
Run by The Lincecum's at 15:43:11.28 on Wed 01/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1553 [GMT -6:00]

AV: avast! antivirus 4.8.1296 [VPS 090114-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Documents and Settings\The Lincecum's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Lincecum's\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: {1c4d119d-b9da-4112-b446-a1d3a6cf2055} - c:\windows\system32\rqRJDspn.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\documents and settings\the lincecum's\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\rqRJDspn

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-16 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-16 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-16 155160]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-16 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-16 352920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 9:44 pm

=============== Created Last 30 ================

2009-01-14 02:50 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-14 02:50 4,785 a------- c:\windows\system32\warning.gif
2009-01-14 02:50 1 a------- c:\windows\system32\uniq.tll
2009-01-14 02:50 1 a------- c:\windows\system32\test.ttt
2009-01-14 02:50 31,232 a------- c:\windows\system32\pcload.exe
2009-01-13 18:44 123,904 a------- c:\windows\system32\jwywkacx.dll
2009-01-13 18:41 1,354,217 ---sh--- c:\windows\system32\fjysmnci.ini
2009-01-13 05:01 587 a------- c:\windows\system32\runkgb.lnk
2009-01-13 05:01 587 a------- c:\windows\system32\runrefog.lnk
2009-01-12 18:40 1,268,985 ---sh--- c:\windows\system32\avsejvxp.ini
2009-01-11 18:38 1,268,985 ---sh--- c:\windows\system32\vyutlkcr.ini
2009-01-10 18:38 1,256,329 ---sh--- c:\windows\system32\ubwsoeap.ini
2009-01-09 18:38 1,336,324 ---sh--- c:\windows\system32\rxbeltft.ini
2009-01-08 18:35 1,336,324 ---sh--- c:\windows\system32\lbkhoykx.ini
2009-01-08 05:01 --dsh--- c:\docume~1\alluse~1\applic~1\MPK
2009-01-05 18:43 1,322,965 ---sh--- c:\windows\system32\ijtnqlmk.ini
2009-01-04 18:43 1,307,356 ---sh--- c:\windows\system32\wwahewhq.ini
2009-01-03 18:46 1,307,365 ---sh--- c:\windows\system32\cmrgdttu.ini
2009-01-02 18:43 1,307,356 ---sh--- c:\windows\system32\hehdmsty.ini
2009-01-02 11:16 143 a------- c:\windows\system32\mcrh.tmp
2009-01-01 18:36 1,665,876 a--sh--- c:\windows\system32\npsDJRqr.ini2
2009-01-01 18:36 1,665,876 a--sh--- c:\windows\system32\npsDJRqr.ini
2009-01-01 18:28 14,336 a------- c:\windows\system32\senekapxyoedlj.dll
2009-01-01 18:28 3 a------- c:\windows\system32\senekadf.dat
2009-01-01 18:28 59 a------- c:\windows\system32\seneka.dat
2009-01-01 18:23 172,319 a------- c:\windows\system32\senekalog.dat
2008-12-31 05:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-28 21:05 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-28 21:05 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-25 21:49 18,560 a------- c:\windows\system32\drivers\FlyUsb.sys
2008-12-25 21:48 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-25 21:48 --d----- c:\program files\common files\Wise Installation Wizard
2008-12-25 21:46 --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-25 21:46 --d----- c:\program files\LeapFrog
2008-12-17 22:35 --dshr-- C:\resycled

==================== Find3M ====================

2008-12-14 19:25 2,710 a------- c:\windows\system32\TDSSxekj.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-08-15 13:55 0 a---h--- c:\documents and settings\the lincecum's\hpothb07.dat
2008-08-02 18:29 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-02 18:29 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-02 18:29 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:43:21.18 ===============

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 9:50 pm

Hello.
Lets use the avenger again.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Files to delete:
c:\windows\system32\rqRJDspn.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\warning.gif
c:\windows\system32\uniq.tll
c:\windows\system32\test.ttt
c:\windows\system32\pcload.exe
c:\windows\system32\jwywkacx.dll
c:\windows\system32\fjysmnci.ini
c:\windows\system32\runkgb.lnk
c:\windows\system32\runrefog.lnk
c:\windows\system32\avsejvxp.ini
c:\windows\system32\vyutlkcr.ini
c:\windows\system32\ubwsoeap.ini
c:\windows\system32\rxbeltft.ini
c:\windows\system32\lbkhoykx.ini
c:\windows\system32\ijtnqlmk.ini
c:\windows\system32\wwahewhq.ini
c:\windows\system32\cmrgdttu.ini
c:\windows\system32\hehdmsty.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\npsDJRqr.ini2
c:\windows\system32\npsDJRqr.ini
c:\windows\system32\senekapxyoedlj.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\seneka.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\TDSSxekj.dll

Folders to delete:
C:\Documents and Settings\All Users\Application Data\MPK
C:\resycled


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Please run DDS again to make sure we got it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 10:18 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\rqRJDspn.dll" not found!
Deletion of file "c:\windows\system32\rqRJDspn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\ahtn.htm" deleted successfully.
File "c:\windows\system32\warning.gif" deleted successfully.
File "c:\windows\system32\uniq.tll" deleted successfully.
File "c:\windows\system32\test.ttt" deleted successfully.
File "c:\windows\system32\pcload.exe" deleted successfully.
File "c:\windows\system32\jwywkacx.dll" deleted successfully.
File "c:\windows\system32\fjysmnci.ini" deleted successfully.
File "c:\windows\system32\runkgb.lnk" deleted successfully.
File "c:\windows\system32\runrefog.lnk" deleted successfully.
File "c:\windows\system32\avsejvxp.ini" deleted successfully.
File "c:\windows\system32\vyutlkcr.ini" deleted successfully.
File "c:\windows\system32\ubwsoeap.ini" deleted successfully.
File "c:\windows\system32\rxbeltft.ini" deleted successfully.
File "c:\windows\system32\lbkhoykx.ini" deleted successfully.
File "c:\windows\system32\ijtnqlmk.ini" deleted successfully.
File "c:\windows\system32\wwahewhq.ini" deleted successfully.
File "c:\windows\system32\cmrgdttu.ini" deleted successfully.
File "c:\windows\system32\hehdmsty.ini" deleted successfully.
File "c:\windows\system32\mcrh.tmp" deleted successfully.
File "c:\windows\system32\npsDJRqr.ini2" deleted successfully.
File "c:\windows\system32\npsDJRqr.ini" deleted successfully.
File "c:\windows\system32\senekapxyoedlj.dll" deleted successfully.
File "c:\windows\system32\senekadf.dat" deleted successfully.
File "c:\windows\system32\seneka.dat" deleted successfully.
File "c:\windows\system32\senekalog.dat" deleted successfully.
File "c:\windows\system32\TDSSxekj.dll" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\MPK" deleted successfully.
Folder "C:\resycled" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 10:29 pm

Hello.
Please post a new DDS log to make sure we got it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 10:40 pm

DDS (Ver_09-01-07.01) - NTFSx86
Run by The Lincecum's at 16:38:50.59 on Wed 01/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1603 [GMT -6:00]

AV: avast! antivirus 4.8.1296 [VPS 090114-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Documents and Settings\The Lincecum's\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Lincecum's\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: {1c4d119d-b9da-4112-b446-a1d3a6cf2055} - c:\windows\system32\rqRJDspn.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\documents and settings\the lincecum's\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\rqRJDspn

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-16 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-16 352920]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-16 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-16 155160]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 10:40 pm

=============== Created Last 30 ================

2008-12-31 05:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-28 21:05 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-28 21:05 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-25 21:49 18,560 a------- c:\windows\system32\drivers\FlyUsb.sys
2008-12-25 21:48 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-25 21:48 --d----- c:\program files\common files\Wise Installation Wizard
2008-12-25 21:46 --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-25 21:46 --d----- c:\program files\LeapFrog

==================== Find3M ====================

2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-08-15 13:55 0 a---h--- c:\documents and settings\the lincecum's\hpothb07.dat
2008-08-02 18:29 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-02 18:29 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-02 18:29 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:39:14.40 ===============

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 10:48 pm

Yep, the vundo is gone.
We need to remove the registry restrictions now.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Explorer\Browser Helper Objects\{1c4d119d-b9da-4112-b446-a1d3a6cf2055}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


  • Now open another new notepad file.
  • Input this into the notepad file:

    regedit /e peek1.txt "HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies"
    regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
    regedit /e peek3.txt "HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies"
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    type peek3.txt >> look.txt
    del peek*.txt
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by trev13 on 14th January 2009, 11:01 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,\
00,53,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,\
54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,\
00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,00,6d,00,73,00,73,00,74,00,\
79,00,6c,00,65,00,73,00,00,00
"InstallTheme"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,54,00,\
68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,\
00,74,00,68,00,65,00,6d,00,65,00,00,00
"DisableTaskMgr"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

trev13
Novice
Novice

Posts Posts : 12
Joined Joined : 2009-01-14
OS OS : dell
Points Points : 28840
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Belahzur on 14th January 2009, 11:12 pm

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    "NoChangingWallpaper"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
    "NoChangingWallpaper"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    "DisableTaskMgr"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


What problems remain now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: trojan..ect..ect...ect

Post by Doctor Inferno on 18th April 2009, 10:32 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104610
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum