flash drive


Solved A variant of win32/kryptik.GH trojan

Post by tinkerman on Wed Feb 11, 2009 12:16 pm

I have scanned with NOD32 antivirus and it has found a number of those RECYCLER viruses; it can't delete them, and I can't enter my hard disks with a double click. Here is the OTViewIt text. Any help will be appreciated.

OTViewIt logfile created on: 11.02.2009 14:05:16 - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 0000041F | Country: Türkiye | Language: TRK | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,52 Gb Available Physical Memory | 75,95% Memory free
2,60 Gb Paging File | 2,27 Gb Available in Paging File | 87,14% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55,88 Gb Total Space | 45,70 Gb Free Space | 81,77% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 149,03 Gb Total Space | 81,42 Gb Free Space | 54,63% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 798B864D68EC4C5
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2009.02.08 21:06:33 | 00,552,064 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32krn.exe
[2007.12.05 03:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2008.05.26 22:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe
[2008.04.14 08:00:52 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2008.04.14 08:00:52 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2006.07.21 16:14:36 | 00,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2004.10.21 17:19:00 | 00,585,728 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
[2006.06.21 19:14:50 | 00,035,328 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
[2008.12.18 18:31:27 | 03,551,456 | ---- | M] (Babylon Ltd.) -- C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[2009.02.08 21:06:33 | 00,949,376 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32kui.exe
[2008.02.26 03:23:34 | 00,443,968 | ---- | M] (Google Inc.) -- C:\Program Files\Picasa2\PicasaMediaDetector.exe
[2008.05.26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
[2008.04.14 08:00:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2007.10.18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe
[2009.02.06 12:50:44 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008.05.26 22:18:18 | 00,184,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchprotocolhost.exe
[2008.05.26 22:17:56 | 00,087,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchfilterhost.exe
[2009.02.11 14:05:03 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005.09.23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005.09.23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2007.01.04 03:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2009.02.08 21:06:33 | 00,552,064 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32krn.exe -- (NOD32krn [Auto | Running])
[2007.12.05 03:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2007.08.24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006.10.26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007.10.18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Running])
[2007.01.05 20:24:32 | 00,913,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
[2008.05.26 22:18:44 | 00,439,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\searchindexer.exe -- (WSearch [Auto | Running])

tinkerman
Intermediate
Posts : 109
Joined : 2009-02-11
Gender : Male
OS : windows xp with sp3
Points : 29209
# Likes : 0

Solved Re: flash drive

Post by tinkerman on Wed Feb 11, 2009 12:17 pm

========== Driver Services ==========

[2001.08.17 19:11:18 | 00,020,160 | ---- | M] (ADMtek Incorporated) -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511 [On_Demand | Stopped])
[2009.02.08 21:06:34 | 00,512,096 | ---- | M] (Eset ) -- C:\WINDOWS\system32\drivers\amon.sys -- (AMON [Auto | Running])
[2008.04.13 08:36:06 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2008.04.17 16:33:26 | 04,707,328 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2009.02.08 21:06:33 | 00,015,424 | ---- | M] () -- C:\WINDOWS\system32\drivers\nod32drv.sys -- (nod32drv [System | Running])
[2007.12.05 03:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2004.08.04 16:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008.02.23 04:38:33 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2007.11.21 01:09:22 | 00,104,320 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
[2008.04.13 08:39:18 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001.11.21 23:03:24 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA [On_Demand | Running])
[2004.10.21 17:20:00 | 00,836,338 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial [On_Demand | Running])
[2005.03.17 13:21:18 | 00,157,056 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
[2008.04.13 11:45:14 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2008.01.07 14:36:16 | 02,216,064 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51 [On_Demand | Running])
[2008.04.13 13:36:40 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi [System | Running])
[2004.08.04 16:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [System | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.google.com.tr/
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com.tr/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=ALCMTR.EXE (Realtek Semiconductor Corp.)
"AlcWzrd"=ALCWZRD.EXE (RealTek Semicoductor Corp.)
"Babylon Client"=C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart (Babylon Ltd.)
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE (Eset )
"NodLogin"=C:\Program Files\Eset\nodlogin.exe ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install ()
"SMSERIAL"=sm56hlpr.exe (Motorola Inc.)
"SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"WinampAgent"=C:\Program Files\Winamp\winampa.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)

========== (O4) Startup Folders ==========

[2008.05.26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
Microsoft Excel'e &Ver: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2007.10.05 20:37:38 | 17,927,192 | ---- | M] (Microsoft Corporation)
Translate with &Babylon: C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll [2008.03.06 13:10:36 | 00,121,856 | ---- | M] (Babylon Ltd.)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_04\bin\npjpi160_04.dll [2007.12.14 03:42:37 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006.10.26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2008.04.13 10:53:34 | 00,558,080 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_04\bin\npjpi160_04.dll [Sun Java Console] -> [2007.12.14 03:42:37 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006.10.26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008.04.13 10:53:34 | 00,558,080 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Galerisi


Solved Re: flash drive

Post by tinkerman on Wed Feb 11, 2009 12:21 pm

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04

========== (O17) DNS Name Servers ==========

{01846545-659E-4130-B63C-79FE341A9414} (Servers: | Description: ADMtek ADM8511 USB To Fast Ethernet Dönüştürücüsü)
{1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3} (Servers: 85.255.112.39,85.255.112.40 | Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC)
{5A84086E-1803-4048-B099-CFEDF317E7E5} (Servers: 85.255.112.39,85.255.112.40 | Description: Intel(R) PRO/Wireless 2915ABG Network Connection)
{EE83451F-2A1F-4C73-9E57-469B61A74318} (Servers: | Description: 1394 Ağ Bağdaştırıcısı)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}" (HKLM) -- C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008.11.10 20:35:04 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [[autorun] | ;dvnlykqjlapjiiobhaixgqhxxtyytmniycfdvuhjacdo | shellexecute="RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com c:\" | ;pjvnwnauuaqp | shell\Open\command="RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com c:\" | ;zzxuoaqxizhuhoiutblioxpwcwfyfwkcxapsasmvoeracjedfqjtngcksfonoxb | shell=Open | ]
[2009.02.11 14:04:52 | 00,000,311 | RHS- | M] () -- C:\autorun.inf -- [ NTFS ]

autorun.inf [[autorun] | ;rqqkzlkqmfouavlcvffilveaboldtfwmhsydmsvodxevojyqqaztdtjwjlrpiknbbhadnevrqcthstxwencxdgnkcyuroapcsbixgjcr | shellexecute="RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com e:\" | ;qcwsofuodvizaezftregnthswpyzmtczmtfdjktmmstm | shell\Open\command="RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com e:\" | ;pwuttvpviztpttmhhjecnttqlcsuhhimkzborsniknnhfxrwzjagbcmtpvevuaofotcnisobiqasawp | shell=Open | ]
[2009.02.11 14:04:54 | 00,000,419 | RHS- | M] () -- E:\autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a80213b-b001-11dd-a843-00c09f95095a}\Shell]
""=Autorun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a80213b-b001-11dd-a843-00c09f95095a}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2008.04.14 08:00:26 | 08,466,432 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a80213b-b001-11dd-a843-00c09f95095a}\Shell\Open\command]
""=RECYCLER\S-3-2-89-100017939-100018341-100028216-8342.com e:\

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9681357e-af63-11dd-802f-806d6172696f}\Shell]
""=Autorun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9681357e-af63-11dd-802f-806d6172696f}\Shell\AutoRun\command]
""=C:\WINDOWS\system32\shell32.dll -- [2008.04.14 08:00:26 | 08,466,432 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9681357e-af63-11dd-802f-806d6172696f}\Shell\Open\command]
""=C:\RECYCLER\S-3-2-89-100017939-100018341-100028216-8342.com -- File not found

========== Files/Folders - Created Within 30 Days ==========


Solved Re: flash drive

Post by tinkerman on Wed Feb 11, 2009 12:22 pm

[3 C:\WINDOWS\*.tmp files]
[2009.02.11 14:04:54 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009.02.11 11:53:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2009.02.11 11:43:46 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009.02.11 11:43:01 | 01,234,120 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\wrar380.exe
[2009.02.08 22:01:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\nod32
[2009.02.08 21:09:28 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009.02.08 21:07:21 | 00,512,096 | ---- | C] (Eset ) -- C:\WINDOWS\System32\drivers\amon.sys
[2009.02.08 21:07:21 | 00,298,104 | ---- | C] (Eset ) -- C:\WINDOWS\System32\imon.dll
[2009.02.08 21:07:21 | 00,015,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\nod32drv.sys
[2009.02.08 21:03:06 | 00,905,216 | ---- | C] (ForumW.org) -- C:\Documents and Settings\Owner\Desktop\Eset Login Viewer v1.3.exe
[2009.02.07 18:47:27 | 00,000,268 | -H-- | C] () -- C:\sqmdata07.sqm
[2009.02.07 18:47:27 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt07.sqm
[2009.02.02 20:45:22 | 00,000,230 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.02.02 01:25:48 | 00,000,268 | -H-- | C] () -- C:\sqmdata06.sqm
[2009.02.02 01:25:48 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt06.sqm
[2009.01.31 22:38:51 | 00,000,268 | -H-- | C] () -- C:\sqmdata05.sqm
[2009.01.31 22:38:51 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt05.sqm
[2009.01.31 21:50:48 | 00,000,268 | -H-- | C] () -- C:\sqmdata04.sqm
[2009.01.31 21:50:48 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt04.sqm
[2009.01.29 02:14:09 | 00,000,268 | -H-- | C] () -- C:\sqmdata03.sqm
[2009.01.29 02:14:09 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt03.sqm
[2009.01.29 01:08:26 | 00,000,311 | RHS- | C] () -- C:\autorun.inf
[2009.01.25 21:17:33 | 00,000,268 | -H-- | C] () -- C:\sqmdata02.sqm
[2009.01.25 21:17:33 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt02.sqm
[2009.01.24 21:27:56 | 00,000,268 | -H-- | C] () -- C:\sqmdata01.sqm
[2009.01.24 21:27:56 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt01.sqm
[2009.01.24 02:45:13 | 00,000,268 | -H-- | C] () -- C:\sqmdata00.sqm
[2009.01.24 02:45:13 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt00.sqm
[2009.01.21 13:18:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009.01.20 12:40:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
[2009.01.20 12:40:32 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009.01.20 12:16:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009.01.19 17:52:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\qs
[2009.01.19 17:51:54 | 00,000,000 | ---D | C] -- C:\Program Files\QuickSnooker
[2009.01.16 19:43:15 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009.01.13 19:27:09 | 00,000,000 | R--- | C] () -- C:\WINDOWS\file.bat
[2009.01.13 19:25:01 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009.02.11 14:05:03 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTViewIt.exe
[2009.02.11 14:04:52 | 00,000,311 | RHS- | M] () -- C:\autorun.inf
[2009.02.11 11:43:18 | 01,234,120 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\wrar380.exe
[2009.02.11 11:22:35 | 00,000,574 | ---- | M] () -- C:\Documents and Settings\Owner\Belgelerim\Paylaşım Klasörlerim.lnk
[2009.02.11 10:32:24 | 00,976,038 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.02.11 10:32:24 | 00,413,744 | ---- | M] () -- C:\WINDOWS\System32\perfh01F.dat
[2009.02.11 10:32:24 | 00,404,302 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.02.11 10:32:24 | 00,082,292 | ---- | M] () -- C:\WINDOWS\System32\perfc01F.dat
[2009.02.11 10:32:24 | 00,063,522 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.02.11 10:28:36 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009.02.11 10:28:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.02.11 10:28:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.02.08 21:06:34 | 00,512,096 | ---- | M] (Eset ) -- C:\WINDOWS\System32\drivers\amon.sys
[2009.02.08 21:06:34 | 00,298,104 | ---- | M] (Eset ) -- C:\WINDOWS\System32\imon.dll
[2009.02.08 21:06:33 | 00,015,424 | ---- | M] () -- C:\WINDOWS\System32\drivers\nod32drv.sys
[2009.02.08 13:54:25 | 00,169,472 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.07 18:47:27 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009.02.07 18:47:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009.02.02 20:45:22 | 00,000,230 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.02.02 01:25:48 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009.02.02 01:25:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009.01.31 22:38:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009.01.31 22:38:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009.01.31 21:50:48 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009.01.31 21:50:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009.01.29 02:14:09 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009.01.29 02:14:09 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009.01.25 21:17:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009.01.25 21:17:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009.01.24 21:27:56 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009.01.24 21:27:56 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009.01.24 02:45:13 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009.01.24 02:45:13 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009.01.18 13:28:09 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.01.17 12:12:36 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009.01.13 19:29:07 | 00,000,000 | R--- | M] () -- C:\WINDOWS\file.bat
< End of report >


Solved Re: flash drive

Post by tinkerman on Wed Feb 11, 2009 12:23 pm

Please help, what should I do?


Solved Re: flash drive

Post by Belahzur on Wed Feb 11, 2009 2:48 pm

Split from 11PM's topic.

I asked that 11PM run OTViewIt because the other tools I prefer to use do not work on Vista, whereas this is XP.

Please do not follow instructions created for other members.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com
    E:\RECYCLER\S-0-9-84-100017252-100030136-100026886-3338.com
    E:\autorun.inf
    C:\autorun.inf
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\WINDOWS\file.bat

    :reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a80213b-b001-11dd-a843-00c09f95095a}]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9681357e-af63-11dd-802f-806d6172696f}]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

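The autorun.inf contents and the MountPoints2 ""= values in the OTViewIt log above, together with the unfamiliar name servers in its (O17) section, are the three things a helper reads out of such a report before writing an OTMoveIt script like the one in this reply. As an added example, not code from the thread or from OldTimer's tools, here is a small Python triage script that pulls those three entry types out of OTViewIt-style lines and rates them. The sample lines are constructed in the shape of the report above (the F: entry is a made-up benign CD autorun so the two cases differ), the function names triage and classify_command are my own, and the expected-resolver set is a placeholder the analyst fills in with the resolvers the network really uses. It goes slightly beyond this thread: any autorun.inf that launches an executable is reported at medium, and a launch path under a RECYCLER folder is raised to high.

```python
import re

# Constructed sample input (not copied verbatim from any real report): lines in
# the shape of the OTViewIt sections above, i.e. "Autorun Files on Drives",
# the MountPoints2 ""= command values and the (O17) DNS Name Servers entries.
# The F: entry is a made-up benign CD autorun, added so the two cases differ.
SAMPLE_LINES = [
    'autorun.inf [[autorun] | ;dvnlykqjlapjiiobhaixgq | shellexecute="RECYCLER\\S-0-9-84-100017252-100030136-100026886-3338.com c:\\" | ;pjvnwnauuaqp | shell\\Open\\command="RECYCLER\\S-0-9-84-100017252-100030136-100026886-3338.com c:\\" | shell=Open | ]',
    '[2009.02.11 14:04:52 | 00,000,311 | RHS- | M] () -- C:\\autorun.inf -- [ NTFS ]',
    'autorun.inf [[autorun] | open=setup.exe | icon=setup.exe,0 | ]',
    '[2008.06.01 10:00:00 | 00,000,045 | ---- | M] () -- F:\\autorun.inf -- [ CDFS ]',
    '""=RECYCLER\\S-3-2-89-100017939-100018341-100028216-8342.com e:\\',
    '""=C:\\WINDOWS\\system32\\shell32.dll -- [2008.04.14 08:00:26 | 08,466,432 | ---- | M] (Microsoft Corporation)',
    '{1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3} (Servers: 85.255.112.39,85.255.112.40 | Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC)',
    '{01846545-659E-4130-B63C-79FE341A9414} (Servers: | Description: ADMtek ADM8511 USB To Fast Ethernet)',
]

# Keys an autorun.inf can use to launch something when the drive is opened.
AUTORUN_CMD = re.compile(r'(?:shellexecute|open|shell\\open\\command)\s*=\s*"?([^"|\]]+)', re.I)
# The "[date time | size | attrs | C/M] (company) -- path" line that follows it.
FILE_ENTRY = re.compile(r'^\[[^|]+\|[^|]+\|\s*(?P<attrs>\S+)\s*\|\s*[CM]\]\s*\([^)]*\)\s*--\s*(?P<path>\S+)')
# MountPoints2 ""= values; the text after " -- " is OTViewIt's file annotation.
MOUNTPOINT_CMD = re.compile(r'^""=(?P<cmd>.+?)(?:\s+--\s+.*)?$')
DNS_ENTRY = re.compile(r'^\{(?P<guid>[0-9A-Fa-f-]+)\}\s*\(Servers:\s*(?P<servers>[^|]*)\|')

EXE_EXT = re.compile(r'\.(?:com|exe|scr|pif|bat|cmd)(?=\s|$)', re.I)
RECYCLE_DIR = re.compile(r'\bRECYCLE[RD]?\\', re.I)


def classify_command(cmd):
    """Rate a launch command found in autorun.inf or MountPoints2.

    Returns (severity, reason), or None when the command is not worth a finding
    (for example the stock shell32.dll handler Windows itself writes).
    """
    if RECYCLE_DIR.search(cmd):
        return 'high', 'launches a file stored under a RECYCLER folder'
    if EXE_EXT.search(cmd):
        return 'medium', 'launches an executable when the drive is opened'
    return None


def triage(lines, expected_dns=frozenset()):
    """Scan OTViewIt-style lines and return a list of finding dicts.

    expected_dns is the set of resolvers the machine is supposed to use (from
    the ISP or the local network); anything else in an (O17) entry is reported.
    """
    findings = []
    pending = None  # commands from an autorun.inf line, awaiting its file entry
    for raw in lines:
        line = raw.strip()
        if line.lower().startswith('autorun.inf ['):
            # Deduplicate while keeping order: shellexecute and shell\open\command
            # usually carry the same payload path.
            pending = list(dict.fromkeys(m.group(1).strip() for m in AUTORUN_CMD.finditer(line)))
            continue
        entry = FILE_ENTRY.match(line)
        if entry and pending is not None:
            attrs = entry.group('attrs')
            hidden_system = 'H' in attrs and 'S' in attrs
            for cmd in pending:
                rated = classify_command(cmd)
                if rated:
                    severity, reason = rated
                    if hidden_system:
                        reason += '; file is marked hidden+system'
                    findings.append({'severity': severity, 'kind': 'autorun.inf',
                                     'where': entry.group('path'), 'detail': cmd, 'reason': reason})
            pending = None
            continue
        mp = MOUNTPOINT_CMD.match(line)
        if mp:
            rated = classify_command(mp.group('cmd'))
            if rated:
                findings.append({'severity': rated[0], 'kind': 'MountPoints2',
                                 'where': mp.group('cmd'), 'detail': mp.group('cmd'), 'reason': rated[1]})
            continue
        dns = DNS_ENTRY.match(line)
        if dns:
            servers = [s.strip() for s in dns.group('servers').split(',') if s.strip()]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append({'severity': 'medium', 'kind': 'DNS',
                                 'where': dns.group('guid'), 'detail': ','.join(unexpected),
                                 'reason': 'name servers differ from the expected resolvers'})
    return findings


if __name__ == '__main__':
    # 192.168.1.1 is a placeholder; put the resolvers the network really uses here.
    for f in triage(SAMPLE_LINES, expected_dns={'192.168.1.1'}):
        print(f"[{f['severity']:6}] {f['kind']:12} {f['where']}: {f['reason']} ({f['detail']})")
```

Run as-is it prints four findings for the sample. On a real report, feed it the lines of the OTViewIt text and pass the resolvers from the router or ISP as expected_dns. The medium finding on the CD's setup.exe is deliberate: it is there so the analyst looks, not so the tool decides.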
Solved Re: flash drive

Post by tinkerman on Fri Feb 13, 2009 10:46 am

File/Folder C:\autorun.inf not found.
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmdata04.sqm moved successfully.
C:\sqmdata05.sqm moved successfully.
C:\sqmdata06.sqm moved successfully.
C:\sqmdata07.sqm moved successfully.
C:\sqmdata08.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\sqmnoopt04.sqm moved successfully.
C:\sqmnoopt05.sqm moved successfully.
C:\sqmnoopt06.sqm moved successfully.
C:\sqmnoopt07.sqm moved successfully.
C:\sqmnoopt08.sqm moved successfully.
C:\WINDOWS\file.bat moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a80213b-b001-11dd-a843-00c09f95095a}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9681357e-af63-11dd-802f-806d6172696f}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02132009_124430


Solved Re: flash drive

Post by tinkerman on Fri Feb 13, 2009 10:48 am

I really appreciate your help, this is the best forum I've ever seen on the web. Am I safe now?


Solved Re: flash drive

Post by Belahzur on Fri Feb 13, 2009 5:10 pm

Not sure.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Solved Re: flash drive

Post by tinkerman on Sat Feb 14, 2009 10:13 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 12:08:44,37 on 14.02.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1529 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3} = 85.255.112.39,85.255.112.40
TCP: {5A84086E-1803-4048-B099-CFEDF317E7E5} = 85.255.112.39,85.255.112.40
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\dk994s4c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-02-13 12:44 --d----- C:\_OTMoveIt
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-21 13:18 --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-01-20 12:16 --d----- c:\program files\Trend Micro
2009-01-19 17:52 --d----- c:\docume~1\alluse~1\applic~1\qs
2009-01-19 17:51 --d----- c:\program files\QuickSnooker
2009-01-16 19:43 --d----- c:\program files\ESET

==================== Find3M ====================

2009-02-14 12:03 413,744 a------- c:\windows\system32\perfh01F.dat
2009-02-14 12:03 82,292 a------- c:\windows\system32\perfc01F.dat
2008-12-29 00:00 90,624 a------- c:\windows\system32\a.exe

============= FINISH: 12:09:01,90 ===============

tinkerman
Intermediate
Intermediate

Posts Posts : 109
Joined Joined : 2009-02-11
Gender Gender : Male
OS OS : windows xp with sp3
Points Points : 29209
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: flash drive

Post by Belahzur on Sat Feb 14, 2009 2:33 pm

Hello.
Just need to clean up a DNS hijack.

Post a new Hijack This log please.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 11:11 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:51, on 15.02.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\Eset\nodlogin.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Microsoft Excel'e &Ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Translate with &Babylon - [You must be registered and logged in to see this link.] Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.tr/
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A84086E-1803-4048-B099-CFEDF317E7E5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4769 bytes

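The three TCP: NameServer lines in the DDS log earlier and the five O17 lines in the HijackThis log above are the whole of the hijack as far as DNS goes: the same two resolvers are written into the global Tcpip\Parameters value and into the per-interface keys, in the current control set and in the numbered control sets, so a fix applied to only one key (or a Last Known Good boot) can bring them back. The script below is an added example, not part of the thread and not HijackThis code: it parses O17 lines, expands the abbreviated key names (CCS, CS1, CS2 are HijackThis shorthand for CurrentControlSet and ControlSet001/002; `Tcpip\..\{GUID}` is its shorthand for the per-interface key under Tcpip\Parameters\Interfaces) to the full registry paths, and classifies each resolver against a watchlist. The 85.255.112.0/20 rogue range, the 192.168.1.1 "trusted" resolver, and the benign sample line with its all-zero GUID are assumptions made for the demo.

```python
"""Triage HijackThis O17 (NameServer) lines for DNS-hijack indicators.

Added example for this thread; not code from HijackThis or from the posts.
The resolver watchlists and the benign sample line are assumptions.
"""
import ipaddress
import re

# Assumption: treat 85.255.112.0/20 as rogue because the 85.255.112.39/.40
# resolvers in the posted log fall inside it. A production checker would
# load a maintained list of known rogue resolver ranges instead.
ROGUE_NETWORKS = [ipaddress.ip_network("85.255.112.0/20")]

# Assumption (constructed): resolvers this network is expected to use.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# HijackThis abbreviates the control-set names in its O17 keys.
CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}

# "Tcpip\..\{GUID}" is HijackThis shorthand for the per-interface key under
# Tcpip\Parameters\Interfaces; "Tcpip\Parameters" is the global value.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})|Parameters): NameServer = (?P<servers>[0-9., ]+)$"
)

# Three of the O17 lines from the log in this thread plus one constructed
# benign line (all-zero GUID, private resolver) for contrast.
SAMPLE_LOG = "\n".join([
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3}: NameServer = 85.255.112.39,85.255.112.40",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
])


def registry_path(cs, guid=None):
    """Expand the abbreviated O17 key to the full location of the NameServer value."""
    parts = ["HKLM", "SYSTEM", CONTROL_SETS[cs], "Services", "Tcpip", "Parameters"]
    if guid:
        parts += ["Interfaces", guid]
    return "\\".join(parts)


def classify(server):
    """'rogue' if on the watchlist, 'ok' if expected, else 'review' (ask the owner/ISP)."""
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in ROGUE_NETWORKS):
        return "rogue"
    if addr in TRUSTED_RESOLVERS:
        return "ok"
    return "review"


def triage(log_text):
    """Return one finding per O17 line: where the value lives and how bad it looks."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
        verdicts = {classify(s) for s in servers}
        worst = "rogue" if "rogue" in verdicts else "review" if "review" in verdicts else "ok"
        findings.append({
            "control_set": m["cs"],
            "scope": "interface " + m["guid"] if m["guid"] else "global",
            "registry_path": registry_path(m["cs"], m["guid"]),
            "servers": servers,
            "verdict": worst,
        })
    return findings


def rogue_control_sets(findings):
    """Control sets that still carry a rogue resolver. CurrentControlSet is a link
    to one numbered set, so the others stay hijacked unless they are fixed too."""
    return {f["control_set"] for f in findings if f["verdict"] == "rogue"}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"].upper(), f["registry_path"], ",".join(f["servers"]))
    print("control sets still hijacked:", sorted(rogue_control_sets(triage(SAMPLE_LOG))))
```

Anything reported as "review" is a resolver the checker does not recognise, not proof of a hijack; confirm it against what the router or ISP actually hands out before deleting it. After the values are removed the resolver cache still holds answers the rogue servers gave, which is why the thread follows the fix with `ipconfig /flushdns`.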
Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 11:18 am

Hello again, I am grateful for your continuing assistance. After we're done, can I be assured that I am not infected by the same variant of viruses? Also, do you know for what purpose this malware infected me? And also, how can I guard myself from this type of threat? A thousand times thanks to you again :) Waiting for final commands from you..

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 2:56 pm

Hello.
1. Open Hijack This.
2. Select "Do a system scan only"
3. Check the boxes next to these lines.

O17 - HKLM\System\CCS\Services\Tcpip\..\{1E9EC0E6-BCF2-4A58-97A2-5BC9923B1ED3}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A84086E-1803-4048-B099-CFEDF317E7E5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40

4. Press "Fix Checked"
5. Close Hijack This.


Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 3:23 pm

Hi, I followed your instructions. Is that all I have to do? Am I safe now?

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 3:27 pm

It looks okay to me.
Press Start > Run, type in cmd and press enter.
When the command prompt opens, type in ipconfig /flushdns <== note the space between the g and / and press enter.
Close the command prompt.

How is the machine running now?



Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 3:35 pm

It had already started to heal starting from your first help, and now I think it runs fully healthy. You are fantastic :)

Now I'm just curious about how I got infected, because I think my father got infected with this when I was not at home :) And for what purpose had this virus worked? If you have time, please post me some information so that I can guard myself against future infections..

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 3:37 pm

It was a USB infection: you or someone else (not blaming anyone) plugged an infected USB stick into this machine.

The virus hijacks the machine's DNS from your ISP's IP to a custom IP in Ukraine.



Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 3:41 pm

It looks very dangerous. Someone can commit a crime in Ukraine and blame me for that? Have I understood well?

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 3:48 pm

Meh, we know better, we know who's to blame and it's not you.
Run this to protect against this infection.

Please download Flash_Disinfector from [You must be registered and logged in to see this link.]

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.

Note:
Anytime you plug in a USB stick that isn't yours and you don't trust it, DO NOT open it by double clicking.
Double-clicking a USB drive in My Computer will activate the autorun; instead, open the drive by doing this:
RIGHT CLICK the drive > Explore.
That bypasses the autorun and won't activate it.


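The post above describes both halves of the USB-worm mechanism: a worm drops an autorun.inf in the root of a removable drive whose open / shell\...\command directives point at its executable (commonly hidden under a RECYCLER folder so it passes for the Recycle Bin), and the dummy autorun.inf occupies that filename so the worm cannot write its own. The following is an added example, not Flash_Disinfector's code and not from the thread: it parses an autorun.inf the way a responder would before trusting a drive, reports what the file would launch, and shows the placeholder trick as a directory named autorun.inf planted in a temporary "drive root". Both autorun.inf samples are constructed, the all-zero SID path is made up, and the placeholder's exact form is an assumption (whatever attributes the real tool sets, this demo only reserves the name).

```python
"""Triage an autorun.inf from a drive root and demonstrate the placeholder trick.

Added example for this thread; not Flash_Disinfector's code and not from the
posts. Both autorun.inf samples below are constructed, including the SID path.
"""
import os
import re
import tempfile

# Directives that make XP-era AutoPlay run something when the drive is opened.
# Assumption: this is the demo's own short list, not an exhaustive one.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\open\command etc.

# Constructed: the shape of a RECYCLER-style USB worm's autorun.inf.
WORM_INF = "\n".join([
    "[AutoRun]",
    r"open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-0000\sample.exe",
    r"shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-0000\sample.exe",
    r"shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-0000\sample.exe",
    r"icon=%SystemRoot%\system32\SHELL32.dll,4",
    "shell=open",
])

# Constructed: what a harmless vendor autorun.inf looks like (icon and label only).
BENIGN_INF = "[autorun]\nicon=vendor.ico\nlabel=Camera\n"


def parse_autorun(text):
    """INI-style parse into {section: {key: value}} with lowercased names.
    Hand-rolled rather than configparser because worm-written files often
    carry duplicate keys and junk lines that configparser refuses."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(directive, target) pairs that would execute when the drive is opened."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def assess(text):
    """Human-readable reasons an autorun.inf looks malicious; empty means clean."""
    reasons = []
    for key, target in launch_targets(text):
        reasons.append(f"{key} would run {target}")
        if "recycler" in target.lower() or target.lower().startswith("recycled"):
            reasons.append(f"{key} target is hidden inside a Recycle Bin folder")
    return reasons


def root_state(drive_root):
    """What occupies <root>\\autorun.inf: 'none', 'file' (inspect it) or
    'placeholder' (a directory holding the name so a worm cannot drop a file)."""
    p = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(p):
        return "placeholder"
    if os.path.isfile(p):
        return "file"
    return "none"


def plant_placeholder(drive_root):
    """Create the directory placeholder if the name is free; idempotent.
    Assumption: the real tool may also set attributes on it; this demo only
    reserves the name. It does nothing about a file that is already there,
    which is why assess() runs first."""
    p = os.path.join(drive_root, "autorun.inf")
    if not os.path.exists(p):
        os.mkdir(p)
    return root_state(drive_root)


def demo_placeholder():
    """Run the placeholder cycle in a temporary 'drive root'; return observed states."""
    with tempfile.TemporaryDirectory() as root:
        seq = [root_state(root), plant_placeholder(root), plant_placeholder(root)]
        try:  # a worm trying to write the file now hits the directory and fails
            with open(os.path.join(root, "autorun.inf"), "w") as fh:
                fh.write(WORM_INF)
            seq.append("overwritten")
        except OSError:
            seq.append("blocked")
    return seq


if __name__ == "__main__":
    print("\n".join(assess(WORM_INF)))
    print("benign sample:", assess(BENIGN_INF) or "clean")
    print("placeholder cycle:", demo_placeholder())
```

The placeholder only prevents the file from being created; an autorun.inf that is already on the drive, and the executable it points at, still have to be removed by hand, and opening a drive with an existing launcher by double-click will still run it, which is what the right-click > Explore advice above is about.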

Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 3:54 pm

I think the link is dead; it says page not found..

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 3:57 pm

Sorry, link here:
[You must be registered and logged in to see this link.]



Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 4:15 pm

I did it within a minute, and I prefer to keep Flash_Disinfector.exe, as it only holds 129 KB on my external hard disk. I think that wouldn't be a problem, would it?

Also I would like to say that I am really grateful to meet someone like you. I didn't like and couldn't get such help in any forum or from people before, and I was glancing an eye over your help to other people and realised that you're helping everyone by yourself alone, and I'm really impressed.. I don't know much about computers except gaming and superficial surfing, but I'm really supporting you, and will continue to visit GP and particularly your posts and actions.. You're always welcome and I'll be pleased to keep in touch with you.. Thanks..

Solved Re: flash drive

Post by Belahzur on Sun Feb 15, 2009 4:20 pm

Heh, feel free to visit anytime you want to and watch over me. LMBO or ROFL But seriously, just don't run tools I ask other users to run; such tools are made just for that one machine, and running them on another machine may cause serious damage.



Solved Re: flash drive

Post by tinkerman on Sun Feb 15, 2009 4:25 pm

Yes, I am lucky not to have got damaged before. I did it once because I was too inexperienced and in alarm mode :)) But now I am getting used to it and have gained patience :) And of course I will always listen to my doctor :))
See you soon..

Solved Re: flash drive

Post by Doctor Inferno on Mon Jul 06, 2009 3:31 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

View user profile

Back to top Go down
