#1
Registered User
Join Date: Oct 2007
Posts: 9
OS: xp
HJT report for trojan-spy.win32@mx & TJ/BX
Hello,
I'd really appreciate any help with these bubble pop-ups I've been getting on my PC. They are as follows:
System Alert: Trojan-Spy.Win32@mx
SpyWorm.Win32
Install new security window for Virus Ranger, AntiSpyware Gold, and Virus Locker
System Security Caution for Trojan TJ/BZ
*******************************
Below is the HJT report:
StartupList report, 10/22/2007, 12:24:47 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Mat DiMond\Desktop\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\My Documents\Downloads, Installers\KABE3E.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Desktop\HiJackThis_v2.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Mat DiMond\Start Menu\Programs\Startup]
KABE-Calendar.lnk = C:\Documents and Settings\Mat DiMond\My Documents\Downloads, Installers\KABE3E.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
LogitechCommunicationsManager = "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
LogitechQuickCamRibbon = "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
LVCOMSX = "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Aim6 =
DW4 = "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents] =
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing) - {1C3C4699-B285-475F-BE47-0B26088CE876}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Video Add-on\isfmdl.dll - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82}
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB
[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/downlo...OGAControl.cab
[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/...toUploader.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://fpdownload2.macromedia.com/ge...sh/swflash.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\nsq2A3.tmp\DivXComponentInstaller.exe||C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\nsq2A3.tmp\||C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\~nsu.tmp||C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\MATDIM~1\LOCALS~1\Temp\~nsu.tmp
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
some = C:\Program Files\Video Add-on\icthis.exe
start = C:\Program Files\Video Add-on\isfmntr.exe
--------------------------------------------------
End of report, 9,072 bytes
Report generated in 0.093 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
******************************
I'm not really sure what to do about this... I have SpywareBlaster and I've run a scan with my AVG Anti-Spyware and cleaned up those threats... any help would be greatly appreciated!
~Thanks
#2
Registered User
Join Date: Oct 2007
Posts: 9
OS: xp
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Over the last 48 hours, my computer has become slower; I cannot open more than 3 windows at a time.
Some new developments are:
1) A new pop-up is telling me that I am: unprotected from the new version of SpyBot@MXt Trojan.
2) There is also some pornographic page that is trying to load.
3) Recommended installation of WinSecureAv to scan my PC for malware.
Trying to keep the post updated... and again, any help would be very appreciated.
Last edited by matdc : 10-23-2007 at 04:49 PM.
#3
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
===============================================================
Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.
================================================================
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
======================================================
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <----- Attached
__________________
Member of ASAP since 2007. Member of UNITE since 2008.
**Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008. For more information please visit the No DPI website. Phorm, previously known as 121Media, were responsible for the Apropos rootkit; see here for more information on said rootkit.
If we have helped you in any way, please consider donating.
#4
Registered User
Join Date: Oct 2007
Posts: 9
OS: xp
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Here is what you've asked for. Hope this helps!
...and thanks again.
Deckard's System Scanner v20071014.68
Run by Admin on 2007-10-24 12:15:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
85: 2007-10-24 16:16:00 UTC - RP85 - Deckard's System Scanner Restore Point
84: 2007-10-24 01:48:01 UTC - RP84 - System Checkpoint
83: 2007-10-23 01:04:46 UTC - RP83 - System Checkpoint
82: 2007-10-21 23:37:43 UTC - RP82 - Installed Java(TM) 6 Update 3
81: 2007-10-21 21:36:01 UTC - RP81 - System Checkpoint
-- First Restore Point --
1: 2007-08-09 00:30:15 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-24 12:17:59
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common 
Files\logishrd\LVCOMSER\LVComSer.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Video Add-on\icthis.exe C:\Program Files\Video Add-on\isfmntr.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Video Add-on\isfmm.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam\Quickcam.exe C:\Program Files\Common Files\logishrd\LComMgr\LVComSX.exe C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Admin\My Documents\Downloads, Installers\KABE3E.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe C:\Documents and Settings\Admin\Desktop\dss.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AdobeUpdater] C:\Program 
Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe O4 - Startup: KABE-Calendar.lnk = C:\Documents and Settings\Admin\My Documents\Downloads, Installers\KABE3E.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...OGAControl.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web 
Folders\PKMCDO.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O22 - SharedTaskScheduler: disenfranchising - {e2b8cea1-c8a7-48e2-b2fd-89ae5c608fb8} - (no file) O22 - SharedTaskScheduler: barysilite - {c74f7434-a6e7-46c3-bf60-62a005074fe5} - C:\WINDOWS\system32\fwzozx.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe O23 - Service: LVCOMSer - Logitech Inc. 
- C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\logishrd\SrvLnch\SrvLnch.exe O23 - Service: SavRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 10453 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3> R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. 
(PCAUSA); PCAUSA Rawether for Windows> S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Scheduled Tasks ------------------------------------------------------------- 2007-10-18 14:33:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 2007-08-09 13:38:50 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job -- Files created between 2007-09-24 and 2007-10-24 ----------------------------- 2007-10-21 19:25:31 0 d-------- C:\Program Files\AntiVirGear 3.8 2007-10-21 19:25:10 0 d-------- C:\Program Files\Video Add-on 2007-10-12 12:00:00 0 d-------- C:\Program Files\DivX 2007-09-29 13:31:36 19552 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT 2007-09-26 07:31:21 0 d-------- C:\Program Files\The Weather Channel FW -- Find3M Report --------------------------------------------------------------- 2007-10-24 12:13:02 40 --a------ C:\WINDOWS\system32\profile.dat 2007-10-21 21:33:35 0 d-------- C:\Program Files\SpywareBlaster 2007-10-21 19:39:21 0 d-------- C:\Program Files\Java 2007-10-15 13:04:18 0 d-------- C:\Documents and Settings\Mat DiMond\Application Data\Macromedia 2007-10-15 13:03:53 12800 --a-s---- C:\WINDOWS\system32\fwzozx.dll 2007-10-12 20:00:34 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-10-12 12:00:15 1480 --a------ C:\WINDOWS\mozver.dat 2007-09-11 06:27:17 0 d-------- C:\Program Files\Video ActiveX Access 2007-09-04 19:04:58 0 d-------- C:\Program Files\Common Files\logishrd 2007-09-04 18:57:31 0 d-------- C:\Program Files\Logitech 2007-09-04 15:18:58 0 d-------- C:\Documents and 
Settings\Admin\Application Data\Grisoft 2007-08-31 12:07:33 0 d-------- C:\Documents and Settings\Admin\Application Data\LimeWire 2007-08-30 17:19:20 0 d-------- C:\Documents and Settings\Admin\Application Data\Talkback 2007-08-30 17:18:55 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla 2007-08-30 16:02:29 0 d-------- C:\Documents and Settings\Admin\Application Data\Viewpoint 2007-08-30 15:41:29 0 d-------- C:\Program Files\iTunes 2007-08-30 15:41:21 0 d-------- C:\Program Files\iPod 2007-08-30 15:40:43 0 d-------- C:\Program Files\Common Files 2007-08-30 15:40:43 0 d-------- C:\Program Files\Common Files\Apple 2007-08-28 11:19:51 0 d-------- C:\Program Files\Virtual ChemLab 2.5 2007-08-26 17:44:48 0 d-------- C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster 2007-08-26 17:44:45 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-08-26 17:44:40 0 d-------- C:\Program Files\Common Files\InstallShield 2007-08-18 15:30:27 335 --a------ C:\WINDOWS\nsreg.dat 2007-08-08 20:24:47 0 -rahs---- C:\MSDOS.SYS 2007-08-08 20:24:47 0 -rahs---- C:\IO.SYS 2007-08-08 20:24:47 0 --a------ C:\CONFIG.SYS 2007-08-08 20:24:47 0 --a------ C:\AUTOEXEC.BAT 2007-08-08 20:21:10 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-08-08 19:13:40 62 --ahs---- C:\Documents and Settings\Admin\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}] C:\Program Files\Video ActiveX Access\iesplg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}] 10/24/2007 12:14 PM 11264 --a------ C:\Program Files\Video Add-on\isfmdl.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"= C:\Program Files\Video Add-on\ictmdl.dll [10/21/2007 07:25 PM 
77824] [-HKEY_CLASSES_ROOT\CLSID\{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM] "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [04/17/2005 12:30 PM] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 02:49 PM] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 02:46 PM] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 02:50 PM] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [07/25/2007 04:02 PM] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [07/25/2007 04:06 PM] "LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [02/06/2007 05:43 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Aim6"="" [] "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [03/16/2007 07:51 AM] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM] C:\Documents and Settings\Admin\Start Menu\Programs\Startup\ KABE-Calendar.lnk - C:\Documents and Settings\Mat DiMond\My Documents\Downloads, Installers\KABE3E.exe [10/8/2007 10:37:43 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM] 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Video Add-on\icthis.exe
"start"=C:\Program Files\Video Add-on\isfmntr.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{c74f7434-a6e7-46c3-bf60-62a005074fe5}"= C:\WINDOWS\system32\fwzozx.dll [10/15/2007 01:03 PM 12800]
*Newly Created Service* - GTNDIS5
-- End of Deckard's System Scanner: finished at 2007-10-24 12:18:35 ------------
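Added triage example (not part of the thread, and not a tool the helper asked for): a small Python script that parses HijackThis-style "O" lines, like the ones in the DSS "HijackThis Clone" section above, and flags the entry types a log reader looks at first: registered entries whose file is gone ("(no file)" / "(file missing)"), autoruns placed under Policies\Explorer\Run, SharedTaskScheduler (O22) entries that load anything other than the stock browseui.dll, and toolbar/BHO names matching the rogue programs the moderator lists later in this thread. The sample log is constructed from lines posted in this thread; the rogue-name list and the browseui.dll default are assumptions written in for illustration, not a maintained signature set.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis-style "O" lines from the
# DSS log posted in this thread, one entry per line as HJT normally writes them.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O22 - SharedTaskScheduler: disenfranchising - {e2b8cea1-c8a7-48e2-b2fd-89ae5c608fb8} - (no file)
O22 - SharedTaskScheduler: barysilite - {c74f7434-a6e7-46c3-bf60-62a005074fe5} - C:\WINDOWS\system32\fwzozx.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

# HJT entry lines look like "O22 - <body>" or "R0 - <body>".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Assumption: names the moderator in this thread identified as rogue programs.
KNOWN_ROGUE_NAMES = {"ie custom tools", "ie safety features", "information center", "windows safety alert"}

# Assumption: the only SharedTaskScheduler (O22) DLL normally present on a clean XP box.
DEFAULT_O22_DLLS = {"browseui.dll"}


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section, e.g. "O22"
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def _target_path(body: str) -> str:
    """Return the last ' - ' separated field of an entry; HJT puts the file path there."""
    return body.rsplit(" - ", 1)[-1].strip()


def _entry_name(body: str) -> str:
    """For O2/O3 entries ('BHO: <name> - {CLSID} - <path>') return <name>."""
    return body.split(":", 1)[1].split(" - ", 1)[0].strip()


def triage(log_text: str) -> list[Finding]:
    """Scan HJT 'O' lines and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process listings and blank lines are skipped
        kind, body = m.group("kind"), m.group("body")
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append(Finding(kind, "orphaned entry: registry points at a file that is gone", line))
            continue
        if kind == "O4" and "policies\\explorer\\run" in low:
            findings.append(Finding(kind, "autorun from Policies\\Explorer\\Run, a key legitimate installers rarely use", line))
        elif kind == "O22" and ntpath.basename(_target_path(body)).lower() not in DEFAULT_O22_DLLS:
            findings.append(Finding(kind, "SharedTaskScheduler loads a non-default DLL", line))
        elif kind in ("O2", "O3"):
            name = _entry_name(body)
            if name.lower() in KNOWN_ROGUE_NAMES:
                findings.append(Finding(kind, f"name '{name}' matches a known rogue program", line))
            elif name == "(no name)":
                findings.append(Finding(kind, "unnamed browser add-on", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section (O2, O4, ...) for a quick overview."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

On the sample above the script flags seven of the ten lines and leaves the Symantec and Adobe entries alone; it is a first pass for sorting a long log, not a verdict, and every flagged path still needs the file checked (signature, vendor, creation date) the way the helper does by hand in this thread.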
#5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Hello again
Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding.
---------------------------------------------------------------
It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean the infection is gone.
======================================================
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will be unable to connect to the internet during this fix.
=======================================================
P2P
I see you have P2P software LimeWire 4.14.8 installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.
=====================================================
Downloads
Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it just yet; we will shortly.
----------------------------------------
Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe
* IMPORTANT !!! Place combofix.exe on your Desktop. Do not run it just yet; we will shortly.
======================================================
Disconnect from the internet
=======================================================
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
IE Custom Tools
IE Safety Features
Information Center
Windows Safety Alert
Those four above are rogue programs.
Viewpoint Media Player
Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
J2SE Runtime Environment 5.0 Update 12
Java(TM) 6 Update 2
Leave Java(TM) 6 Update 3 installed.
===================================================
Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.
====================================================
Safe Mode Scan
Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.
The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt) or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
====================================================
The following instructions are to be run in normal mode
====================================================
Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
====================================================
Run ComboFix
Go to Start → Run → paste in the single line command & click OK:
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
=======================================================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=======================================================
Reconnect to the internet and post the required logs
======================================================
Logs Required
C:\rapport.txt
C:\Combofix.txt
Hijackthis log
Also let me know how your system is behaving, thanks.
__________________
Member of ASAP since 2007. Member of UNITE since 2008.
**Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008; for more information please visit the No DPI website.
Phorm, previously known as 121Media, was responsible for the Apropos rootkit; see Here for more information on said rootkit.
If we have helped you in any way, please consider Donating.
#6
Registered User
Join Date: Oct 2007
Posts: 9
OS: xp
Re: HJT report for trojan-spy.win32@mx & TJ/BX
The computer is currently working much better!!!
The pop-ups have stopped, I can open multiple windows again, and the speed is well... up to speed! Attached are all the files you requested. Much thanks!!!!
btw, I did not realize LimeWire was on this computer. I will be removing it shortly =)
***************************************
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:03:17 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: KABE-Calendar.lnk = C:\Documents and Settings\Mat DiMond\My Documents\Downloads, Installers\KABE3E.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 7711 bytes

thanks!
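The HJT log above is what the helper reads before deciding what to remove. As an added example, not code from this thread, from HijackThis or from ComboFix, the Python below parses the O-numbered entries of an HJT log, flags the patterns an analyst checks first (add-ons with no name, entries whose target file is gone, anything loading from a directory already tied to the rogue software), and diffs an earlier log against a later one to show what a fix actually removed. The two log excerpts are copied from the 5:03 PM and 6:52 PM logs posted in this thread; the flagged directory is an assumption for the example, taken from where the first log loads the "IE Custom Tools" toolbar that the expert lists as rogue.

```python
"""HijackThis (HJT) log triage: parse O-entries, flag what an analyst checks
first, and diff a before-fix log against an after-fix log.

Added example; not code from the forum thread, from HijackThis or from
ComboFix. The log excerpts below are copied from the two HJT logs posted
in this thread, trimmed to a handful of entries.
"""
import re
from dataclasses import dataclass

# Every HJT finding is one line of the form "O<n> - <detail>", where the
# detail for add-ons and services is " - "-separated: name, CLSID, path.
ENTRY_RE = re.compile(r"^(O\d{1,2}) - (.*)$")

# Assumption for this example: directories the analyst has already tied to
# the rogue software. The expert in the thread lists "IE Custom Tools" as
# rogue, and the first log loads it from C:\Program Files\Video Add-on.
FLAGGED_DIRS = (r"c:\program files\video add-on",)


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O3", "O4", "O23", ...
    fields: tuple  # detail split on " - ", e.g. ("BHO: X", "{CLSID}", "C:\\x.dll")

    @property
    def path(self) -> str:
        """Last field: the file an add-on, button or service points at."""
        return self.fields[-1]

    @property
    def detail(self) -> str:
        return " - ".join(self.fields)


def parse_hjt(text: str) -> list:
    """Return the O-entries of an HJT log in order; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            fields = tuple(part.strip() for part in m.group(2).split(" - "))
            entries.append(Entry(m.group(1), fields))
    return entries


def reasons(entry: Entry, flagged_dirs=FLAGGED_DIRS) -> list:
    """Why an analyst would look twice at this entry; empty list means nothing stood out."""
    out = []
    # Browser helper objects (O2) and toolbars (O3) normally carry a product name.
    if entry.section in ("O2", "O3") and "(no name)" in entry.fields[0]:
        out.append("unnamed browser add-on")
    # A CLSID still registered but whose DLL is gone: an orphan worth cleaning.
    if entry.path == "(no file)":
        out.append("orphaned entry, target file missing")
    # Anything loading out of a directory already tied to the rogue software.
    if any(d in entry.path.lower() for d in flagged_dirs):
        out.append("loads from a directory tied to the rogue software")
    return out


def triage(text: str) -> dict:
    """Map each suspicious entry's detail string to the list of reasons."""
    result = {}
    for e in parse_hjt(text):
        r = reasons(e)
        if r:
            result[e.detail] = r
    return result


def removed_entries(before: str, after: str) -> list:
    """Entries present in the earlier log and absent from the later one."""
    after_set = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in after_set]


# Excerpts copied from the thread's two HJT logs (5:03 PM before the fix, 6:52 PM after).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:03:17 PM, on 10/25/2007
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:52:57 PM, on 10/25/2007
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    for detail, why in triage(BEFORE_LOG).items():
        print("BEFORE:", detail, "->", "; ".join(why))
    for e in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("REMOVED BY FIX:", e.section, e.detail)
    for detail, why in triage(AFTER_LOG).items():
        print("STILL PRESENT:", detail, "->", "; ".join(why))
```

Run against the excerpts, the diff shows exactly the two "Video Add-on" entries disappearing between the logs, while the unnamed BHO with "(no file)" survives the fix; that orphan is the kind of leftover a helper would normally clear in a follow-up, which is why the triage reports it separately from the rogue-directory hits.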
#7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 3,247
OS: XP
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Hello again
Please follow all instructions in the order in which they come; if you have any questions, please ask before proceeding.
---------------------------------------------------------------
Please do not attach your logs unless instructed to do so.
========================================================
Open Notepad and copy/paste the text in the quote box below into it:
Quote:
Referring to the picture above, drag CFScript into ComboFix.exe.
Follow the prompts, and post the resulting log, C:\ComboFix.txt
Warning: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
=====================================================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=======================================================
Logs Required
C:\Combofix.txt
Hijackthis log
#8
Registered User
Join Date: Oct 2007
Posts: 9
OS: xp
Re: HJT report for trojan-spy.win32@mx & TJ/BX
Here they are.

ComboFix 07-10-25.1 - Admin 2007-10-25 18:41:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Admin\Application Data\Viewpoint
C:\Documents and Settings\Admin\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Admin\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Admin\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Admin\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\ictmdl.dll
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\Viewpoint
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-24 16:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 16:52 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-24 16:52 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-24 16:52 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-24 16:52 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-24 16:52 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-24 16:52 2,932 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-24 12:08 <DIR> d-------- C:\Deckard
2007-10-12 12:00 <DIR> d-------- C:\Program Files\DivX
2007-09-29 13:31 19,552 --a------ C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2007-09-26 07:31 <DIR> d-------- C:\Program Files\The Weather Channel FW
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 20:47 --------- d-----w C:\Program Files\Java
2007-10-22 01:33 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-21 23:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 00:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-04 23:04 --------- d-----w C:\Program Files\Common Files\logishrd
2007-09-04 22:57 --------- d-----w C:\Program Files\Logitech
2007-09-04 19:18 --------- d-----w C:\Documents and Settings\Admin\Application Data\Grisoft
2007-09-04 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-31 16:07 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-08-30 21:19 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
2007-08-30 19:41 --------- d-----w C:\Program Files\iTunes
2007-08-30 19:41 --------- d-----w C:\Program Files\iPod
2007-08-30 19:40 --------- d-----w C:\Program Files\Common Files\Apple
2007-08-28 15:19 --------- d-----w C:\Program Files\Virtual ChemLab 2.5
2007-08-26 21:44 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-26 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-26 21:44 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster
2007-08-26 21:44 --------- d-----w C:\Program Files\Common Files\InstallShield
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 17:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
KABE-Calendar.lnk - C:\Documents and Settings\Admin\My Documents\Downloads, Installers\KABE3E.exe [2007-10-08 22:37:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-18 18:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-08-09 17:38:50 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 18:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 18:46:46 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-25 17:01
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:52:57 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\My Documents\Downloads, Installers\KABE3E.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\Trojan\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files