#1
Hi. My computer is definitely infected by a trojan, malware or spyware. Whenever I open my computer, a balloon pops up from the taskbar saying that my computer is infected, and suddenly all these ads pop up and keep on opening new ones. I believe these processes that I see in the task manager are responsible: something like lssmon.exe, lssmgr.exe (may not be exactly the same), because when I close them the balloon disappears. Anyways, here is my HijackThis log, so please help me out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:14 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Opera\opera.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe ssvichosst.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! Antivirus avast!SamSs (avast!SamSs) - Unknown owner - D:\WINDOWS\system32\dllcaches.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4603 bytes

#2
Hello Mohi212. Welcome to CJ.

Disable CounterSpy so it does not block the fixes we make. Right click the tray icon and turn off CounterSpy.
----------
Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

Exit HijackThis.
----------
Go to Start > Run and type Notepad.exe then click OK. Copy and paste the following text within the code box into the new Notepad file.
Code:
@ECHO OFF
sc stop avast!SamSs
sc delete avast!SamSs
exit
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat, making sure that the Save as type field says All files. Next double click fixservice.bat to run it. A black box should open and close after a short time; this is normal. Do not continue until the black box has closed. Delete fixservice.bat from the Desktop.
----------
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Go to Start > Run and type notepad.exe then click OK. Copy the text in the Code box below and paste it into Notepad.
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Layersecurity Servicemonitor"=-
Next to File name: type fixme.reg. Use the dropdown box next to Save as type: and select All files. Save it to the Desktop. There should now be a file on the Desktop that looks like this. Double-click fixme.reg and allow it to merge with the Registry. You may not see anything happen, but give it a few seconds or so to finish. Now delete the fixme.reg file from the Desktop. Restart the computer.
----------
Now run a new HijackThis scan and post the log.
Important: When the log from HijackThis comes up in Notepad, before copying it, go to Format and click Word Wrap. Then copy and paste the log here.

#3
Hey, thanks for your help. But when I restarted the PC, the pop-ups are still opening and that balloon saying "spyware detected, click here to install anti-virus" is still appearing.

Anyways, here is the HijackThis log after the restart.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:35 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\wscntfy.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
F2 - REG:system.ini: Shell=explorer.exe ssvichosst.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4384 bytes

#4
Download Malwarebytes' Anti-Malware (MBAM)

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#5
This result is of the full scan. When I did the quick scan it detected an adware which I removed.

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

9/7/2008 2:21:54 AM
mbam-log-2008-09-07 (02-21-54).txt

Scan type: Full Scan (D:\|)
Objects scanned: 92811
Time elapsed: 38 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection, before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished, ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#7
Here is the ComboFix log. After restarting, while it was making the log, those pop-ups and the balloon appeared again.

Here it is.

ComboFix 08-09-05.02 - Burhan 2008-09-07 13:40:43.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.24 [GMT 5:00]
Running from: D:\Documents and Settings\Burhan\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Burhan\Cookies\burhan@ad.yieldmanager[1].txt
D:\Documents and Settings\Burhan\Cookies\burhan@antispywaremaster[2].txt
D:\Documents and Settings\Burhan\Local Settings\Temporary Internet Files\descript.ion
D:\setup.exe
D:\WINDOWS\system32\autorun.ini
D:\WINDOWS\system32\avpo0.dll
D:\WINDOWS\system32\SCVHSOT.exe
D:\WINDOWS\system32\setting.ini
D:\WINDOWS\system32\spool.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSNETMANAGERXP
-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 13:47 . 2008-09-07 13:47 <DIR> d--hs---- D:\FOUND.145
2008-09-06 13:10 . 2008-09-06 13:10 <DIR> d-------- D:\Program Files\XoftSpySE
2008-09-06 00:19 . 2008-09-06 00:19 <DIR> d--hs---- D:\FOUND.144
2008-09-05 23:07 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\system32\msupd32.exe
2008-09-05 22:29 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\system32\LSSMON.EXE
2008-09-05 22:29 . 2008-09-04 17:49 17,920 --a------ D:\WINDOWS\system32\LSASSMGR.EXE
2008-09-05 17:04 . 2008-09-05 22:41 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-09-05 17:04 . 2008-09-05 17:04 1,409 --a------ D:\WINDOWS\QTFont.for
2008-09-05 15:15 . 2008-09-07 13:48 0 --a------ D:\WINDOWS\system32\bsc32.dll
2008-09-05 15:14 . 2008-09-05 15:14 <DIR> d--hs---- D:\FOUND.143
2008-09-05 13:25 . 2008-09-05 13:25 <DIR> d--hs---- D:\FOUND.142
2008-09-05 00:39 . 2008-09-05 00:39 <DIR> d--hs---- D:\FOUND.141
2008-09-04 18:19 . 2008-09-04 18:19 <DIR> d-------- D:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-09-04 17:49 . 2008-09-05 23:37 741,376 --a------ D:\WINDOWS\divx32.dll
2008-09-04 17:49 . 2008-09-04 17:49 17,920 --a------ D:\WINDOWS\system32\srtsrv32.exe
2008-09-04 17:48 . 2008-09-05 12:40 741,376 --a------ D:\WINDOWS\system32\upd01.exe
2008-09-04 17:45 . 2008-09-04 17:45 <DIR> d--hs---- D:\FOUND.140
2008-09-04 07:11 . 2008-09-04 07:11 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\Yahoo!
2008-09-03 12:21 . 2008-09-03 12:21 <DIR> d--hs---- D:\FOUND.139
2008-09-01 20:51 . 2008-09-01 20:51 <DIR> d--hs---- D:\FOUND.138
2008-08-31 13:53 . 2008-08-31 13:53 <DIR> d--hs---- D:\FOUND.137
2008-08-28 23:04 . 2008-08-28 23:04 <DIR> d--hs---- D:\FOUND.136
2008-08-27 08:13 . 2008-08-27 08:13 <DIR> d--hs---- D:\FOUND.135
2008-08-27 00:54 . 2008-08-27 00:54 4,096 --a------ D:\WINDOWS\d3dx.dat
2008-08-26 10:33 . 2008-08-26 10:33 <DIR> d--hs---- D:\FOUND.134
2008-08-26 02:27 . 2008-08-26 02:27 <DIR> d--hs---- D:\FOUND.133
2008-08-26 01:07 . 2008-08-26 01:07 <DIR> d--hs---- D:\FOUND.132
2008-08-26 00:15 . 2008-08-26 00:15 <DIR> d--hs---- D:\FOUND.131
2008-08-25 23:13 . 2008-08-25 23:13 <DIR> d-------- D:\Program Files\Microsoft Encarta
2008-08-25 18:41 . 2008-08-25 18:41 <DIR> d--hs---- D:\FOUND.130
2008-08-25 17:09 . 2008-08-25 17:09 <DIR> d--hs---- D:\FOUND.129
2008-08-25 08:14 . 2008-08-25 08:14 <DIR> d--hs---- D:\FOUND.128
2008-08-25 06:09 . 2008-08-25 06:09 23,552 --a------ D:\Documents and Settings\Burhan\S87ekhV.exe
2008-08-25 06:00 . 2008-08-25 06:00 <DIR> d--hs---- D:\FOUND.127
2008-08-25 05:36 . 2008-08-25 05:36 <DIR> d--hs---- D:\FOUND.126
2008-08-24 23:36 . 2008-08-24 23:36 <DIR> d--hs---- D:\FOUND.125
2008-08-24 03:11 . 2008-08-24 03:11 <DIR> d--hs---- D:\FOUND.124
2008-08-23 12:06 . 2008-08-23 12:06 <DIR> d--hs---- D:\FOUND.123
2008-08-23 10:55 . 2008-08-23 10:55 <DIR> d--hs---- D:\FOUND.122
2008-08-23 08:38 . 2008-08-23 08:38 <DIR> d--hs---- D:\FOUND.121
2008-08-23 01:49 . 2008-08-23 01:49 <DIR> d--hs---- D:\FOUND.120
2008-08-22 18:20 . 2008-08-22 18:20 <DIR> d--hs---- D:\FOUND.119
2008-08-20 21:05 . 2008-08-20 21:05 <DIR> d-------- D:\spoolerlogs
2008-08-19 22:32 . 2008-08-19 22:32 <DIR> d--hs---- D:\FOUND.118
2008-08-19 22:12 . 2008-08-19 22:12 <DIR> d--hs---- D:\FOUND.117
2008-08-19 16:13 . 2008-08-19 16:13 <DIR> d--hs---- D:\FOUND.116
2008-08-18 03:50 . 2008-08-18 03:51 108 --a------ D:\Documents and Settings\Burhan\Application Data\netstat.bat
2008-08-17 09:54 . 2008-08-17 09:54 <DIR> d--hs---- D:\FOUND.115
2008-08-13 02:42 . 2008-08-13 02:42 <DIR> d--hs---- D:\FOUND.114
2008-08-12 16:17 . 2008-08-12 16:17 <DIR> d--hs---- D:\FOUND.113
2008-08-11 13:37 . 2008-09-05 22:31 0 --a------ D:\WINDOWS\system32\sc02.sc
2008-08-11 13:33 . 2008-08-11 13:33 <DIR> d--hs---- D:\FOUND.112
2008-08-11 10:55 . 2008-08-11 10:55 857,037 --a------ D:\WINDOWS\system32\CSRLT.EXE
2008-08-11 10:55 . 2008-08-11 10:55 857,037 --a------ D:\WINDOWS\MSBLT.EXE
2008-08-09 02:36 . 2008-08-09 02:36 <DIR> d--hs---- D:\FOUND.111
2008-08-08 21:17 . 2008-08-08 21:17 <DIR> d--hs---- D:\FOUND.110
2008-08-08 16:54 . 2008-08-08 16:54 <DIR> d--hs---- D:\FOUND.109
2008-08-08 02:35 . 2008-08-08 02:35 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\GlarySoft
2008-08-08 02:20 . 2008-08-08 02:20 <DIR> d-------- D:\Program Files\Glary Registry Repair
2008-08-08 00:18 . 2008-08-08 00:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-07 20:27 . 2008-08-07 20:27 <DIR> d-------- D:\Program Files\Internet Download Manager
2008-08-07 20:27 . 2008-08-07 20:27 <DIR> d-------- D:\Documents and Settings\Burhan\Application Data\IDM
2008-08-07 14:01 . 2008-08-07 14:01 <DIR> d--hs---- D:\FOUND.108
2008-08-07 01:26 . 2008-08-07 01:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 19:16 38,528 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-01 19:16 17,200 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 22:08 109,150 ----a-w D:\WINDOWS\system32\drivers\b88b9e8e.sys
2008-08-04 16:05 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 16:05 --------- d-----w D:\Documents and Settings\Burhan\Application Data\Malwarebytes
2008-08-04 16:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 16:24 499,712 ----a-w D:\WINDOWS\system32\msvcp71.dll
2008-07-30 16:24 348,160 ----a-w D:\WINDOWS\system32\msvcr71.dll
2008-07-29 22:43 --------- d-----w D:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-29 22:42 --------- d-----w D:\Program Files\Common Files\ACD Systems
2008-07-29 22:42 --------- d-----w D:\Program Files\ACD Systems
2008-07-21 16:50 --------- d-----w D:\Documents and Settings\Burhan\Application Data\uTorrent
2008-07-21 11:05 --------- d-----w D:\Program Files\uTorrent
2008-07-19 19:28 --------- d-----w D:\Documents and Settings\Burhan\Application Data\DMCache
2008-07-19 10:00 --------- d-----w D:\Program Files\Common Files\L&H
2008-07-17 13:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-17 01:11 --------- d-----w D:\Program Files\Ares
2008-07-16 23:15 --------- d-----w D:\Program Files\AdVantage
2008-07-09 22:08 41,984 --sh--r D:\WINDOWS\system32\dllcaches.exe
2008-06-27 21:05 33,576 ----a-w D:\Documents and Settings\Burhan\Application Data\GDIPFONTCACHEV1.DAT
2008-06-22 15:33 7,680 ----a-w D:\WINDOWS\system32\ff_vfw.dll
2008-06-22 15:33 60,273 ----a-w D:\WINDOWS\system32\pthreadGC2.dll
.

------- Sigcheck -------

2004-08-03 21:14 359040 1745b00fc1141404b28f4b94f69a8871 D:\WINDOWS\system32\drivers\tcpip.sys
2004-08-03 21:14 359040 1745b00fc1141404b28f4b94f69a8871 D:\WINDOWS\system32\dllcache\tcpip.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"Layersecurity Servicemonitor"="D:\WINDOWS\system32\LSSMON.EXE" [2008-09-05 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\firefox.exe]
"Debugger"=D:\Program Files\Mozilla Firefox\firefoxe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=D:\Program Files\Internet Explorer\iexplor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spoolsv.exe]
"Debugger"=D:\WINDOWS\system32\spool.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Ares\\Ares.exe"=
"D:\\Program Files\\AIM\\aim.exe"=
"D:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\Program Files\\Opera\\Opera.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"= 5000:TCP:AresChatServer

R2 dmsmbios;dmsmbios;D:\WINDOWS\system32\dmsmbios.sys [2001-05-31 16480]
R3 XIRLINK;IBM PC Camera;D:\WINDOWS\system32\DRIVERS\C-itnt.sys [1999-10-19 435655]
S0 SBHR;SBHR;D:\WINDOWS\system32\drivers\sbhr.sys [ ]
S1 b88b9e8e;b88b9e8e;D:\WINDOWS\system32\drivers\b88b9e8e.sys [2008-08-05 109150]
S3 AvFlt;Antivirus Filter Driver;D:\WINDOWS\system32\drivers\av5flt.sys [ ]
S3 SBRE;SBRE;D:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bd71c60-e76a-11dc-a790-00065b298742}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dd929e0-69d0-11dd-a9b5-00065b298742}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def7f600-a9a1-11dc-a733-00065b298742}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\explore\Command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Burhan\Application Data\Mozilla\Firefox\Profiles\419o3i2e.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - D:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations (Beta) -------
.
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 13:48:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

D:\Program Files\Internet Explorer\iexplor.exe [492] 0xFF7A8620
D:\WINDOWS\system32\LSASSMGR.EXE [1872] 0xFF832D60
D:\WINDOWS\system32\LSASSMGR.EXE [524] 0xFF8FD600

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-09-07 13:52:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 08:51:54

Pre-Run: 253,583,360 bytes free
Post-Run: 537,141,248 bytes free

216

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:52 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\taskmgr.exe
E:\ALL THE SOFTWARES\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4350 bytes
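The logs in this post carry several classic autostart indicators: a second executable on the system.ini Shell= line, a Run entry started straight out of system32, a service with an unknown owner, an AppInit_DLLs entry, Image File Execution Options "Debugger" redirects for the browsers and the spooler, and AutoRun commands on removable-drive mount points. The Python script below is an added example, not part of this thread and not code from HijackThis, ComboFix or their authors: it applies defender-side rules for those indicators to a constructed sample modelled on the thread's logs (the rule names, regexes and sample lines are this example's own) so that a reviewer gets a short list of what to look at instead of re-reading the whole log.

```python
"""Triage of HijackThis- and ComboFix-style log lines (added example, not
from this thread or from HijackThis/ComboFix). Rule names and the sample
log below are this example's own; the sample is constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # rule name (this example's own vocabulary)
    evidence: str   # the log line that triggered the rule
    detail: str     # what a reviewer should look at


# On Windows XP only explorer.exe belongs on the system.ini Shell= line.
EXPECTED_SHELL = {"explorer.exe"}

RE_HJT = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RE_REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RE_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
RE_MOUNT_CMD = re.compile(r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\[Cc]ommand - (?P<target>.+)$")
RE_O4_TARGET = re.compile(r'\]\s+"?(?P<target>.+?\.(?:exe|com|dll|bat|scr))(?:"|\s|$)', re.IGNORECASE)
RE_WINDIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:system32\\)?[^\\]+\.(?:exe|com|dll)$", re.IGNORECASE)


def _hjt_rules(code: str, body: str, line: str) -> list[Finding]:
    """Rules for HijackThis F2 / O4 / O23 lines."""
    out: list[Finding] = []
    if code == "F2" and "Shell=" in body:
        # Everything after explorer.exe on Shell= is started by winlogon at each logon.
        extra = [s for s in body.split("Shell=", 1)[1].split() if s.lower() not in EXPECTED_SHELL]
        if extra:
            out.append(Finding("shell-extra-exe", line, "Shell= also starts " + ", ".join(extra)))
    elif code == "O4":
        m = RE_O4_TARGET.search(body)
        if m and RE_WINDIR.match(m.group("target")):
            out.append(Finding("run-from-windir", line,
                               f"Run entry launches {m.group('target')} from the Windows directory; verify publisher"))
    elif code == "O23":
        if "(file missing)" in body:
            out.append(Finding("service-file-missing", line, "service binary no longer exists (stale entry)"))
        elif "Unknown owner" in body:
            out.append(Finding("service-unknown-owner", line, "service binary carries no recognised publisher"))
    return out


def _reg_rules(key: str, name: str, data: str, line: str) -> list[Finding]:
    """Rules for "name"=data lines under a ComboFix 'Reg Loading Points' key."""
    out: list[Finding] = []
    data = data.strip()
    if "image file execution options" in key and name.lower() == "debugger":
        # IFEO Debugger: every launch of <exe> is replaced by the named program.
        exe = key.rsplit("\\", 1)[-1]
        out.append(Finding("ifeo-debugger", line, f"launching {exe} is redirected to {data}"))
    elif name.lower() == "appinit_dlls" and data not in ("", '""'):
        out.append(Finding("appinit-dll", line, f"{data} is injected into every process that loads user32.dll"))
    return out


def triage(text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key for ComboFix-style sections."""
    findings: list[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_HJT.match(line):
            findings.extend(_hjt_rules(m.group("code"), m.group("body"), line))
        elif m := RE_REG_KEY.match(line):
            current_key = m.group("key").lower()
        elif m := RE_REG_VALUE.match(line):
            findings.extend(_reg_rules(current_key, m.group("name"), m.group("data"), line))
        elif (m := RE_MOUNT_CMD.match(line)) and "mountpoints2" in current_key:
            findings.append(Finding("mountpoint-autorun", line,
                                    f"{m.group('verb')} on a mounted drive runs {m.group('target')}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample modelled on the thread's HijackThis and ComboFix output (not a real scan).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe ssvichosst.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Layersecurity Servicemonitor] D:\WINDOWS\system32\LSSMON.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: avast! Antivirus avast!SamSs (avast!SamSs) - Unknown owner - D:\WINDOWS\system32\dllcaches.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=D:\Program Files\Internet Explorer\iexplor.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dd929e0-69d0-11dd-a9b5-00065b298742}]
\Shell\AutoRun\command - H:\ntde1ect.com
\Shell\open\Command - H:\ntde1ect.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.evidence}")
```

Run it as a script to print the findings; a saved log can be read in place of SAMPLE_LOG. The rules are heuristics: run-from-windir in particular also flags legitimate entries and is only a prompt to verify the file's publisher, while an IFEO Debugger or AppInit_DLLs entry that no installed security product accounts for is what the helper's fix script in the next post removes.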
#8
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
Code:
KillAll::
File::
D:\FOUND.145
D:\FOUND.144
D:\WINDOWS\system32\msupd32.exe
D:\WINDOWS\system32\LSSMON.EXE
D:\WINDOWS\system32\LSASSMGR.EXE
D:\WINDOWS\system32\bsc32.dll
D:\FOUND.143
D:\FOUND.142
D:\FOUND.141
D:\WINDOWS\system32\srtsrv32.exe
D:\WINDOWS\system32\upd01.exe
D:\FOUND.140
D:\FOUND.139
D:\FOUND.138
D:\FOUND.137
D:\FOUND.136
D:\FOUND.135
D:\FOUND.134
D:\FOUND.133
D:\FOUND.132
D:\FOUND.131
D:\FOUND.130
D:\FOUND.129
D:\FOUND.128
D:\Documents and Settings\Burhan\S87ekhV.exe
D:\FOUND.127
D:\FOUND.126
D:\FOUND.125
D:\FOUND.124
D:\FOUND.123
D:\FOUND.122
D:\FOUND.121
D:\FOUND.120
D:\FOUND.119
D:\spoolerlogs
D:\FOUND.118
D:\FOUND.117
D:\FOUND.116
D:\Documents and Settings\Burhan\Application Data\netstat.bat
D:\FOUND.115
D:\FOUND.114
D:\FOUND.113
D:\WINDOWS\system32\sc02.sc
D:\FOUND.112
D:\WINDOWS\system32\CSRLT.EXE
D:\WINDOWS\MSBLT.EXE
D:\FOUND.111
D:\FOUND.110
D:\FOUND.109
D:\FOUND.108
D:\Program Files\Internet Explorer\iexplor.exe
D:\WINDOWS\system32\LSASSMGR.EXE
D:\WINDOWS\system32\LSASSMGR.EXE
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Layersecurity Servicemonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spoolsv.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bd71c60-e76a-11dc-a790-00065b298742}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dd929e0-69d0-11dd-a9b5-00065b298742}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def7f600-a9a1-11dc-a733-00065b298742}]
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

#9
I am sorry man, but the ComboFix result file was 725 KB so I wasn't able to paste it over here, and so had to upload it as a .zip. Hope that's okay.

#10
Download OTMoveIt2 by OldTimer
Code:
[kill explorer]
D:\FOUND.145
D:\FOUND.144
D:\FOUND.143
D:\FOUND.142
D:\FOUND.141
D:\FOUND.140
D:\FOUND.139
D:\FOUND.138
D:\FOUND.137
D:\FOUND.136
D:\FOUND.135
D:\FOUND.134
D:\FOUND.133
D:\FOUND.132
D:\FOUND.131
D:\FOUND.130
D:\FOUND.129
D:\FOUND.128
D:\FOUND.127
D:\FOUND.126
D:\FOUND.125
D:\FOUND.124
D:\FOUND.123
D:\FOUND.122
D:\FOUND.121
D:\FOUND.120
D:\FOUND.119
D:\spoolerlogs
D:\FOUND.118
D:\FOUND.117
D:\FOUND.116
D:\FOUND.115
D:\FOUND.114
D:\FOUND.113
D:\FOUND.112
D:\FOUND.111
D:\FOUND.110
D:\FOUND.109
D:\FOUND.108
EmptyTemp
[start explorer]

Also let me know how things are now.