Full Version: Malware Problems
pairednote
My PC got infected a couple of weeks ago with spyware, adware and viruses. I bought Kaspersky Internet Security to address the problem. When the software runs, it is able to disinfect the majority of the malware except Rootkit.Win32.Agent.jp and backdoor.win32.agent.bxx. Each time I restart my computer the problems start over again. I called Kaspersky and they suggested that I use Ad-Aware from Lavasoft. I downloaded Ad-Aware Pro 2007 earlier today and ran a scan. It found 156 infected items and proceeded to remove the majority except for 8 items that were described as critical. These items fall into two broad categories: 1. Win32.trojan.agent, categorized as malware with a TAI of 10 (don't know what that means), and 2. WinAntiSpyware with a TAI of 10. I believe my problems started when I erroneously clicked on an ad for this WinAntiSpyware and believe the sellers of this product (if it really exists) infected my computer. Can anyone help me please? Thank you.
LS CalamityJane
Thanks for posting your logs, pairednote

I'm going to copy and paste these into this post for easier reading and review. I'll be back with some steps to take as soon as I have had a chance to analyze these.

I'm now subscribed to this topic, so I will receive a notice from the board when you reply here and can respond much quicker. I'll be handling your malware removal problems for the duration of this topic.

Pasting in the logs attached above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:06 PM, on 10/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\Common Files\AOL\1101073791\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Sigmatel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINNT\ehome\ehSched.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\System32\wuauclt.exe
C:\Internet Security\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe -invisible
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101073791\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmwzd.exe] C:\WINNT\System32\dmwzd.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\System32\nouqgory.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ubaa] "C:\DOCUME~1\ADMINI~1\APPLIC~1\PPPATC~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [autoload] C:\WINNT\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
O4 - Startup: LBRP Auto-Select Default.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {521D3212-021E-4212-B5DA-26B25A954DC2} (VLLoadEdit.Edit) - https://live.lehman.com/GIS/Portal/SPT/CABs/VLLoadEdit.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190334175640
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static.../weblaunch2.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\Sigmatel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmker.exe (file missing)
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtepre.html

--
End of file - 9333 bytes


...........................

Web Anti-Virus : running
------------------------
Total scanned: 50
Detected: 2
Start time: 10/6/2007 1:33:07 PM
Duration: 00:31:29


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan.Win32.Agent.bck URL: http://82.98.235.78/netob/valera.exe?uid=3...370CD9CB742F44B
detected: Trojan program Trojan.Win32.BHO.hj URL: http://82.98.235.78/jaun/jaun_20070726.dll...370CD9CB742F44B


Events
------
Time Name Status Reason
---- ---- ------ ------
10/6/2007 1:36:27 PM URL: http://82.98.235.78/netob/valera.exe?uid=3...370CD9CB742F44B detected Trojan program 'Trojan.Win32.Agent.bck'
10/6/2007 1:36:27 PM URL: http://82.98.235.78/netob/valera.exe?uid=3...370CD9CB742F44B access denied
10/6/2007 1:36:31 PM URL: http://89.188.16.57/dw/aaafff/gepj.dll?uid...p;data=rollback ok iChecker
10/6/2007 1:36:50 PM URL: http://tamotua.com/ ok scanned
10/6/2007 1:37:16 PM URL: http://k8l.info/83122.html ok iChecker
10/6/2007 1:37:18 PM URL: http://ads.k8l.info/media/servlet/view/dyn...d=44&pid=67 ok scanned
10/6/2007 1:37:23 PM URL: http://www.top-banners.com/tmc/to.php?id=z44u ok iChecker
10/6/2007 1:37:26 PM URL: http://www.fun-photo.com/BanCon720.html ok scanned
10/6/2007 1:37:30 PM Script: <unknown> ok scanned
10/6/2007 1:37:30 PM Script: <unknown> ok scanned
10/6/2007 1:37:32 PM URL: http://ad.bannerconnect.net/imp?z=0&Z=...w=720&h=300 ok iChecker
10/6/2007 1:37:32 PM URL: http://ad.yieldmanager.com/imp?z=0&Z=0...w=720&h=300 ok scanned
10/6/2007 1:37:34 PM Script: <unknown> ok scanned
10/6/2007 1:40:12 PM URL: http://82.98.235.78/jaun/jaun_20070726.dll...370CD9CB742F44B detected Trojan program 'Trojan.Win32.BHO.hj'
10/6/2007 1:40:12 PM URL: http://82.98.235.78/jaun/jaun_20070726.dll...d=6615B0E0CDB64
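As an added illustration, not part of the original thread and not a Lavasoft or HijackThis tool, the script below applies the kind of review a helper does by eye on the log above to the O4 (Run keys), O17 (TCP/IP NameServer) and O23 (services) sections. It flags autostart entries with no path, entries running from a user profile directory, core system process names (smss.exe and friends) outside System32, rundll32 loading an arbitrary DLL, hard-set DNS servers in the registry, and services with no recorded publisher or a missing binary. The sample input is a constructed subset of the lines in the log above; the heuristics and the `Finding` structure are this example's own choices.

```python
"""HijackThis log triage (added example, not a Lavasoft/HijackThis tool).

Parses O4, O17 and O23 lines and reports entries that warrant a closer look,
with the reason. A hit is a prompt for review, not a verdict: legitimate
leftovers (an uninstalled driver's service, for instance) trip the same rules.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINNT\System32\nouqgory.dll",sitypnow
O4 - HKCU\..\Run: [ubaa] "C:\DOCUME~1\ADMINI~1\APPLIC~1\PPPATC~1\chkdsk.exe" -vt ndrv
O4 - HKCU\..\Run: [autoload] C:\WINNT\System32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\smss.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.195 85.255.112.139
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmker.exe (file missing)
"""

# Core Windows process names that legitimately live only in %SystemRoot%\System32.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
USER_PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
RUNDLL_RE = re.compile(r'"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    reasons: List[str] = field(default_factory=list)


def _executable(cmd: str) -> str:
    """Program part of a Run value: quoted token, else text up to the first .exe, else first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _check_run(name: str, cmd: str) -> Optional[Finding]:
    exe = _executable(cmd)
    low = exe.lower()
    parts = low.split("\\")
    base, parent = parts[-1], (parts[-2] if len(parts) >= 2 else "")
    reasons = []
    if base == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        if m:
            reasons.append(f"rundll32 loads {m.group(1)} export {m.group(2)}; confirm the DLL is known and signed")
    else:
        if "\\" not in exe:
            reasons.append("no path given; resolved via PATH search order")
        if any(marker in low for marker in USER_PROFILE_MARKERS):
            reasons.append("executable lives under a user profile directory")
        if base in CORE_SYSTEM32 and parent != "system32":
            reasons.append(f"{base} is a core system process name but is not in System32")
    return Finding("O4", name, reasons) if reasons else None


def _check_dns(key: str, servers: str) -> Finding:
    reasons = ["NameServer is hard-set in the registry rather than DHCP-assigned; compare with what your ISP/router hands out"]
    public = []
    for ip in servers.split():
        try:
            if not ipaddress.ip_address(ip).is_private:
                public.append(ip)
        except ValueError:
            reasons.append(f"unparseable NameServer value {ip!r}")
    if public:
        reasons.append("public resolver(s) " + ", ".join(public) + " see every name lookup from this PC")
    return Finding("O17", key, reasons)


def _check_service(display: str, owner: str, path: str) -> Optional[Finding]:
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if "(file missing)" in path.lower():
        reasons.append("service registered but binary not on disk (malware remnant or stale uninstall)")
    return Finding("O23", display, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O4/O17/O23 line; clean lines yield nothing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            f = _check_run(m.group(2), m.group(3))
        elif (m := O17_RE.match(line)):
            f = _check_dns(m.group(1), m.group(2))
        elif (m := O23_RE.match(line)):
            f = _check_service(*m.groups())
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the Kaspersky Run key and service pass silently while the other entries each produce a finding; the O17 hit is the one that explains why step 1 below ends with a note about switching the connection back to "Obtain DNS servers automatically" if there are connection problems afterwards.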
LS CalamityJane
This machine is quite a mess. You need to be aware of the implications of both the rootkit infection and a backdoor trojan (aka RAT or "remote access trojan"), as your PC may have been compromised by a remote attacker. This is very serious, and the most prudent action after an infection of this nature would be to reformat and reinstall to ensure that no hidden files or changes to the system that would allow the attacker back in are present.

One thing that I notice is that you do not have SP2 installed for your XP or IE. This leaves your computer extremely vulnerable to exploit by a remote attack or malware just waiting to infect you if you should visit a malicious website. It is not advisable to upgrade to SP2 while this machine is infected but this is something that needs to be addressed as soon as we get this PC cleaned up (or windows reinstall if that is an option for you).

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/sec.....;/virusrat.mspx

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

It's a trivial matter to clean up the rootkit itself and the remote access trojan; most rootkits and all botnet clients are Remote Access Trojans (RATs).

A RAT is a program that allows a remote user to connect to the computer and issue commands.

Unless you can be sure that a remote user did not connect to the machine and run commands on it (which is almost always impossible to ascertain), you cannot know what damage the bad guy has done above and beyond installing the rootkit.

That unknown is what accounts for the recommendation to rebuild the machine.

What is a rootkit? In the simplest of terms, it is technology to hide an attacker's tools. Rootkits can prevent detection and removal and, in some cases, attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community...tip/st1005.mspx


Some helpful info if you choose that is the route you want to take to be safe:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

And this because there were some trojans that steal data off of the compromised PC - you should change all accounts, passwords, etc. See this FAQ:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

........................
If you should choose to try to clean, I can't make any guarantees that the removal of this malware will be complete or will reverse any changes made that we can't see; it is entirely at your own risk. It is common for trojans such as Agobot or SDbot to do much damage on a computer or make removal impossible.

These would be the steps to follow if you do choose to try to clean or cannot reformat/reinstall.

1. Please download FixwareOut from one of the following sites:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

Note: ONLY if you have connection problems after performing above steps - go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
..................................
2. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
............................
3. Finally, we'll use this free tool to remove known malware and to generate a comprehensive diagnostic log for review.

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


2. Double click on combofix.exe & follow the prompts.

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you, Combofix.txt. Post that log in your next reply.
.....................

Once you have finished the above steps, there will be more to do. So please as a final step, scan once more with HijackThis and post a fresh HijackThis log in addition to the new logs requested above.
pairednote
Thank you LS CalamityJane. My problems appear much more severe than I anticipated. I think I am just going to buy a new machine if there is no way of guaranteeing full safety on my current machine even if rebuilt. A few questions before I abandon this machine - Can I safely copy my critical files (Word, PowerPoint, Excel, iTunes library etc.) without risk of transferring infections on this machine to a new machine? If so, what would you recommend as the most efficient and safest way? Copying onto discs or emailing files to myself and then downloading? How can I prevent this type of disaster in the future? One final question - there is a message on my computer which tells me that "an unauthorized access was gained to my computer". Is there any way for an attacker to have access to my PC if I am not connected to the internet? Thanks a lot!
LS CalamityJane
QUOTE(pairednote @ Oct 10 2007, 01:10 AM)
I think I am just going to buy a new machine if there is no way of guarantying full safety on my current machine even if rebuilt.

No, you misunderstood. Cleaning this PC in its current state isn't good enough, but you CAN rebuild the machine with a reformat/reinstall of the operating system. You should back up any data files you want to save (and put them on external media). Those saved files should be scanned with an up-to-date antivirus program before loading them onto the new install.

By far, the largest problem here is that the machine had no windows updates! That left it wide open to exploit. Once you reinstall windows, enable the windows firewall before going online and the very next step should be to get SP2 and then again go to Windows update to get all critical security updates following the install of SP2.

You should also upgrade your IE version to IE7 as that is much more secure than IE6. Once you are sure you have all critical security updates for both your operating system, IE and for any other installed applications, make sure you have a current up to date antivirus program installed. Install any other security programs you have (Ad-Aware, etc.) Scan your backed up data to make sure none were compromised or infected before you put them on the newly installed Windows operating system. All programs and software applications should be installed from original media and not from backups. My links provided in my first reply to you should give you some idea of what needs to be done regarding a reformat/reinstall but if that is intimidating or a procedure you are not familiar with, enlist the help of a knowledgeable friend or even a local repair shop. You'll need your original installation CD or recovery CDs provided with the machine. Once you have done that, and gotten all the updates for it you should be able to use it with trust at that point.

Its current state doesn't recommend cleaning, but the reformat/reinstall should return it to its original factory state, and you can then take the necessary steps to secure it properly before using it for any other activities. SP2 on an XP machine is positively critical for keeping it clean and reliable. You should make sure you also have any other critical security updates as well. Those come out once a month from Microsoft (usually on the 2nd Tuesday of each month).

Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.

Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
LS CalamityJane
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !