SUSPECTED TROJAN!


72 replies to this topic

#21 guestolo (Site Donator, Admin, 16,247 posts)

Posted 02 September 2006 - 12:43 PM

Can you create a .reg file please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy all the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]
"WinHeight"="8000"
"WinWidth"="9780"
"AutoSelect"="0"
"Confirm"="1"
"MakeBackup"="1"
"IgnoreSafe"="1"
"LogProcesses"="1"
"ShowIntroFrame"="1"
"DefStartPage"="about:blank"
"DefSearchPage"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"DefSearchAss"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"DefSearchCust"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"IgnoreNum"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"F-StopW"="C:\\Programmi\\FSI\\F-Prot\\F-StopW.EXE"
"FRISK FP-Scheduler"="C:\\Programmi\\FSI\\F-Prot\\F-Sched.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"!ewido"="\"C:\\Programmi\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Double click on fix.reg and allow to add/merge to the registry

==Download DelDomains.inf from HERE
Save it to desktop
If using a browser such as Firefox, Right click on that link and choose "Save link as.."

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard


folders to delete:
C:\Program Files\DSB
C:\Program Files\E-nrgyPlus
C:\Program Files\SHA256
C:\Program Files\WIZZ



Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Can you check and set the following
1. Open Microsoft Internet Explorer.
2. Click Tools > Internet Options.
3. Click the Security tab.
4. Click the Internet Icon.
5. Click Default Level.
6. Click the Local Intranet Icon.
7. Click Sites.
8. Remove any Web sites from the list that you do not recognise or do not trust.
9. Click Default Level.
10. Click the Trusted sites Icon.
11. Click on Sites.
12. Remove any Web sites from the list that you do not recognise or do not trust.
13. Click Default Level.
14. Click the Restricted sites Icon.
15. Click Default Level on lower right corner of the window.
16. Click OK on lower right corner of the window.

You have SpywareBlaster 3.4 installed
Can you open it please, under Protection>>Disable ALL Protections
Access your Add/remove programs and remove all the following
My Search Bar
SpywareBlaster v3.4


I haven't seen the next one before; if you didn't purposely install it, remove it
haka2 Screen Saver

Finally remove Spybot - Search & Destroy 1.3
Reboot the computer afterwards

Back in Windows
*Install SpywareBlaster 3.5.1 by JavaCool *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Get the newest version of Spybot
Download and Install Spybot 1.4 from
HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process

Back in Windows

This entry in your combofix log indicates you have changed your desktop background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.htmb.it/m...ags/russia.gif"
Did you change to this on purpose?
If not, can you do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Uncheck Everything here except for Pagina iniziale corrente if it is selected
OK your way out

Your uninstall list indicates you have Sygate's personal pro installed
Have you disabled it??
If not, it may be corrupt, access your add/remove programs and remove it
Reboot the computer afterwards
We can replace or reinstall it
Let me know if you paid for this please
Can you post back all the following

1. The log from Avenger
2. A fresh hijackthis log
3. Can you also double click on Export.bat again and post the contents

Can you also delete blbeta.exe from desktop
Try redownloading it again per instructions
Download and save to desktop
F-Secure Blacklight(blbeta.exe)

Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".

EDIT>>Don't worry about the desktop.ini files you're seeing right now
We have shown hidden files and folders
You normally wouldn't see them, we'll cover these up later

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#22 joy (Member, 94 posts)

Posted 03 September 2006 - 06:29 AM

Well...
DelDomains.inf doesn't work...It says it can't install...
I deleted and re-installed blbeta.exe, but it always says the same thing...It can't work...

Fresh Hijack logfile:

Logfile of HijackThis v1.99.1
Scan saved at 14.27.38, on 03/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\Programmi\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programmi\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Apri immagine in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1040\phdintl.dll/phdContext.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130251960698
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{346CE3E6-CEFF-487D-8062-41622532CFC9}: NameServer = 212.216.172.62,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E23121B-051B-4265-97D3-DE26F9093EA0}: NameServer = 85.37.17.6 85.38.28.89
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe

Avenger logfile:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aysiatsr

*******************

Script file located at: \??\C:\WINDOWS\System32\pquavwoh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\Program Files\DSB not found!
Deletion of folder C:\Program Files\DSB failed!

Could not process line:
C:\Program Files\DSB
Status: 0xc0000034



Folder C:\Program Files\E-nrgyPlus not found!
Deletion of folder C:\Program Files\E-nrgyPlus failed!

Could not process line:
C:\Program Files\E-nrgyPlus
Status: 0xc0000034



Folder C:\Program Files\SHA256 not found!
Deletion of folder C:\Program Files\SHA256 failed!

Could not process line:
C:\Program Files\SHA256
Status: 0xc0000034



Folder C:\Program Files\WIZZ not found!
Deletion of folder C:\Program Files\WIZZ failed!

Could not process line:
C:\Program Files\WIZZ
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Export text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Soeperman Enterprises Ltd.\HijackThis]
"WinHeight"="8000"
"WinWidth"="9780"
"AutoSelect"="0"
"Confirm"="1"
"MakeBackup"="1"
"IgnoreSafe"="1"
"LogProcesses"="1"
"ShowIntroFrame"="1"
"DefStartPage"="about:blank"
"DefSearchPage"="http://www.microsoft...ie&ar=iesearch"
"DefSearchAss"="http://ie.search.msn...t/srchasst.htm"
"DefSearchCust"="http://ie.search.msn...t/srchcust.htm"
"IgnoreNum"="0"

#23 guestolo (Site Donator, Admin, 16,247 posts)

Posted 03 September 2006 - 09:13 AM

Are things running better now?
Did you remove Sygate's firewall from add/remove programs?

Can you create another .reg file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy all the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix2.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Double click on fix2.reg and allow to add/merge to the registry

Reboot your computer
Back in Windows

Open SpywareBlaster 3.5.1, we will have to re-enable its protections
Click on Protections>>Enable All Protections
When done you can exit

Can you ensure you disable F-Prot's realtime protector temporarily please
try Blacklight one last time
If it still won't work

Can I see if you can run another tool
Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



#24 joy (Member, 94 posts)

Posted 04 September 2006 - 03:42 AM

Well...I really don't know if my Real Time Protector is disabled, but Blacklight is still out of order!
This is my Gmer logfile:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-04 11:36:29
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F50A7143

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{D8D61582-A32E-4FC7-B9FB-F25421AFB0AB}
File C:\WINDOWS\teifk1.dll
File C:\WINDOWS\teifk1.upd

---- EOF - GMER 1.0.10 ----

Do I have to keep saved both of the fix.reg files?
Thanks

#25 guestolo (Site Donator, Admin, 16,247 posts)

Posted 04 September 2006 - 08:13 AM

Do I have to keep saved both of the fix.reg files?

No, you can right click on them and delete them

GMER showed a couple files that we should deal with
Can I see another log from GMER please
This is an instant log,