Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - trj

Pages: [1]

Tech Clinic / trojan.rootkit.h

« on: June 13, 2005, 04:59:38 AM »

this is the latest log from hijacthis

Logfile of HijackThis v1.99.1
Scan saved at 12:34:23 PM, on 6/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Babylon\Babylon.exe
C:\HJT\hijackthis.exe

O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - Global Startup: LightFrame 3.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

and the log from ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         12:51:30 PM, 6/8/2005
+ Report-Checksum:      EDB29879

+ Date of database:      6/8/2005
+ Version of scan engine:   v3.0

+ Duration:            9 min
+ Scanned Files:         17390
+ Speed:            31.19 Files/Second
+ Infected files:         21
+ Removed files:         20
+ Files put in quarantine:      20
+ Files that could not be opened:   0
+ Files that could not be cleaned:   1

+ Binder:      Yes
+ Crypter:      Yes
+ Archives:      Yes

+ Scanned items:
   C:\

+ Scan result:
   C:\configure32.exe/ss.exe -> Trojan.LowZones.d -> Error during cleaning
   C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@landing.domainsponsor[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Local Settings\Temp\Cookies\ayk!r!@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Local Settings\Temp\Cookies\ayk!r!@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\msdirectx.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\WINDOWS\system32\bot.exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWWHQJJD\bot[1].exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\scvhost.exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\TCPService2.exe -> Backdoor.Agent.bc -> Cleaned with backup
   C:\WINDOWS\system32\tksrv99.exe -> TrojanDownloader.Esepor.ac -> Cleaned with backup
   C:\WINDOWS\system32\uc1362.exe -> TrojanDownloader.Small.aqw -> Cleaned with backup
   C:\WINDOWS\system32\ucsi.exe -> Backdoor.Agent.bc -> Cleaned with backup
   C:\WINDOWS\system32\ucsl.exe -> TrojanDownloader.Small.aom -> Cleaned with backup
   C:\WINDOWS\system32\__delete_on_reboot__WStart.dll -> Backdoor.Agent.bc -> Cleaned with backup

::Report End

I couldn't run those online scans...computer froze again...I can't stay on the internet for a long time...
and the taskbar appears like safe mode...just the taskbar...although I restart in normal mode again it still appears like safe mode...

and one more thing...ewido didn't find anything but there are files in the quarantina folder...does it matter?

and thank you very very much

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Tech Clinic / trojan.rootkit.h

« on: June 09, 2005, 04:17:03 AM »

I am really hopeless...I don't know how I can explain...I used many antivirus programs such as norton, mcafee, kapersky, ad aware, avast...and they couldn't be able to remove the file msdirekx.sys.there are some serious problems which I think this trojan causes...I can't run regedit and task manager...there are messages popping up and warning about system...I cannot open my e-mails...and when I am connected to internet after a while my computer freezes and I had to restart it...

I did what I've told.I downloaded and saved hijacthis to a folder.I scanned and saved the log. here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 11:47:33 AM, on 6/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Babylon\Babylon.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cenkerdem.com/
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: LightFrame 3.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I didn't try to fix anything...and if it is not enough I scanned with ewido too...the log is...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         12:10:42 PM, 6/9/2005
+ Report-Checksum:      38295C0F

+ Date of database:      6/9/2005
+ Version of scan engine:   v3.0

+ Duration:            8 min
+ Scanned Files:         19558
+ Speed:            40.56 Files/Second
+ Infected files:         1
+ Removed files:         0
+ Files put in quarantine:      0
+ Files that could not be opened:   0
+ Files that could not be cleaned:   0

+ Binder:      Yes
+ Crypter:      Yes
+ Archives:      Yes

+ Scanned items:
   C:\

+ Scan result:
   C:\configure32.exe/ss.exe -> Trojan.LowZones.d -> Ignored

::Report End

I don't understand why it is shorter than hijacthis'
there is nothing I can do...hope I could explain my situation...I'm saying again; it is really hard for me to tell my problem in english...please help me...

ps: sorry about the complication yesterday...It was the same problem and I thought I should post there...

thanks...

Tech Clinic / SDbot worm (msdirectx.sys)

« on: June 08, 2005, 09:57:35 AM »

Log removed,

Please, Read this

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - trj

Tech Clinic / trojan.rootkit.h

Tech Clinic / trojan.rootkit.h

Tech Clinic / SDbot worm (msdirectx.sys)