Hijack Log maybe a virus

Status
Not open for further replies.
Remove these:

O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)

O2 - BHO: (no name) - {8036D4D7-AAD3-4793-AB49-329E437155A8} - (no file)

O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe <-- delete this, then go to C:\WINDOWS\system32\kernels88.exe and delete it. You may need to boot into safe mode to do so.

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Dimon\LOCALS~1\Temp\88723218.exe

O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} -

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
After that, download this:
http://download.bleepingcomputer.com/sUBs/combofix.exe

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Run Cleanup!

Then post a new log.
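The removal list above follows a few recognisable patterns: O2/O3 registrations whose file no longer exists ("(no file)"), an O4 autostart under the RunServices key, an O4 entry launching an executable out of a Temp directory, and O16 ActiveX entries with no source URL. The script below is an added example (not part of this thread, not a HijackThis or ComboFix feature) that encodes those same rules as a small triage pass over HijackThis-style log lines. The sample log is constructed: the flagged lines are the entries quoted in the post, and the three benign lines (with placeholder CLSID and URL) are made up to show that the rules do not fire on normal entries.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: flagged lines mirror the entries quoted in the post above;
# the benign lines use placeholder CLSIDs/URLs and exist only to exercise the rules.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Dimon\LOCALS~1\Temp\88723218.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} -
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://example.invalid/control.cab
"""

# HijackThis sections whose "(no file)" suffix means an orphaned COM registration.
ORPHAN_SECTIONS = {"O2", "O3"}


def parse_entry(line: str) -> Tuple[str, str]:
    """Split 'O4 - HKLM\\..\\Run: [x] C:\\...' into ('O4', 'HKLM\\..\\Run: [x] C:\\...').

    Returns ('', line) for lines that are not HijackThis entries.
    """
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return "", line.strip()
    return m.group(1), m.group(2)


def classify(line: str) -> Optional[str]:
    """Return a reason string if the entry matches one of the post's removal patterns."""
    section, body = parse_entry(line)
    if not section:
        return None
    if section in ORPHAN_SECTIONS and body.endswith("(no file)"):
        return "orphaned registration: CLSID points at a file that no longer exists"
    if section == "O4":
        # RunServices is a Win9x-era autostart key; a fresh entry there on XP is suspect.
        if re.search(r"\\RunServices:", body, re.IGNORECASE):
            return "autostart via RunServices key"
        # Executables launched from a Temp directory are a classic dropper pattern.
        if re.search(r"\\Temp\\", body, re.IGNORECASE):
            return "autostart runs an executable from a Temp directory"
    if section == "O16" and body.rstrip().endswith("-"):
        return "ActiveX download entry with no source URL"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line and collect (entry, reason) pairs."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The rules are deliberately narrow: they reproduce what the helper flagged in this thread and nothing more, so a benign O4 entry for an antivirus product or an O16 entry with a real download URL passes through untouched.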
 
Every time on start-up, a Spybot window pops up about the registry and asks me to deny or approve some keys, I guess.
What should I do about that?
 
Post a screenshot of it if you can. Otherwise, write down the reg key it's wanting to deny/allow.
 
OK, will do. Do you have MSN or AOL so we can discuss this?
Thanks for helping me.
 
I do, but not installed at the moment. I just installed Vista Enterprise and I'm going through it as much as possible trying to find out errors, compat issues, etc.
 
OK, here is a screen of the message I get.
If I press Send or Don't Send, a virus window pops up.
If I press Debug, the screen just disappears for a couple of seconds, then appears back.
 
Here is a log:
"Dimon" - 07-02-03 19:26:54 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\Dimon\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\hosts


((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))


2007-02-03 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-02-03 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-02-03 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sun
2007-02-03 14:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\SampleView
2007-02-02 22:32 <DIR> d-------- C:\hijackthis
2007-02-02 21:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sonic
2007-02-02 21:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Real
2007-02-02 21:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\interMute
2007-02-02 21:39 718 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-02 19:27 <DIR> d-------- C:\DOCUME~1\Dimon\Application Data\Tenebril
2007-02-02 16:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-02-02 16:18 <DIR> d-------- C:\DOCUME~1\Dimon\.housecall6.6
2007-02-02 16:10 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2007-02-02 16:09 <DIR> d-------- C:\Program Files\Yahoo!
2007-02-02 16:09 <DIR> d-------- C:\Program Files\CCleaner
2007-02-02 16:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 16:01 307,200 --a-s---- C:\WINDOWS\system32\InterceptHelper.dll
2007-02-02 16:01 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-02-02 16:01 176,128 --a-s---- C:\WINDOWS\system32\Interceptor.dll
2007-02-02 16:01 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-02-02 16:01 <DIR> d-------- C:\Program Files\SpyCatcher 2006
2007-02-02 16:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Tenebril
2007-02-02 15:59 <DIR> d-------- C:\MessengerCtrlUninstall
2007-02-02 07:28 <DIR> d-------- C:\WINDOWS\WBEM
2007-02-02 07:28 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-02-02 07:27 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-02-02 07:26 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-02-02 07:24 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-02-01 19:53 6,034 --a------ C:\WINDOWS\system32\lnwin.exe
2007-02-01 19:53 6,034 --a------ C:\WINDOWS\system32\game4.exe
2007-02-01 19:53 6,034 --a------ C:\WINDOWS\system32\game2.exe
2007-02-01 19:53 6,034 --a------ C:\WINDOWS\system32\game1.exe
2007-02-01 19:53 50,578 --a------ C:\WINDOWS\system32\game3.exe
2007-02-01 19:53 35,730 --a------ C:\WINDOWS\system32\cAl20rt.exe
2007-02-01 19:53 169,472 --a------ C:\WINDOWS\system32\eziel.dll
2007-02-01 19:52 54,162 --a------ C:\WINDOWS\system32\game0.exe.exe
2007-02-01 19:52 35,730 --a------ C:\WINDOWS\system32\game5p.exe.exe
2007-01-12 18:29 <DIR> d-------- C:\Program Files\iTunes
2007-01-12 18:29 <DIR> d-------- C:\Program Files\iPod
2007-01-12 18:23 <DIR> d-------- C:\Program Files\Apple Software Update
2007-01-07 15:39 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-07 15:39 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-07 15:39 <DIR> d-------- C:\Program Files\DivX
2007-01-07 13:50 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-07 13:50 <DIR> d-------- C:\DOCUME~1\Dimon\Application Data\URSoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-03 19:25 -------- d-------- C:\Program Files\mozilla firefox
2007-02-02 19:33 -------- d-------- C:\Program Files\daemon tools
2007-02-02 16:08 -------- d-------- C:\Program Files\grisoft
2007-02-02 16:02 -------- d--h----- C:\Program Files\installshield installation information
2007-02-02 07:01 -------- d-------- C:\DOCUME~1\Dimon\Application Data\openoffice.org2
2007-02-01 21:41 -------- d-------- C:\Program Files\microsoft works
2007-02-01 21:41 -------- d-------- C:\Program Files\microsoft office2003
2007-02-01 20:53 -------- d-------- C:\Program Files\registry mechanic
2007-02-01 19:57 -------- d---s---- C:\DOCUME~1\Dimon\Application Data\microsoft
2007-01-28 00:24 -------- d-------- C:\DOCUME~1\Dimon\Application Data\adobe
2007-01-26 21:16 -------- d-------- C:\DOCUME~1\Dimon\Application Data\skype
2007-01-14 09:23 -------- d-------- C:\Program Files\mario forever
2007-01-12 18:54 -------- d-------- C:\Program Files\java
2007-01-12 18:27 -------- d-------- C:\Program Files\quicktime
2007-01-07 17:48 -------- d-------- C:\Program Files\tuneup utilities 2006
2007-01-07 15:13 -------- d-------- C:\Program Files\real
2007-01-07 15:07 -------- d-------- C:\Program Files\google
2006-12-27 17:21 -------- d-------- C:\DOCUME~1\Dimon\Application Data\divx
2006-12-18 19:28 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-12 11:30 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-12-12 11:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 11:30 20640 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-12-12 11:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 11:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 11:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 11:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 11:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 11:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 11:25 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-12 11:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-12-12 11:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 11:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-12-12 11:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 11:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 11:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 11:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 11:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 11:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-12-05 22:21 -------- d-------- C:\DOCUME~1\Dimon\Application Data\myspace
2006-12-03 13:31 -------- d-------- C:\Program Files\mp3 audio converter
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1146450863\\ee\\AOLSoftware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="interceptor.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B60787}"="DCOM Server 60787"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"DCOM Server 60787"="{2C1CD3D7-86AC-4068-93BC-A02304B60787}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#deskjet3600#TH39T1453D6B.job
C:\WINDOWS\tasks\WebReg 20040316183708.job
C:\WINDOWS\tasks\XoftSpy.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 8 bytes
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 8 bytes
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 8 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3

********************************************************************

Completion time: 07-02-03 19:40:42