Mischel Internet Security Forum
Malware
Trojans
Topic: Help required!  (Read 4635 times)
Sandiego30
Newbie
Posts: 18
Help required!
« on: Sep 19th, 2006, 3:48pm »

Hi,
 
Hopefully someone can help me. On a recent reinstall I have unfortunately been infected with a trojan/virus which is affecting my web browsing and also allows popups even though I run PCGuard (supplied by Telewest Blueyonder).
 
I have run various programs including TrojanHunter, Spysweeper and Spybot, all of which have caught and deleted an element of the problems; however, I am not sure if the system is now completely clean.
 
It would be great if someone could help me establish whether my system is clean to put my mind at rest, and also set it up for the future so that no more critters get on my system.
 
Thanks in advance
 
Sandiego30
siliconman01
Global Moderator
Posts: 5815
Re: Help required!
« Reply #1 on: Sep 19th, 2006, 4:00pm »

Welcome to the forum, Sandiego30.
 
We'll surely try our best to assist you in getting cleaned up and then we'll provide some additional guidance to help you stay clean.
 
Please go to the link below and download Hijackthis 1.99.1.  Install it in its own folder on your hard drive...such as a folder at C:\Program Files\Hijackthis (Hijackthis is the name of the new folder).  
 
http://www.majorgeeks.com/download3155.html
 
Once you get HJT installed, please rename Hijackthis.exe to a new name of your choice...such as AnalyzeMe.exe.  The reason for this is that some of the new malware fools Hijackthis.exe itself...so we fool the malware by renaming Hijackthis.exe.
 
Then run a Hijackthis scan and post the scan log back here.  We'll examine it and see what is hanging around that should not be there.
 
If it's a really long scan log, you might have to break it into 2 posts because this forum has a length restriction per post.
 
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Sandiego30
Newbie
Posts: 18
Re: Help required!
« Reply #2 on: Sep 20th, 2006, 3:37pm »

Hi siliconman01,
 
Thanks for the quick response. As requested, please find below the HijackThis scan; I renamed the .exe as asked. I look forward to your help.
 
Regards
 
Sandiego30
 
 
Logfile of HijackThis v1.99.1
Scan saved at 21:29:03, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
E:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
E:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
e:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\NETGEAR\WG111T\wlan111t.exe
E:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
e:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
e:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\Analyzeme.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C8944BB-6C92-41DC-94FA-8276C3C908E4} - (no file)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {3C5187D8-5D0C-4F6F-BE82-887BAC79F3C0} - (no file)
O2 - BHO: (no name) - {523C4D2D-235A-430C-BF45-A20609431F21} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: (no name) - {72C1D5FE-92C8-4A29-8F3B-D422080F2256} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B1EE846-2C6B-4B55-ADE4-36C0F9E650EC} - (no file)
O2 - BHO: (no name) - {8FEC26D3-45F9-4265-8AA1-74121A577F57} - (no file)
O2 - BHO: (no name) - {9D2532BE-9DDC-43CA-8ED1-D2EE04750D8F} - (no file)
O2 - BHO: (no name) - {AA43F0BD-3131-45FA-9668-E353DBC911D2} - C:\WINDOWS\system32\gebyx.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3F8ADCE-5365-43BB-9543-D7EA6A106696} - (no file)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\jcfsfcsj.dll
O2 - BHO: (no name) - {E639A1CC-942F-4EE6-90EB-EED6EF113C2C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IntelliType] "e:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dmaky.exe] C:\WINDOWS\system32\dmaky.exe
O4 - HKLM\..\Run: [PCguard] "e:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkypeClient] "E:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154465413254
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E8AE6-5C48-419F-A8FB-824B8D5BCC24} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F69D37-221D-4DA7-984C-125518404C79} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABFF1CB-5915-4C23-8AA2-71EDF45814A2} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winftx32 - winftx32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - E:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
siliconman01
Global Moderator
Posts: 5815
Re: Help required!
« Reply #3 on: Sep 20th, 2006, 4:34pm »

Okay, there are some remnants left from the cleaning that your anti-trojan/anti-spyware program(s) performed.  So let's get rid of some of the obvious stuff first.
 
Please run another HiJackthis scan.  When the scan is completed, place a checkmark in the boxes next to the following items.  BE SURE that only these items are checkmarked:
 
O2 - BHO: (no name) - {2C8944BB-6C92-41DC-94FA-8276C3C908E4} - (no file)  
 
O2 - BHO: (no name) - {3C5187D8-5D0C-4F6F-BE82-887BAC79F3C0} - (no file)
 
O2 - BHO: (no name) - {523C4D2D-235A-430C-BF45-A20609431F21} - (no file)  
 
O2 - BHO: (no name) - {72C1D5FE-92C8-4A29-8F3B-D422080F2256} - (no file)
 
O2 - BHO: (no name) - {7B1EE846-2C6B-4B55-ADE4-36C0F9E650EC} - (no file)  
 
O2 - BHO: (no name) - {8FEC26D3-45F9-4265-8AA1-74121A577F57} - (no file)  
 
O2 - BHO: (no name) - {9D2532BE-9DDC-43CA-8ED1-D2EE04750D8F} - (no file)
 
O2 - BHO: (no name) - {B3F8ADCE-5365-43BB-9543-D7EA6A106696} - (no file)  
 
O2 - BHO: (no name) - {AA43F0BD-3131-45FA-9668-E353DBC911D2} - C:\WINDOWS\system32\gebyx.dll (file missing)  
 
O2 - BHO: (no name) - {B3F8ADCE-5365-43BB-9543-D7EA6A106696} - (no file)
 
O2 - BHO: (no name) - {E639A1CC-942F-4EE6-90EB-EED6EF113C2C} - (no file)  
 
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)  
 
O20 - Winlogon Notify: winftx32 - winftx32.dll (file missing)  

 
Once the above are checkmarked, click on Fixed Checked on the bottom left of the HJT window.  Confirm that you want these fixed and let HJT FIX them.
 
Close HJT and REBOOT your computer.
 
After the reboot:
 
1.  Please go to the link below and follow the procedure to make all your files and folders visible.  
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Then locate the following two files and submit them to Mischel Internet Security for analysis.  The procedure for submitting is shown in the link below.
 
jcfsfcsj.dll  (located in C:\Windows\System32)
 
dmaky.exe (located in C:\Windows\System32)

 
I feel certain the jcfsfcsj.dll is a malicious element.  dmaky.exe is suspicious.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
3.  Go to the link below and download UNLOCKER.  Install it in its own folder on your hard drive.
 
http://ccollomb.free.fr/unlocker/
 
4.  Once you get the above completed, please run another HJT scan and post the scan results back here.  We have some more work to do.
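The triage the moderator performs on the log above, written out as an added example (this is not code from the thread or from HijackThis): entries marked "(no file)" or "(file missing)" are dead references left behind by the earlier cleanup and are what HJT is asked to fix, while entries that still load a present file from system32 under an unfamiliar name are the ones to submit for analysis rather than fix blindly. The sample lines are copied from the posted log; the allowlist of recognised system32 names is an assumption for the example and would be built from the machine's installed software in practice.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis 1.99.1 log
# posted in the thread (entries copied from it; not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C8944BB-6C92-41DC-94FA-8276C3C908E4} - (no file)
O2 - BHO: (no name) - {AA43F0BD-3131-45FA-9668-E353DBC911D2} - C:\WINDOWS\system32\gebyx.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\jcfsfcsj.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dmaky.exe] C:\WINDOWS\system32\dmaky.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winftx32 - winftx32.dll (file missing)
"""

# HJT prefixes each finding with a section code (R0, O2, O4, O17, O20, ...).
ENTRY = re.compile(r"^([RFNO]\d+)\s+-\s+(.*\S)\s*$")

# A file loaded from the Windows system32 directory: capture its bare name.
SYSTEM32_FILE = re.compile(r'[a-z]:\\[^"\s]*?\\system32\\([^"\s\\]+\.(?:exe|dll))\b', re.I)

# Per-machine allowlist of system32 autostarts the owner recognises. This is
# an assumption for the example; on a real machine it comes from knowing what
# is installed, not from guessing.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "nerocheck.exe", "wgalogon.dll"}


def parse_entries(log_text):
    """Return (section, body) pairs for every finding line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _is_dead(body):
    return body.endswith("(no file)") or body.endswith("(file missing)")


def dead_references(entries):
    """Entries whose target is gone: HJT prints '(no file)' or '(file missing)'.

    The BHO or Winlogon Notify key still exists but the file it pointed at was
    already removed by an earlier cleanup, so the registry entry itself is
    what remains to be fixed, as reply #3 asks.
    """
    return [f"{sec} - {body}" for sec, body in entries if _is_dead(body)]


def unfamiliar_system32_loads(entries):
    """Entries that still load a present file from system32 whose filename is
    not on the allowlist: candidates for submission and analysis (in the
    thread, jcfsfcsj.dll and dmaky.exe)."""
    found = []
    for sec, body in entries:
        if _is_dead(body):
            continue  # already covered by dead_references()
        m = SYSTEM32_FILE.search(body)
        if m and m.group(1).lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
            found.append((sec, m.group(1)))
    return found


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("Fix in HJT (dead references):")
    for e in dead_references(entries):
        print("  ", e)
    print("Submit for analysis (present, unfamiliar system32 files):")
    for sec, name in unfamiliar_system32_loads(entries):
        print(f"   {sec}: {name}")
```

The split matters: a dead reference is harmless to fix because nothing is loaded any more, whereas a present file with an unfamiliar name is evidence and should be kept for analysis before it is deleted.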
Sandiego30
Newbie
Posts: 18
Re: Help required!
« Reply #4 on: Sep 20th, 2006, 6:20pm »

Hi siliconman01,
 
New HJT scan below. I have also submitted the jcfsfcsj.dll as requested; however, there is no sign of dmaky.exe on my system (maybe it was cleaned up by the fix from HJT). Also, Unlocker is installed and ready to go.
 
Look forward to your help
 
Regards
 
Sandiego30
 
Logfile of HijackThis v1.99.1
Scan saved at 00:18:20, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
E:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
E:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Skype\Phone\Skype.exe
e:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
e:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
e:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
E:\PROGRA~1\WINZIP\wzqkpick.exe
e:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\HijackThis\Analyzeme.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\jcfsfcsj.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IntelliType] "e:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dmaky.exe] C:\WINDOWS\system32\dmaky.exe
O4 - HKLM\..\Run: [PCguard] "e:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "e:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkypeClient] "E:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154465413254
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E8AE6-5C48-419F-A8FB-824B8D5BCC24} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F69D37-221D-4DA7-984C-125518404C79} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABFF1CB-5915-4C23-8AA2-71EDF45814A2} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - E:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
 
 
siliconman01
Global Moderator
Posts: 5815
Re: Help required!
« Reply #5 on: Sep 21st, 2006, 12:13am »

Going good thus far.
 
Please reboot your computer into SAFE MODE.  
 
1.  Locate the file jcfsfcsj.dll again.
 
2.  Right click on it and select Unlocker from the menu.
 
3.  In the box that appears, select Delete All and then click on OK to delete this file.  This file should now be gone.
 
4.  Run another HJT scan and FIX the two items below.
 
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\jcfsfcsj.dll (file missing)
 
O4 - HKLM\..\Run: [dmaky.exe] C:\WINDOWS\system32\dmaky.exe

 
5.  Reboot back into Normal Mode
 
6.  Update the definitions for TrojanHunter to the latest rulesets.  Note:  If you are running the trial version, please manually update to the latest rulesets via the link below:
 
http://www.misec.net/trojanhunter/updating/
 
Then run a FULL Scan with TH scanner and let it fix what it finds if anything.  
 
7.  Run another HJT scan and post a new scan log.  Also let me know if and what TH scanner did.  Post its log if it found and cleaned something.  
 
 
Sandiego30
Newbie
Posts: 18
Re: Help required!
« Reply #6 on: Sep 21st, 2006, 2:27pm »

Hi,
 
Points 1 to 7 completed; please find below the HJT scan and TrojanHunter scan results.
 
HJT Scan
 
Logfile of HijackThis v1.99.1
Scan saved at 20:25:16, on 21/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
E:\Program Files\blueyonder\PCguard\Rps.exe
E:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Skype\Phone\Skype.exe
e:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\NETGEAR\WG111T\wlan111t.exe
E:\Program Files\WinZip\WZQKPICK.EXE
e:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
e:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\TrojanHunter 4.5\TrojanHunter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\Analyzeme.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IntelliType] "e:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCguard] "e:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkypeClient] "E:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154465413254
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E8AE6-5C48-419F-A8FB-824B8D5BCC24} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F69D37-221D-4DA7-984C-125518404C79} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABFF1CB-5915-4C23-8AA2-71EDF45814A2} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14} : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - E:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
TH Scan results
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\ATI.ACE.SDK.dll
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\CLI.Component.Eeu.dll
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\CLI.Component.SDK.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.kor.dll
No trojan files found
 
Speak Soon
 
Sandiego30  Smiley
siliconman01
Global Moderator
Re: Help required!
« Reply #7 on: Sep 21st, 2006, 4:36pm »
Wonderful!  Your HJT scan is clean.  Wink
 
I assume that these entries are for your ISP DNS Server, correct?  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14}  : NameServer = 85.255.115.5,85.255.112.24  
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E8AE6-5C48-419F-A8FB-824B8D5BCC24}  : NameServer = 85.255.115.5,85.255.112.24  
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F69D37-221D-4DA7-984C-125518404C79}  : NameServer = 85.255.115.5,85.255.112.24  
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABFF1CB-5915-4C23-8AA2-71EDF45814A2}  : NameServer = 85.255.115.5,85.255.112.24  
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24  
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14}  : NameServer = 85.255.115.5,85.255.112.24  
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24  
 
If you do not recognize these IP numbers, then please check with your ISP and ensure that they are valid.  
 
Other than that, everything is okay.  No critters showing up at all.  Is your system running okay?  No detections/alerts by other security programs on your system?    
 
The scan log for TrojanHunter looks fine too.  The double extensions are all valid and okay.  You can "silence" these log displays by unchecking the very last option under the Option icon in the TrojanHunter scanner....."Log executable files with double extensions".  TH still scans them for malicious elements; it just does not log an alert that it found a double extension.  
 
Please post back as to the above questions and also any other items you wish to discuss.  Then we can move on to the second part.... recommendations for improving security.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
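Added example, not code from the thread or from TrojanHunter: a small triage heuristic that shows why every warning in the scan log above is a harmless dotted .NET/driver name, and what a genuine double-extension lure looks like. The extension lists, the risk labels and the constructed sample paths (the `.jpg.exe` one is invented) are my assumptions, not anything the scanner itself uses.

```python
"""Triage "double extension" warnings of the kind TrojanHunter logs.

A multi-dot file name is only the classic lure when the part before the
final extension looks like a document or media type (invoice.pdf.exe) and
the final extension is something Windows will execute.  Dotted assembly
names such as System.Web.dll or ATI.ACE.SDK.dll match neither condition.
"""
import ntpath

# Final extensions Windows executes directly or hands to a script host
# (assumed list for this example).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "hta", "dll", "cpl", "msi"}

# "Harmless looking" extensions that lures put in front of the real one
# (assumed list for this example).
LURE_EXT = {"pdf", "doc", "xls", "ppt", "txt", "rtf", "jpg", "jpeg", "gif",
            "png", "bmp", "mp3", "avi", "mpg", "zip", "rar", "htm", "html"}

# Constructed sample: three paths from the scan log above, one ordinary
# single-extension file, and one invented lure.
SAMPLE_PATHS = [
    r"C:\Program Files\ATI Technologies\ATI.ACE\ATI.ACE.SDK.dll",
    r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll",
    r"C:\WINDOWS\ServicePackFiles\i386\mscorrc.chs.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\user\Desktop\holiday photo.jpg.exe",
]


def split_name(path):
    """Lower-cased, dot-separated parts of the file name component only."""
    return [p.lower() for p in ntpath.basename(path).split(".")]


def double_extension_risk(path):
    """Return (risk, reason) with risk in {"high", "low", "none"}."""
    parts = split_name(path)
    if len(parts) < 3:                       # zero or one dot: no double extension
        return "none", "single extension"
    final, before = parts[-1], parts[-2]
    if final not in EXECUTABLE_EXT:
        return "none", "final extension is not executable"
    if before in LURE_EXT:
        return "high", f".{before}.{final} hides an executable behind a document extension"
    if before in EXECUTABLE_EXT:
        return "high", f"two executable extensions .{before}.{final}"
    return "low", "dotted component name, not a lure pattern"


def triage(paths):
    """Keep only paths worth a look, highest risk first (stable order otherwise)."""
    order = {"high": 0, "low": 1}
    scored = [(p, *double_extension_risk(p)) for p in paths]
    return sorted((s for s in scored if s[1] != "none"), key=lambda s: order[s[1]])


if __name__ == "__main__":
    for path, risk, reason in triage(SAMPLE_PATHS):
        print(f"{risk:5} {path}  ({reason})")
```

Run against the scan log, every TrojanHunter warning comes back as "low" (a dotted component name), while the invented `holiday photo.jpg.exe` is the only "high" hit; that is the distinction the scanner's plain "double extension" rule does not make.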
Sandiego30
Newbie
Re: Help required!
« Reply #8 on: Sep 22nd, 2006, 2:18pm »
I have checked with my ISP with regard to the IP addresses you mentioned above, and they have stated that they are not connected to their service Huh
 
Another problem I have encountered is that I keep finding a deleted file in my Recycle Bin named "RB2A.TMP", which appears when I have started the PC up Huh
 
Not too sure where we go from here, so please let me know how you want to proceed Smiley
 
Sandiego30
siliconman01
Global Moderator
Re: Help required!
« Reply #9 on: Sep 22nd, 2006, 2:55pm »
Does the information on the IP addresses ring any bells for you?
 
% Information related to '85.255.112.0 - 85.255.127.255'
 
inetnum:   85.255.112.0 - 85.255.127.255
netname:   inhoster
descr:     Inhoster hosting company
descr:     OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks:   -----------------------------------
remarks:   Abuse notifications to: abuse@inhoster.com
remarks:   Network problems to: noc@inhoster.com
remarks:   Peering requests to: peering@inhoster.com
remarks:   -----------------------------------
country:   UA
org:  ORG-EST1-RIPE
admin-c:   AK4026-RIPE
tech-c:    AK4026-RIPE
tech-c:    FWHS1-RIPE
status:    ASSIGNED PI
mnt-by:    RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by:    RECIT-MNT
mnt-routes:     RECIT-MNT
mnt-domains:    RECIT-MNT
mnt-by:    DAV-MNT
mnt-routes:     DAV-MNT
mnt-domains:    DAV-MNT
source:    RIPE # Filtered
 
organisation:   ORG-EST1-RIPE
org-name:  INHOSTER
org-type:  NON-REGISTRY
remarks:   *************************************
remarks:   * Abuse contacts: abuse@inhoster.com *
remarks:   *************************************
address:   OOO Inhoster
address:   Poltavskij Shliax 24, Xarkov,
address:   61000, Ukraine
phone:     +38 066 4633621
e-mail:    support@inhoster.com
admin-c:   AK4026-RIPE
tech-c:    AK4026-RIPE
mnt-ref:   DAV-MNT
mnt-by:    DAV-MNT
source:    RIPE # Filtered
 
person:    Andrei Kislizin
address:   OOO Inhoster,
address:   ul.Antonova 5, Kiev,
address:   03186, Ukraine
phone:     +38 044 2404332
nic-hdl:   AK4026-RIPE
source:    RIPE # Filtered
 
person:    Fast Web Hosting Support
address:   01110, Ukraine, Kiev, 20Б, Solomenskaya street, room 201.
address:   UA
phone:     +35 79 91 17 759
e-mail:    support@fwebhost.net
nic-hdl:   FWHS1-RIPE
source:    RIPE # Filtered
 
If the above does not look familiar or you know what it is, then:
 
1.  Manually create a System Restore point through the START-Help and Support.
 
2.  Run a HiJackthis scan and FIX the items below.
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14}  : NameServer = 85.255.115.5,85.255.112.24  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E8AE6-5C48-419F-A8FB-824B8D5BCC24}  : NameServer = 85.255.115.5,85.255.112.24  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F69D37-221D-4DA7-984C-125518404C79}  : NameServer = 85.255.115.5,85.255.112.24  
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABFF1CB-5915-4C23-8AA2-71EDF45814A2}  : NameServer = 85.255.115.5,85.255.112.24  
 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24  
 
O17 - HKLM\System\CS1\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14}  : NameServer = 85.255.115.5,85.255.112.24  
 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24  

 
Then close HJT, reboot, rescan with HJT and post another HJT log.  
 
The above items appear to be part of TROJ_ZLOB.ALF trojan as per Trend Micro's info.
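Added example, not code from the thread or from HijackThis: a parser for O17 NameServer lines that flags any resolver outside a trusted set, using the 85.255.112.0/20 block from the RIPE record above as a known-bad range. The "trusted" resolver 192.0.2.53 is an assumed stand-in for the ISP's real DNS server, and the sample log is constructed from the O17 lines quoted in this thread plus one invented clean interface and one unrelated O4 line.

```python
"""Audit HijackThis O17 (NameServer) lines for a DNS changer.

Every interface GUID under Tcpip\Parameters\Interfaces, plus the global
Parameters key, can carry its own NameServer value, and HijackThis reports
the current control set (CCS) and the saved one (CS1) separately.  A
cleanup has to cover all of them or the bad resolvers come back.
"""
import ipaddress
import re

O17_RE = re.compile(r"^O17 - (?P<key>.+?)\s*:\s*NameServer\s*=\s*(?P<servers>.+?)\s*$")

# Assumed: the ISP's real resolver(s) go here (192.0.2.53 is a documentation address).
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
# From the RIPE record above: 85.255.112.0 - 85.255.127.255 is one /20.
KNOWN_BAD_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample log: one invented clean interface, two lines copied from
# the thread, and one O4 line to show that non-O17 lines are ignored.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E71C429-4321-4D1B-AC2A-0B4C28175D14}  : NameServer = 85.255.115.5,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.5 85.255.112.24
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o17(log_text):
    """Yield (registry_key, [server, ...]) for every O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # HJT separates multiple servers with either a comma or a space.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            yield m.group("key"), servers


def classify(server, trusted=TRUSTED_RESOLVERS, bad_ranges=KNOWN_BAD_RANGES):
    """Verdict for one resolver: trusted / known-bad / unknown / unparseable."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if ip in trusted:
        return "trusted"
    if any(ip in net for net in bad_ranges):
        return "known-bad"
    return "unknown"


def audit(log_text, trusted=TRUSTED_RESOLVERS, bad_ranges=KNOWN_BAD_RANGES):
    """One finding per (registry key, server) pair, in log order."""
    return [{"key": key, "server": s, "verdict": classify(s, trusted, bad_ranges)}
            for key, servers in parse_o17(log_text) for s in servers]


def is_hijacked(findings):
    """True when any configured resolver is not one we trust."""
    return any(f["verdict"] != "trusted" for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_HJT_LOG)
    for f in results:
        print(f"{f['verdict']:10} {f['server']:15} {f['key']}")
    print("DNS hijacked:", is_hijacked(results))
```

An "unknown" verdict is not automatically bad, but it is exactly the case where you ask the ISP, as happened here; "known-bad" is the case where you FIX every listed key (both CCS and CS1) and then rescan, because a missed control set restores the resolvers on the next boot.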
siliconman01
Global Moderator
Re: Help required!
« Reply #10 on: Sep 22nd, 2006, 4:13pm »

Also:
 
Please go to the folder location  C:\Windows\System32\Drivers\etc and open the "etc" folder.  
 
Find the file that is named    HOSTS   (no extension...just HOSTS).
 
Right click on it and Open it with NotePad.  Copy the contents and post it back here.
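Added example, not code from the thread: a checker for the HOSTS file siliconman01 asks for, reporting the two things a practitioner reads it for, namely update or scanner domains pinned to loopback (which silently breaks patching and online scans) and names pointed at a remote address (redirection). The protected-domain list is an assumption drawn from the scanner and update sites in this thread's HJT log, and the two bad lines in the sample are constructed.

```python
"""Audit a Windows HOSTS file for blackholed security domains and redirects.

The stock file is comments plus "127.0.0.1 localhost"; anything else is
either deliberate (ad blocking) or someone else's idea.
"""
import ipaddress

# Assumed list: update and online-scanner sites that appear in this thread.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                     "pandasoftware.com", "ewido.net", "f-secure.com")

# Constructed sample: default header and localhost line, then two bad entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com     # source server

127.0.0.1  localhost
127.0.0.1  update.microsoft.com      # constructed: blocks Windows Update
203.0.113.7  www.example-bank.test   # constructed: redirect to another host
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each mapping line; comments skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            yield n, ip, names


def is_loopback(ip_str):
    """True for 127.0.0.0/8 and ::1; False for garbage as well as remote IPs."""
    try:
        return ipaddress.ip_address(ip_str).is_loopback
    except ValueError:
        return False


def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Return findings as (line_no, hostname, ip, reason)."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            host = name.lower()
            if host == "localhost" and is_loopback(ip):
                continue                          # the one entry that belongs
            if any(host == d or host.endswith("." + d) for d in protected):
                findings.append((n, name, ip, "security/update domain overridden"))
            elif not is_loopback(ip):
                findings.append((n, name, ip, "name redirected to a remote address"))
            # a loopback mapping for an unlisted name (ad blocking) is left alone
    return findings


if __name__ == "__main__":
    for n, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}  ({reason})")
```

To use it on a real system, read the file at the path named in the post above and pass its contents to `audit_hosts`; an empty result means the file is as shipped, which is what a clean machine should show.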
Sandiego30
Newbie
Re: Help required!
« Reply #11 on: Sep 22nd, 2006, 6:07pm »
New HJT scan below:
 
Logfile of HijackThis v1.99.1
Scan saved at 23:57:42, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
E:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
E:\Program Files\blueyonder\PCguard\Rps.exe
E:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
e:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\Program Files\NETGEAR\WG111T\wlan111t.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
e:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
E:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
e:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\Analyzeme.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - E:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - E:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - e:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [IntelliType] "e:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCguard] "e:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkypeClient] "E:\Program Files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - e:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - e:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154465413254
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - E:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - e:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
 
HOSTS file information below:
 
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97     rhino.acme.com     # source server
#  38.25.63.10     x.acme.com    # x client host
 
127.0.0.1  localhost
 
Awaiting your help to the next stage Smiley
 
Sandiego30
siliconman01
Global Moderator
Re: Help required!
« Reply #12 on: Sep 23rd, 2006, 2:05am »
Okay, that's much better.  Thanks for contacting your ISP concerning those rodent IPs.  
 
Your HJT log looks fine now and your HOSTS file is correct.  
 
After you reboot and this mysterious RB2A.tmp file appears in your Recycle bin-  
 
Open the Recycle Bin and see where the file's Original Location is.  That might give us a clue as to what is generating it.  Please post back the original location of this file.  
 
I'm making the basic assumption that you have intentionally set up your system for this feature shown below, Correct?  This is not malicious; I'm just curious as to whether you need/want it as part of the startup on your system.  
 
Quote:
The tintsetp.exe process is part of Microsoft's 'Input Message Editor' and is used when translating Japanese and/or Chinese text in Internet Explorer, Outlook and other Microsoft Programs.

 
Please do a quick check/scan for possible rootkits.  To do this, go to the site below and download/install Blacklight.  Run a system scan with it and see if it detects any rootkits.  Please post back the results of this scan.  
 
http://www.f-secure.com/blacklight/
 
 
Sandiego30
Newbie
Re: Help required!
« Reply #13 on: Sep 23rd, 2006, 3:11pm »
The RB2A.tmp file has now been replaced by an RB3.TMP file located in Recycler Huh The folder found in the Recycler also has details as follows: "S-1-5-21-507921405-1606980848-839522115-1003 OR 1004"
 
As for the tintsetp.exe process, I have no need to have it running, so I don't mind if it's switched off/uninstalled etc.
 
The BlackLight scan has also found no issues, looking forward to the next steps Grin
 
Sandiego30
 
Sandiego30
Newbie
Re: Help required!
« Reply #14 on: Sep 23rd, 2006, 3:13pm »
Also, the scan log from BlackLight is below.
 
 
09/23/06 21:09:21 [Info]: BlackLight Engine 1.0.46 initialized
09/23/06 21:09:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/23/06 21:09:21 [Note]: 7019 4
09/23/06 21:09:21 [Note]: 7005 0
09/23/06 21:09:28 [Note]: 7006 0
09/23/06 21:09:29 [Note]: 7011 1492
09/23/06 21:09:29 [Note]: 7026 0
09/23/06 21:09:29 [Note]: 7026 0
09/23/06 21:09:33 [Note]: FSRAW library version 1.7.1019
09/23/06 21:11:08 [Note]: 7007 0