Ma TriX 0978 Posted January 9, 2007

What's up Tarun, could you check this?

Logfile of HijackThis v1.99.1
Scan saved at 7:51:23 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\OpicheDesigns\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe
O4 - Startup: Silica Webcam.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\Silica Webcam.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Administrator Tarun Posted January 9, 2007

Two entries are catching my attention. I checked for them but could find no information.

[Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe
O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

Scan with Ad-Aware and Spybot with the full definitions and settings. Please let me know the results. :happybday:
Ma TriX 0978 (Author) Posted January 9, 2007

I scanned with Spybot and got 146 registry entries, although I deleted the results before I saw this post. Sorry. I am also unsure of what those 2 entries are....
Ma TriX 0978 (Author) Posted January 9, 2007

Found the recovery. FunWebProducts and Swizzor were the entries found.
Administrator Tarun Posted January 9, 2007

After you scan with Ad-Aware, post another HijackThis log and those two entries may be removed.
Ma TriX 0978 (Author) Posted January 9, 2007

Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, January 08, 2007 8:39:08 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R143 08.01.2007

References detected during the scan:
Coulomb Dialer(TAC index:5):1 total references
Tracking Cookie(TAC index:3):3 total references
Win32.TrojanDownloader.Swizzor.br(TAC index:8):6 total references

Memory scan result:
New critical objects: 0
Objects found so far: 0

Started registry scan
Registry Scan result:
New critical objects: 0
Objects found so far: 0

Started deep registry scan
Deep registry scan result:
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : opichedesigns@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:opichedesigns@atdmt.com/
Expires : 1-7-2012 4:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : opichedesigns@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:opichedesigns@advertising.com/
Expires : 1-7-2012 8:27:16 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : opichedesigns@ads.addynamix[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:opichedesigns@ads.addynamix.com/
Expires : 1-9-2007 5:10:44 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
New critical objects: 3
Objects found so far: 3

Deep scanning and examining files (C:)

Coulomb Dialer Object Recognized!
Type : File
Data : Groove.x32
TAC Rating : 5
Category : Dialer
Comment :
Object : C:\Documents and Settings\OpicheDesigns\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\
FileVersion : 1, 8, 1, 0
ProductVersion : 1, 8, 1, 0
ProductName : GROOVE
FileDescription : GROOVE
InternalName : GROOVE
LegalCopyright : Copyright 2001
OriginalFilename : GROOVE.x32

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : File
Data : npdlplug.dll
TAC Rating : 8
Category : Malware
Comment :
Object : C:\Program Files\Download Plugin\DlPlugin-Moz\
FileVersion : 1.5.0.1
ProductVersion : 1.5.0.1
ProductName : Download Plugin
FileDescription : Download Plugin v.1.5.0.1
InternalName : DLPLUG
OriginalFilename : npdlplug.dll

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : File
Data : npdlplug.dll
TAC Rating : 8
Category : Malware
Comment :
Object : C:\Program Files\Mozilla Firefox\plugins\
FileVersion : 1.5.0.1
ProductVersion : 1.5.0.1
ProductName : Download Plugin
FileDescription : Download Plugin v.1.5.0.1
InternalName : DLPLUG
OriginalFilename : npdlplug.dll

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : File
Data : A0346740.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{4EA9E31D-3146-411E-ACF7-4A9C457425C2}\RP618\

Disk Scan Result for C:\
New critical objects: 0
Objects found so far: 7

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

Hosts file scan result:
71 entries scanned.
New critical objects:0
Objects found so far: 7

Performing conditional scans...

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\download plugin

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\download plugin

Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\download plugin
Value : UninstallString

Conditional scan result:
New critical objects: 3
Objects found so far: 10
Administrator Tarun Posted January 9, 2007

How's your HijackThis log look? :happybday:
Ma TriX 0978 (Author) Posted January 9, 2007

Logfile of HijackThis v1.99.1
Scan saved at 9:08:14 AM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\OpicheDesigns\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe
O4 - Startup: Silica Webcam.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\Silica Webcam.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Administrator Tarun Posted January 9, 2007

You may wish to upload these two files to Jotti and VirusTotal.

[Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe
O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

Please post the results of the upload.
Ma TriX 0978 (Author) Posted January 10, 2007

Jotti - Nothing came up with the biosmon system file. Although for the other file, here are the results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Obfuscated.1 (paranoid heuristics) (probable variant)

VirusTotal Results for Biosmon only came out 1 to be suspicious..

Fortinet 2.82.0.0 01.10.2007 suspicious

But for the other file...

AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.09.2007 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.10.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 no virus found
eTrust-InoculateIT 23.73.110 01.10.2007 no virus found
eTrust-Vet 30.3.3316 01.10.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.10.2007 suspicious
F-Prot 3.16f 01.09.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.10.2007 no virus found
McAfee 4935 01.09.2007 no virus found
Microsoft 1.1904 01.10.2007 no virus found
NOD32v2 1968 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.09.2007 Adware/Lop
Prevx1 V2 01.10.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 no virus found
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.10.2007 no virus found
VBA32 3.11.2 01.09.2007 suspected of Trojan-Downloader.Obfuscated.1 (paranoid heuristics)
VirusBuster 4.3.19:9 01.09.2007 no virus found
Administrator Tarun Posted January 10, 2007

Remove both of those files from HijackThis. You may also want to run a full virus scan on the safe side.