
Posted

What's up Tarun, could you check this.

Logfile of HijackThis v1.99.1

Scan saved at 7:51:23 PM, on 1/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe

C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AIM\aim.exe

C:\Documents and Settings\OpicheDesigns\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

O4 - HKCU\..\Run: [Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe

O4 - Startup: Silica Webcam.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\Silica Webcam.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  • Administrator
Posted

Two entries are catching my attention. I checked for them but could find no information.

[Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe

O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

Scan with Ad-Aware and Spybot with the full definitions and settings. Please let me know the results.
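The two entries singled out above are the kind a reviewer pulls out of a HijackThis log by hand: an O4 Run value whose image lives under the user's Application Data, and an O21 SSODL DLL whose name has nothing to do with the value it is registered under. The script below is an added example, not part of this thread and not HijackThis code. It parses O4, O20 and O21 lines, maps each to the registry key or folder HijackThis read it from (the Windows XP locations), and flags entries by two heuristics that are this example's own assumptions: an image inside a user profile or temp directory, and an entry name unrelated to the image file name for an image outside Program Files. The sample log lines are copied from the log posted above.

```python
"""Triage helper for HijackThis 1.99 logs.

Added example, not part of the thread or of HijackThis. It parses O4
(Run keys and Startup folders), O20 (Winlogon Notify) and O21 (SSODL)
lines, maps each to the registry key or folder HijackThis read it from,
and flags entries whose image is somewhere a normal install never puts
an autostart binary. The two heuristics below are this example's own
assumptions, not HijackThis rules; they surface candidates for a hash
lookup, they do not prove anything is malicious.
"""
import re

# Where HijackThis reads each section from (Windows XP layout).
LOCATIONS = {
    "Startup": r"%USERPROFILE%\Start Menu\Programs\Startup",
    "Global Startup": r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
    "Winlogon Notify": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    "SSODL": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad",
}
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

RE_HEAD = re.compile(r"^(?P<sec>O4|O20|O21) - (?P<where>[^:]+): (?P<rest>.+)$")
RE_REST = {
    "Run": re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "Startup": re.compile(r"^(?P<name>.+?) = (?P<cmd>.+)$"),
    "Global Startup": re.compile(r"^(?P<name>.+?) = (?P<cmd>.+)$"),
    "Winlogon Notify": re.compile(r"^(?P<name>\S+) - (?P<cmd>.+)$"),
    "SSODL": re.compile(r"^(?P<name>\S+) - \{[^}]+\} - (?P<cmd>.+)$"),
}
# First drive-letter path ending in .exe/.dll: "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup"
# yields the DLL, and a quoted "C:\...\CPF.exe" /background yields the EXE.
RE_IMAGE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

# Assumption: autostart images under these fragments deserve a second look.
PROFILE_FRAGMENTS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                     "\\application data\\", "\\local settings\\", "\\temp\\")
VENDOR_FRAGMENTS = ("\\program files\\", "\\progra~1\\")


def parse_entries(log_text):
    """Yield (section, where, name, cmd) for every autostart line in the log."""
    for line in log_text.splitlines():
        head = RE_HEAD.match(line.strip())
        if not head:
            continue
        where = head.group("where")
        kind = "Run" if where.endswith("\\..\\Run") else where
        pattern = RE_REST.get(kind)
        body = pattern.match(head.group("rest")) if pattern else None
        if body:
            yield head.group("sec"), where, body.group("name"), body.group("cmd")


def location_of(where):
    """Registry key or folder the entry was read from."""
    if where.endswith("\\..\\Run"):
        return where.split("\\", 1)[0] + RUN_KEY      # HKLM\... or HKCU\...
    return LOCATIONS.get(where, where)


def image_of(cmd):
    """The binary actually loaded, stripped of quoting and arguments."""
    m = RE_IMAGE.search(cmd)
    return m.group(0) if m else cmd


def reasons_for(sec, name, image):
    low = image.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    nm = name.lower()
    reasons = []
    if any(f in low for f in PROFILE_FRAGMENTS):
        reasons.append("image is in a user profile or temp directory")
    in_vendor_dir = any(f in low for f in VENDOR_FRAGMENTS)
    if not in_vendor_dir and stem not in nm and nm not in stem:
        # Vendors name the value after the binary; a system32 image whose name
        # has nothing to do with the entry name is worth a hash lookup.
        reasons.append("entry name unrelated to image name, outside Program Files")
    if sec == "O21" and reasons:
        # SSODL objects are loaded by Explorer at logon, so a hit here runs
        # inside explorer.exe for every interactive session.
        reasons.append("SSODL object loads into explorer.exe at logon")
    return reasons


def triage(log_text):
    """All parsed entries with their location, image and any flags."""
    out = []
    for sec, where, name, cmd in parse_entries(log_text):
        image = image_of(cmd)
        out.append({"section": sec, "name": name, "location": location_of(where),
                    "image": image, "reasons": reasons_for(sec, name, image)})
    return out


def flagged(log_text):
    return [e for e in triage(log_text) if e["reasons"]]


# Sample lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e['section']} {e['name']}: {e['image']}")
        print(f"    read from {e['location']}")
        for r in e["reasons"]:
            print(f"    - {r}")
```

Run against the sample it prints exactly the two entries the administrator picked out, with the Run key and the ShellServiceObjectDelayLoad key they would have to be deleted from. The heuristics are deliberately loose: they cannot tell a renamed dropper from a badly packaged utility, which is why the next step in the thread is a multi-engine scan of the files, not deletion on sight.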

Posted

I scanned with Spybot and got 146 registry entries, although I deleted the results before I saw this post. Sorry. I am also unsure of what those 2 entries are....

  • Administrator
Posted

After you scan with Ad-Aware, post another HijackThis log and those two entries may be removed.

Posted

Ad-Aware SE Build 1.06r1

Logfile Created on:Monday, January 08, 2007 8:39:08 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R143 08.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Coulomb Dialer(TAC index:5):1 total references

Tracking Cookie(TAC index:3):3 total references

Win32.TrojanDownloader.Swizzor.br(TAC index:8):6 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : opichedesigns@atdmt[2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:opichedesigns@atdmt.com/

Expires : 1-7-2012 4:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : opichedesigns@advertising[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:opichedesigns@advertising.com/

Expires : 1-7-2012 8:27:16 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : opichedesigns@ads.addynamix[1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:opichedesigns@ads.addynamix.com/

Expires : 1-9-2007 5:10:44 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 3

Objects found so far: 3

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Coulomb Dialer Object Recognized!

Type : File

Data : Groove.x32

TAC Rating : 5

Category : Dialer

Comment :

Object : C:\Documents and Settings\OpicheDesigns\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\

FileVersion : 1, 8, 1, 0

ProductVersion : 1, 8, 1, 0

ProductName : GROOVE

FileDescription : GROOVE

InternalName : GROOVE

LegalCopyright : Copyright 2001

OriginalFilename : GROOVE.x32

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : File

Data : npdlplug.dll

TAC Rating : 8

Category : Malware

Comment :

Object : C:\Program Files\Download Plugin\DlPlugin-Moz\

FileVersion : 1.5.0.1

ProductVersion : 1.5.0.1

ProductName : Download Plugin

FileDescription : Download Plugin v.1.5.0.1

InternalName : DLPLUG

OriginalFilename : npdlplug.dll

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : File

Data : npdlplug.dll

TAC Rating : 8

Category : Malware

Comment :

Object : C:\Program Files\Mozilla Firefox\plugins\

FileVersion : 1.5.0.1

ProductVersion : 1.5.0.1

ProductName : Download Plugin

FileDescription : Download Plugin v.1.5.0.1

InternalName : DLPLUG

OriginalFilename : npdlplug.dll

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : File

Data : A0346740.exe

TAC Rating : 8

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{4EA9E31D-3146-411E-ACF7-4A9C457425C2}\RP618\

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 7

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

71 entries scanned.

New critical objects:0

Objects found so far: 7

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : Regkey

Data :

TAC Rating : 8

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\download plugin

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : Regkey

Data :

TAC Rating : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\download plugin

Win32.TrojanDownloader.Swizzor.br Object Recognized!

Type : RegValue

Data :

TAC Rating : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\download plugin

Value : UninstallString

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 3

Objects found so far: 10

Posted

Logfile of HijackThis v1.99.1

Scan saved at 9:08:14 AM, on 1/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE

C:\Program Files\AIM\aim.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\OpicheDesigns\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

O4 - HKCU\..\Run: [Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe

O4 - Startup: Silica Webcam.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\Silica Webcam.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

  • Administrator
Posted

You may wish to upload these two files to Jotti and VirusTotal.

[Frag4] C:\DOCUME~1\OPICHE~1\APPLIC~1\TYPEDU~1\sizereadmeuser.exe

O21 - SSODL: Biosmon - {5CE8A725-9DE4-4741-A2B5-357D41C84CA2} - C:\WINDOWS\system32\fatuni32.dll

Please post the results of the upload.

Posted

Jotti -

Nothing came up with the biosmon system file

Although for the other file, here are the results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

VirusBuster Found nothing

VBA32 Found Trojan-Downloader.Obfuscated.1 (paranoid heuristics) (probable variant)

VirusTotal

Results for Biosmon: only 1 came out as suspicious.

Fortinet 2.82.0.0 01.10.2007 suspicious

But for the other file...

AntiVir 7.3.0.21 01.09.2007 no virus found

Authentium 4.93.8 01.09.2007 no virus found

Avast 4.7.892.0 12.30.2006 no virus found

AVG 386 01.09.2007 no virus found

BitDefender 7.2 01.10.2007 no virus found

CAT-QuickHeal 9.00 01.09.2007 (Suspicious) - DNAScan

ClamAV devel-20060426 01.09.2007 no virus found

DrWeb 4.33 01.09.2007 no virus found

eSafe 7.0.14.0 01.09.2007 no virus found

eTrust-InoculateIT 23.73.110 01.10.2007 no virus found

eTrust-Vet 30.3.3316 01.10.2007 no virus found

Ewido 4.0 01.09.2007 no virus found

Fortinet 2.82.0.0 01.10.2007 suspicious

F-Prot 3.16f 01.09.2007 no virus found

F-Prot4 4.2.1.29 01.09.2007 no virus found

Ikarus T3.1.0.27 01.09.2007 no virus found

Kaspersky 4.0.2.24 01.10.2007 no virus found

McAfee 4935 01.09.2007 no virus found

Microsoft 1.1904 01.10.2007 no virus found

NOD32v2 1968 01.09.2007 no virus found

Norman 5.80.02 12.31.2007 no virus found

Panda 9.0.0.4 01.09.2007 Adware/Lop

Prevx1 V2 01.10.2007 no virus found

Sophos 4.13.0 01.05.2007 no virus found

Sunbelt 2.2.907.0 01.05.2007 no virus found

TheHacker 6.0.3.146 01.08.2007 no virus found

UNA 1.83 01.10.2007 no virus found

VBA32 3.11.2 01.09.2007 suspected of Trojan-Downloader.Obfuscated.1 (paranoid heuristics)

VirusBuster 4.3.19:9 01.09.2007 no virus found
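The VirusTotal listing above is a detection count of 4 out of 29, but three of the four are heuristic flags ("suspicious", "DNAScan", "paranoid heuristics") and only Panda gives a family name. The script below is an added example, not part of this thread and not VirusTotal or Jotti code. It parses the one-line-per-engine text format shown in the post (engine, engine version, signature date, verdict) and splits the count into clean, heuristic-only and named verdicts so the ratio can be read for what it is. The verdict keywords it treats as heuristic are this example's assumptions about how engines phrase such results; the sample rows are copied from the results above.

```python
"""Summarise a multi-engine scan result pasted as text.

Added example, not part of the thread, VirusTotal or Jotti. The text
output in the post has one line per engine: name, engine version,
signature date (mm.dd.yyyy), verdict. This splits the verdict off each
line, classifies it, and reports what the detection count is made of,
because "4 of 29" reads differently when three of the four are
heuristic-only flags. HEURISTIC_MARKERS is this example's assumption
about how engines word a heuristic verdict.
"""
import re

CLEAN = "no virus found"
HEURISTIC_MARKERS = ("suspicious", "suspected", "heuristic", "probable", "dnascan")

# engine <version> <mm.dd.yyyy> <verdict>; engine names never contain spaces here.
RE_ROW = re.compile(
    r"^(?P<engine>.+?)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<verdict>.+)$")


def classify(verdict):
    """clean / heuristic / named, from the verdict text alone."""
    v = verdict.lower().strip()
    if v == CLEAN:
        return "clean"
    if any(m in v for m in HEURISTIC_MARKERS):
        return "heuristic"
    return "named"


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = RE_ROW.match(line.strip())
        if m:
            rows.append({"engine": m.group("engine"), "date": m.group("date"),
                         "verdict": m.group("verdict"), "kind": classify(m.group("verdict"))})
    return rows


def summarise(text):
    """Detection count broken down by verdict kind, plus the non-clean rows."""
    rows = parse_rows(text)
    counts = {"clean": 0, "heuristic": 0, "named": 0}
    for r in rows:
        counts[r["kind"]] += 1
    return {"engines": len(rows),
            "detections": counts["heuristic"] + counts["named"],
            "counts": counts,
            "hits": [r for r in rows if r["kind"] != "clean"]}


# Rows copied from the VirusTotal result posted above.
SAMPLE_RESULTS = """
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.09.2007 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.09.2007 no virus found
BitDefender 7.2 01.10.2007 no virus found
CAT-QuickHeal 9.00 01.09.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.09.2007 no virus found
DrWeb 4.33 01.09.2007 no virus found
eSafe 7.0.14.0 01.09.2007 no virus found
eTrust-InoculateIT 23.73.110 01.10.2007 no virus found
eTrust-Vet 30.3.3316 01.10.2007 no virus found
Ewido 4.0 01.09.2007 no virus found
Fortinet 2.82.0.0 01.10.2007 suspicious
F-Prot 3.16f 01.09.2007 no virus found
F-Prot4 4.2.1.29 01.09.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.10.2007 no virus found
McAfee 4935 01.09.2007 no virus found
Microsoft 1.1904 01.10.2007 no virus found
NOD32v2 1968 01.09.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.09.2007 Adware/Lop
Prevx1 V2 01.10.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 no virus found
TheHacker 6.0.3.146 01.08.2007 no virus found
UNA 1.83 01.10.2007 no virus found
VBA32 3.11.2 01.09.2007 suspected of Trojan-Downloader.Obfuscated.1 (paranoid heuristics)
VirusBuster 4.3.19:9 01.09.2007 no virus found
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_RESULTS)
    print(f"{s['detections']}/{s['engines']} engines flagged the file: {s['counts']}")
    for h in s["hits"]:
        print(f"  {h['engine']:<14} [{h['kind']}] {h['verdict']}")
```

A low count made mostly of heuristic flags, as here, says the file is unusual (packed or obfuscated) rather than that it matches a known family; the one named verdict is the lead worth following, and it is consistent with the file sitting in an HKCU Run value under the user's profile. That is also why the administrator's reply asks for the autostart entries to be removed and a full scan run rather than treating 25 clean verdicts as a clean bill of health.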

  • Administrator
Posted

Remove both of those files from HijackThis. You may also want to run a full virus scan on the safe side.
