Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
qtplugin.exe and rundll32_s.exe removal?
-
20-01-2010 12:12AM#1
Comments
-
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 01:32:13, on 1/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
\Programi\avast\aswUpdSv.exe\Programi\avast\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE\Programi\avast\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe\Programi\hamachi\hamachi-2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe\Programi\avast\ashMaiSv.exe\Programi\avast\ashWebSv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\rundll32_s.exe
C:\WINDOWS\TEMP\rundll32_s.exe
C:\WINDOWS\TEMP\rundll32_s.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 172.31.31.254 msnfix.changelog.fr
O1 - Hosts: 172.31.31.254 www.incodesolutions.com
O1 - Hosts: 172.31.31.254 virusinfo.prevx.com
O1 - Hosts: 172.31.31.254 download.bleepingcomputer.com
O1 - Hosts: 172.31.31.254 www.dazhizhu.cn
O1 - Hosts: 172.31.31.254 foro.noticias3d.com
O1 - Hosts: 172.31.31.254 www.spybotupdates.com
O1 - Hosts: 172.31.31.254 club.myce.com
O1 - Hosts: 172.31.31.254 www.k7computing.com
O1 - Hosts: 172.31.31.254 softwaresecuritysolutions.com
O1 - Hosts: 172.31.31.254 www.nabble.com
O1 - Hosts: 172.31.31.254 lurker.clamav.net
O1 - Hosts: 172.31.31.254 lexikon.ikarus.at
O1 - Hosts: 172.31.31.254 research.sunbelt-software.com
O1 - Hosts: 172.31.31.254 www.virusdoctor.jp
O1 - Hosts: 172.31.31.254 www.elitepvpers.de
O1 - Hosts: 172.31.31.254 guru.avg.com
O1 - Hosts: 172.31.31.254 downloads.sophos.com
O1 - Hosts: 172.31.31.254 share.skype.com
O1 - Hosts: 172.31.31.254 myantispyware.com
O1 - Hosts: 172.31.31.254 www.computerhilfen.de
O1 - Hosts: 172.31.31.254 www.superuser.co.kr
O1 - Hosts: 172.31.31.254 ntfaq.co.kr
O1 - Hosts: 172.31.31.254 v.dreamwiz.com
O1 - Hosts: 172.31.31.254 cit.kookmin.ac.kr
O1 - Hosts: 172.31.31.254 forums.whatthetech.com
O1 - Hosts: 172.31.31.254 forum.hijackthis.de
O1 - Hosts: 172.31.31.254 avg.vo.llnwd.net
O1 - Hosts: 172.31.31.254 ftp.drweb.com
O1 - Hosts: 172.31.31.254 www.zonealarm.com
O1 - Hosts: 172.31.31.254 smadaver.com
O1 - Hosts: 172.31.31.254 support.emsisoft.com
O1 - Hosts: 172.31.31.254 www.huaifai.go.th
O1 - Hosts: 172.31.31.254 www.mostz.com
O1 - Hosts: 172.31.31.254 www.krupunmai.com
O1 - Hosts: 172.31.31.254 www.cddchiangmai.net
O1 - Hosts: 172.31.31.254 forum.malekal.com
O1 - Hosts: 172.31.31.254 tech.pantip.com
O1 - Hosts: 172.31.31.254 sapcupgrades.com
O1 - Hosts: 172.31.31.254 www.elguruinformatico.com
O1 - Hosts: 172.31.31.254 forums.avg.com
O1 - Hosts: 172.31.31.254 zastita.com
O1 - Hosts: 172.31.31.254 support.kaspersky.com
O1 - Hosts: 172.31.31.254 www.247fixes.com
O1 - Hosts: 172.31.31.254 forum.sysinternals.com
O1 - Hosts: 172.31.31.254 forum.telecharger.01net.com
O1 - Hosts: 172.31.31.254 sophos.com
O1 - Hosts: 172.31.31.254 foros.softonic.com
O1 - Hosts: 172.31.31.254 avast-home.uptodown.com
O1 - Hosts: 172.31.31.254 dr-web-cureit.softonic.com
O1 - Hosts: 172.31.31.254 heavenward.ru
O1 - Hosts: 172.31.31.254 forum.smadav.net
O1 - Hosts: 172.31.31.254 www.forum.kaspersky.com
O1 - Hosts: 172.31.31.254 www.f-secure.com
O1 - Hosts: 172.31.31.254 www.chkrootkit.org
O1 - Hosts: 172.31.31.254 diamondcs.com.au
O1 - Hosts: 172.31.31.254 www.rootkit.nl
O1 - Hosts: 172.31.31.254 www.sysinternals.com
O1 - Hosts: 172.31.31.254 z-oleg.com
O1 - Hosts: 172.31.31.254 espanol.dir.groups.yahoo.com
O1 - Hosts: 172.31.31.254 ftp01net.telechargement.fr
O1 - Hosts: 172.31.31.254 modelayu.com
O1 - Hosts: 172.31.31.254 vaksin.com
O1 - Hosts: 172.31.31.254 bbs.kaspersky.com.cn
O1 - Hosts: 172.31.31.254 www.castlecrops.com
O1 - Hosts: 172.31.31.254 www.misec.net
O1 - Hosts: 172.31.31.254 safecomputing.umn.edu
O1 - Hosts: 172.31.31.254 www.antirootkit.com
O1 - Hosts: 172.31.31.254 www.greatis.com
O1 - Hosts: 172.31.31.254 ar.answers.yahoo.com
O1 - Hosts: 172.31.31.254 www.elhacker.org
O1 - Hosts: 172.31.31.254 research.pandasecurity.com
O1 - Hosts: 172.31.31.254 www.tpu.ro
O1 - Hosts: 172.31.31.254 www.pinoyden.com
O1 - Hosts: 172.31.31.254 forum.avira.de
O1 - Hosts: 172.31.31.254 www.rootkit.com
O1 - Hosts: 172.31.31.254 www.pctools.com
O1 - Hosts: 172.31.31.254 www.pcsupportadvisor.com
O1 - Hosts: 172.31.31.254 www.resplendence.com
O1 - Hosts: 172.31.31.254 www.personal.psu.edu
O1 - Hosts: 172.31.31.254 foro.ethek.com
O1 - Hosts: 172.31.31.254 foro.elhacker.net
O1 - Hosts: 172.31.31.254 download.zonealarm.com
O1 - Hosts: 172.31.31.254 spywarehammer.com
O1 - Hosts: 172.31.31.254 www.codelain.com
O1 - Hosts: 172.31.31.254 www.thaicert.org
O1 - Hosts: 172.31.31.254 vil.nail.com
O1 - Hosts: 172.31.31.254 search.mcafee.com
O1 - Hosts: 172.31.31.254 wwww.mcafee.com
O1 - Hosts: 172.31.31.254 download.nai.com
O1 - Hosts: 172.31.31.254 wwww.experts-exchange.com
O1 - Hosts: 172.31.31.254 www.bakunos.com
O1 - Hosts: 172.31.31.254 www.darkclockers.com
O1 - Hosts: 172.31.31.254 www2.gmer.net
O1 - Hosts: 172.31.31.254 ariefew.com
O1 - Hosts: 172.31.31.254 www.emsisoft.com
O1 - Hosts: 172.31.31.254 forum.romeonet.ro
O1 - Hosts: 172.31.31.254 www.Merijn.org
O1 - Hosts: 172.31.31.254 www.spywareinfo.com
O1 - Hosts: 172.31.31.254 www.spybot.info
O1 - Hosts: 172.31.31.254 www.viruslist.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program
Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program
Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!]\Programi\avast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search
Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSConfig] C:\Documents and Settings\Danijel\pifj.exe \u
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL
SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK
SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default
user')
O4 - Startup: Startup Defender.lnk = C:\Program Files\Zards software\Startup
Defender\Startup Defender.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google
Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -
C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices -
{C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates -
{C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) -
http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -
http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) -
http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon -\Programi\superspyware\SASWINLO.dll
O20 - Winlogon Notify: csbdll - csbdll.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} -
C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -
{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software -\Programi\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software -\Programi\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software -\Programi\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software -\Programi\avast\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. -\Programi\hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common
Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner -\Programi\matlab7\webserver\bin\win32\matlabserver.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG -\Programi\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common
Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony
Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity
Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common
Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common
Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 12722 bytes0 -
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 15 Model 67 Stepping 3, AuthenticAMD
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.13
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:19 Go - Free:6 Go )\ [Fixed-NTFS] .. ( Total:129 Go - Free:62 Go )
E:\ [Fixed-NTFS] .. ( Total:298 Go - Free:116 Go )
F:\ [CD_Rom]
G:\ [CD_Rom]
.
Scan : 01:41.01
Path : E:\programs\Rooter.exe
User : Danijel ( Administrator -> YES )
.
\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (952)
______ \??\C:\WINDOWS\system32\csrss.exe (1000)
______ \??\C:\WINDOWS\system32\winlogon.exe (1024)
______ C:\WINDOWS\system32\services.exe (1068)
______ C:\WINDOWS\system32\lsass.exe (1080)
______ C:\WINDOWS\system32\svchost.exe (1256)
______ C:\WINDOWS\system32\svchost.exe (1304)
______ C:\WINDOWS\System32\svchost.exe (1656)
______ C:\WINDOWS\system32\svchost.exe (1844)
______ C:\WINDOWS\system32\svchost.exe (1928)
______\Programi\avast\aswUpdSv.exe (380)
______\Programi\avast\ashServ.exe (436)
______ C:\WINDOWS\system32\LEXBCES.EXE (1356)
______ C:\WINDOWS\system32\spoolsv.exe (1384)
______ C:\WINDOWS\system32\LEXPPS.EXE (1400)
______ C:\WINDOWS\Explorer.EXE (1712)
______ C:\WINDOWS\RTHDCPL.EXE (1700)
______\Programi\avast\ashDisp.exe (1864)
______ C:\WINDOWS\system32\RUNDLL32.EXE (1980)
______ C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (1996)
______ C:\WINDOWS\system32\ctfmon.exe (164)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (1128)
______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (888)
______ C:\WINDOWS\system32\svchost.exe (1140)
______ C:\WINDOWS\system32\cisvc.exe (1936)
______\Programi\hamachi\hamachi-2.exe (2220)
______ C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (3296)
______ C:\WINDOWS\system32\nvsvc32.exe (3652)
______ C:\WINDOWS\system32\PnkBstrA.exe (3820)
______ C:\WINDOWS\system32\svchost.exe (3888)
______ C:\WINDOWS\system32\wdfmgr.exe (3940)
______\Programi\avast\ashMaiSv.exe (2252)
______\Programi\avast\ashWebSv.exe (2352)
______ C:\WINDOWS\System32\alg.exe (4064)
______ C:\Program Files\Windows Live\Contacts\wlcomm.exe (3276)
______ C:\WINDOWS\system32\cidaemon.exe (768)
______ C:\WINDOWS\system32\cidaemon.exe (4036)
______ C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (4120)
______ C:\Program Files\Internet Explorer\iexplore.exe (1148)
______ C:\WINDOWS\TEMP\rundll32_s.exe (1480)
______ C:\WINDOWS\TEMP\rundll32_s.exe (5104)
______ C:\WINDOWS\system32\msiexec.exe (6048)
______ C:\WINDOWS\TEMP\rundll32_s.exe (4224)
______ E:\programs\Rooter.exe (4580)
.
\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:20974431744)
\Device\Harddisk0\Partition0 (Start_Offset:20974464000 | Length:139056583680)
\Device\Harddisk0\Partition2 (Start_Offset:20974496256 | Length:139056551424)
.
\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
\\ Registry
.
.
\\ Files & Folders
.
\\ Scan completed at 01:41.01
.
C:\Rooter$\Rooter_3.txt - (20/01/2010 | 01:41.01)0 -
-
how, and what exactly did u replace? did it solve it? My host file is unedited, it only has the localhost entry... I think that list of websites was created by this malware, since I havent seen any of those sites ever, and I'm having a lots of trouble accessing some online virus scan sites since the infection. And honestly, I dont really know what ur trying to say in that second part, call me a Noob if u must.Candlemaker wrote: »your hosts file gets seriously infected. I replaced mine (same problem different thread as you've already seen). I'd look through that list and make sure that any website that's there you don't try an access. do a dns lookup and use the ip instead (online website not your own computer).
0 -
-
Advertisement
-
Advertisement