Can’t click anything on desktop
January 27th, 2020
Do you remember what your AV detected [variant name + location] and you deleted?
It actually said Trojan with some other stuff, but I didn’t know where it had the location written, because I remember looking but it didn’t say. Also I don’t really know how I got the virus, because both of those things were from good uploaders. One was a virtual drive program, I forget the name, and it was from the sticky topic of most wanted apps, which had many pages of thank-yous and “works fine”. Also I downloaded the game Oblivion from a guy that uploads a lot (I looked at his posts), and people on that thread said that the game works fine.
When you say you couldn’t click anything on the desktop, were the icons there? If not, it sounds like something is stopping explorer.exe from opening properly.
Yeah, the icons are there, and it’s not the actual internet icon that didn’t work but connecting to the internet. It said the strength was good but it just wouldn’t connect.
Best I can come up with is something messing around with your LSP chain.
Please download the current version of HijackThis from here.
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
- Double click and run the installer.
- It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
- After installing, you should get the user agreement, press accept and Hijack This will run.
- Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:37 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3418
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 – URLSearchHook: myBabylon Toolbar – {34ea1c70-42cc-42c5-aa29-ec58b95a343e} – C:\Program Files\myBabylon\tbmyBa.dll
O2 – BHO: IDM Helper – {0055C089-8582-441B-A0BF-17B458C2A3A8} – C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 – BHO: Adobe PDF Reader Link Helper – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 – BHO: RealPlayer Download and Record Plugin for Internet Explorer – {3049C3E9-B461-4BC5-8870-4C09146192CA} – C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 – BHO: myBabylon Toolbar – {34ea1c70-42cc-42c5-aa29-ec58b95a343e} – C:\Program Files\myBabylon\tbmyBa.dll
O2 – BHO: NCO 2.0 IE BHO – {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} – C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 – BHO: Symantec Intrusion Prevention – {6D53EC84-6AAE-4787-AEEE-F4628F01010C} – C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 – BHO: Groove GFS Browser Helper – {72853161-30C5-4D22-B7F9-0BBC1D38A37E} – C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 – BHO: Megaupload Toolbar – {A057A204-BACC-4D26-C39E-35F1D2A32EC8} – (no file)
O2 – BHO: Google Toolbar Helper – {AA58ED58-01DD-4d91-8333-CF10577473F7} – c:\program files\google\googletoolbar1.dll
O2 – BHO: Browser Address Error Redirector – {CA6319C0-31B7-401E-A518-A07C3DB8F777} – c:\windows\system32\BAE.dll
O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
O3 – Toolbar: (no name) – {0BF43445-2F28-4351-9252-17FE6E806AA0} – (no file)
O3 – Toolbar: Easy-WebPrint – {327C2873-E90D-4c37-AA9D-10AC9BABA46C} – C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 – Toolbar: myBabylon Toolbar – {34ea1c70-42cc-42c5-aa29-ec58b95a343e} – C:\Program Files\myBabylon\tbmyBa.dll
O3 – Toolbar: Show Norton Toolbar – {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} – C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 – Toolbar: Megaupload Toolbar – {A057A204-BACC-4D26-C39E-35F1D2A32EC8} – (no file)
O4 – HKLM\..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 – HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 – HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 – HKLM\..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 – HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 – HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 – HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 – HKLM\..\Run: [osCheck] “C:\Program Files\Norton Internet Security\osCheck.exe”
O4 – HKLM\..\Run: [svchosts] C:\WINDOWS\svchosts.exe
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 – HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 – HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User ‘Default user’)
O4 – Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 – Extra context menu item: Add to AMV Converter… – C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 – Extra context menu item: Add to Media Manager… – C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 – Extra context menu item: Download all links with IDM – C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 – Extra context menu item: Download FLV video content with IDM – C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 – Extra context menu item: Download with IDM – C:\Program Files\Internet Download Manager\IEExt.htm
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 – Extra context menu item: Easy-WebPrint Add To Print List – res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 – Extra context menu item: Easy-WebPrint High Speed Print – res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 – Extra context menu item: Easy-WebPrint Preview – res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 – Extra context menu item: Easy-WebPrint Print – res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 – Extra context menu item: Translate with &Babylon – res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 – Extra button: Send to OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 – Extra ‘Tools’ menuitem: S&end to OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 – Extra button: PartyPoker.com – {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} – C:\WINDOWS\system32\shdocvw.dll
O9 – Extra ‘Tools’ menuitem: PartyPoker.com – {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} – C:\WINDOWS\system32\shdocvw.dll
O9 – Extra button: Real.com – {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} – C:\WINDOWS\system32\Shdocvw.dll
O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O15 – Trusted Zone: http://*.mcafee.com
O16 – DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} – http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 – Protocol: grooveLocalGWS – {88FED34C-F0CA-4636-A375-3CB6248B04CD} – C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 – Service: Automatic LiveUpdate Scheduler – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Symantec Lic NetConnect service (CLTNetCnService) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: COM Host (comHost) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 – Service: LiveUpdate – Symantec Corporation – C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 – Service: LiveUpdate Notice – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe
O23 – Service: PrismXL – New Boundary Technologies, Inc. – C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 – Service: Symantec Core LC – Unknown owner – C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 – Service: WMP54Gv4SVC – GEMTEKS – C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
—
End of file – 11137 bytes
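An added example, written for this page and not posted by anyone in the thread: a small Python script that does mechanically what the helper did by eye on the log above. It flags O2/O3 entries that point at a missing file (the orphans ComboFix later removed) and O4 Run entries whose executable name is one character away from a core Windows process name, or that use a real core process name from the wrong directory. The PROTECTED table and the sample lines are my own constructions modelled on the posted log; nothing here is part of HijackThis itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows process names that malware most often imitates, mapped to the
# directory suffix (lower-case) the real binary lives in. This table is my own
# list for the example, not something HijackThis ships.
PROTECTED = {
    "smss": r"\windows\system32",
    "csrss": r"\windows\system32",
    "winlogon": r"\windows\system32",
    "services": r"\windows\system32",
    "lsass": r"\windows\system32",
    "svchost": r"\windows\system32",
    "spoolsv": r"\windows\system32",
    "explorer": r"\windows",
}

# Constructed sample in HijackThis v2 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [svchosts] C:\WINDOWS\svchosts.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis separates fields with " - "; logs pasted into forums often carry an en dash instead.
O4_RE = re.compile(r"^O4 [-\u2013] (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
ORPHAN_RE = re.compile(r"^O[23] [-\u2013] .*\(no file\)$")


@dataclass
class Finding:
    kind: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 means one character added, dropped or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(cmd: str) -> str:
    """First token of a Run value: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def split_path(path: str) -> tuple[str, str]:
    """Return (directory, file stem), both lower-cased; directory is '' for bare names."""
    path = path.lower()
    directory, _, filename = path.rpartition("\\")
    return directory, filename.rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        if ORPHAN_RE.match(line):
            # Entry points at a file that no longer exists: leftover of a removed add-on.
            findings.append(Finding("orphan-entry", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        directory, stem = split_path(executable_path(m.group("cmd")))
        if stem in PROTECTED:
            # A core process name is only legitimate when run from its own directory.
            if not directory.endswith(PROTECTED[stem]):
                findings.append(Finding("core-process-name-outside-system-dir", line))
            continue
        for name in PROTECTED:
            if levenshtein(stem, name) == 1:
                findings.append(Finding(f"lookalike-of-{name}", line))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:40} {f.line}")
```

Run against the sample it reports the two "(no file)" orphans and the svchosts entry as a lookalike of svchost; the rest of the Run entries pass. The lookalike rule is deliberately loose (any single-character difference), so it is a review list, not a verdict.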
- Open HijackThis
- Choose “Do a system scan only”
- Check the boxes in front of these lines:
O4 – HKLM\..\Run: [svchosts] C:\WINDOWS\svchosts.exe
- Press “Fix Checked”
- Close Hijack This.
Delete this file in bold.
C:\WINDOWS\svchosts.exe
Make sure to only delete the one in Windows folder, do not delete it anywhere else.
OK, I did, but in C:\windows there are 2 svchosts files. Both are named exactly that, but neither is .exe or bolded, though they do have different icons. I right-clicked and went to Properties; one said it was an application, the second just said file.
Okay, not what I was expecting.
1. Download combofix from here
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts to install the recovery console.
3. It may want to reboot your machine after removing the files. Allow it to happen.
4. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix’s window whilst it’s running. That may cause it to stall.
While I was typing the last message, the Firefox icon on the taskbar disappeared but the actual window stayed open. After I was done with the message I clicked submit and it did it. I exited out of Firefox, but when I tried to turn it back on it said there was another Firefox already running, so either turn off the first one or restart your system. I turned the computer off, and when I turned it back on everything flipped again, so now I can click on the desktop but not on the computer, and I opened things by pressing CTRL-ALT-DEL. Also, I didn’t mention before, but every time I click on the desktop when the taskbar is working, or vice versa, the computer makes a sound.
No idea what that is, but something’s going on.
Can you get combofix to run? Don’t worry if you can’t, I have one or two more thoughts.
Why don’t you try to do this while in safe mode.
Ok I did the combofix thing, and first of all it worked! I can click on both the desktop and the taskbar. Also, while it was working I wrote down the things it deleted; I don’t know if it’s in the log report or not. It was: autorun.inf, svchosts.exe, and WMDSKNSD.XML
ComboFix 08-11-04.02 – Owner 2008-11-04 16:15:45.1 – NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.151 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\.#
c:\documents and settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\svchosts.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-04 15:35 . 2008-11-04 15:35<DIR>d——–c:\program files\Trend Micro
2008-11-02 09:34 . 2008-11-02 14:4923–a——c:\windows\BlendSettings.ini
2008-11-01 11:15 . 2008-11-01 11:150–a——c:\documents and settings\Owner\mspass.exe
2008-11-01 11:14 . 2008-11-01 11:1816,368–a——c:\documents and settings\Owner\PasswordFox.exe
2008-10-31 23:19 . 2008-11-04 16:1258,320–a——c:\windows\svchosts
2008-10-27 00:30 . 2008-10-27 00:30<DIR>d——–c:\program files\Atomic Alarm Clock
2008-10-27 00:19 . 2008-10-31 23:18<DIR>d——–c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2008-10-27 00:19 . 2008-10-27 00:19717,296–a——c:\windows\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 00:17———d—–wc:\program files\Common Files\Symantec Shared
2008-11-05 00:17———d—–wc:\documents and settings\Owner\Application Data\DMCache
2008-11-04 23:57———d—–wc:\documents and settings\All Users\Application Data\Babylon
2008-11-03 04:59———d–h–wc:\program files\InstallShield Installation Information
2008-11-02 03:29———d—–wc:\documents and settings\Owner\Application Data\MegauploadToolbar
2008-10-31 10:22———d—–wc:\documents and settings\Owner\Application Data\Babylon
2008-09-29 05:50———d—–wc:\documents and settings\Owner\Application Data\IDM
2008-09-26 05:31———d—–wc:\program files\Internet Download Manager
2008-09-25 14:26———d—–wc:\documents and settings\All Users\Application Data\Symantec
2008-09-25 14:01805—-a-wc:\windows\system32\drivers\SYMEVENT.INF
2008-09-25 14:0160,800—-a-wc:\windows\system32\S32EVNT1.DLL
2008-09-25 14:01123,952—-a-wc:\windows\system32\drivers\SYMEVENT.SYS
2008-09-25 14:0110,671—-a-wc:\windows\system32\drivers\SYMEVENT.CAT
2008-09-25 14:01———d—–wc:\program files\Symantec
2008-09-22 07:27———d—–wc:\program files\Sun
2008-09-22 07:26———d—–wc:\program files\Java
2008-09-22 06:04———d—–wc:\documents and settings\Owner\Application Data\Symantec
2008-09-22 06:03———d—–wc:\program files\Norton Internet Security
2008-09-22 06:02———d—–wc:\program files\Windows Sidebar
2008-09-22 05:56———d—–wc:\program files\McAfee.com
2008-09-22 05:56———d—–wc:\documents and settings\All Users\Application Data\McAfee
2008-09-22 05:53———d—–wc:\documents and settings\All Users\Application Data\SiteAdvisor
2008-09-15 11:571,846,016—-a-wc:\windows\system32\win32k.sys
2008-09-13 19:57———d—–wc:\program files\Folder Lock
2008-09-10 10:01———d—–wc:\program files\Microsoft Works
2008-09-10 06:17———d—–wc:\program files\myBabylon
2008-09-10 06:17———d—–wc:\program files\Conduit
2008-09-10 06:17———d—–wc:\program files\Babylon
2008-09-03 00:0061,440—-a-wc:\windows\xspeech.dll
2008-08-28 08:580—-a-wc:\documents and settings\Owner\Application Data\wklnhst.dat
2008-08-26 07:24826,368—-a-wc:\windows\system32\wininet.dll
2008-08-14 09:572,185,984—-a-wc:\windows\system32\ntoskrnl.exe
2008-08-14 09:182,062,976—-a-wc:\windows\system32\ntkrnlpa.exe
2008-08-09 04:23218,624—-a-wc:\windows\system32\uxtheme.dll
2008-08-09 04:23218,624—-a-wc:\windows\system32\uxtheme(3).dll
2008-08-09 03:1635,363—-a-wc:\windows\system32\windrvNT.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{34ea1c70-42cc-42c5-aa29-ec58b95a343e}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 13:541555480–a——c:\program files\myBabylon\tbmyBa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{34ea1c70-42cc-42c5-aa29-ec58b95a343e}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{34EA1C70-42CC-42C5-AA29-EC58B95A343E}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=”c:\windows\system32\ctfmon.exe” [2004-08-04 15360]
“SkinClock”=”c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe” [2008-09-11 1739264]
“IDMan”=”c:\program files\Internet Download Manager\IDMan.exe” [2008-07-15 931248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“RemoteControl”=”c:\program files\CyberLink\PowerDVD\PDVDServ.exe” [2005-01-12 32768]
“NvCplDaemon”=”c:\windows\system32\NvCpl.dll” [2005-09-18 7204864]
“NvMediaCenter”=”c:\windows\system32\NvMcTray.dll” [2005-09-18 86016]
“readericon”=”c:\program files\Digital Media Reader\readericon45G.exe” [2005-08-27 139264]
“Recguard”=”c:\windows\SMINST\RECGUARD.EXE” [2002-09-13 212992]
“Reminder”=”c:\windows\Creator\Remind_XP.exe” [2005-02-25 966656]
“GrooveMonitor”=”c:\program files\Microsoft Office\Office12\GrooveMonitor.exe” [2007-08-24 33648]
“TkBellExe”=”c:\program files\Common Files\Real\Update_OB\realsched.exe” [2008-08-08 185896]
“SunJavaUpdateSched”=”c:\program files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 144784]
“QuickTime Task”=”c:\program files\QuickTime\qttask.exe” [2008-08-03 98304]
“Babylon Client”=”c:\program files\Babylon\Babylon-Pro\Babylon.exe” [2008-02-14 3165920]
“ccApp”=”c:\program files\Common Files\Symantec Shared\ccApp.exe” [2008-01-25 51048]
“osCheck”=”c:\program files\Norton Internet Security\osCheck.exe” [2008-02-06 718704]
“SoundMan”=”SOUNDMAN.EXE” [2005-09-26 c:\windows\soundman.exe]
“nwiz”=”nwiz.exe” [2005-09-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“Power2GoExpress”=”NA” [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk – c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.clmp3enc”= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
“vidc.ffds”= ffdshow.ax
“msacm.ac3filter”= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
“DisableMonitoring”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
“DisableMonitoring”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
“DisableMonitoring”=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE”=
“c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE”=
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“c:\\Program Files\\Messenger\\msmsgs.exe”=
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
*Newly Created Service* – COMHOST
*Newly Created Service* – GTNDIS5
*Newly Created Service* – PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{860D6002-9BDB-9385-93ED-5C975205E235}]
c:\windows\svchosts.exe
.
Contents of the ‘Scheduled Tasks’ folder
2008-08-03 c:\windows\Tasks\ISP signup reminder 1.job
– c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 11:00]
2008-11-04 c:\windows\Tasks\Norton Internet Security – Run Full System Scan – Owner.job
– c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
– – – – ORPHANS REMOVED – – – –
BHO-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} – (no file)
Toolbar-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} – (no file)
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} – (no file)
HKLM-Run-svchosts – c:\windows\svchosts.exe
.
——- Supplementary Scan ——-
.
FireFox -: Profile – c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jgnr2314.default\
FireFox -: prefs.js – STARTUP.HOMEPAGE – hxxp://www.yahoo.com/
FF -: plugin – c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin – c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin – c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 16:17:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes … scanning hidden autostart entries …
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchosts = c:\windows\svchosts.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files … scan completed successfully
hidden files: **************************************************************************
.
Completion time: 2008-11-04 16:18:55
ComboFix-quarantined-files.txt 2008-11-05 00:18:51
Pre-Run: 118,161,330,176 bytes free
Post-Run: 118,304,333,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=”Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Microsoft Windows XP Home Edition” /noexecute=optin /fastdetect
173— E O F —2004-10-28 10:06:16
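An added example, not from the thread’s participants: the “Reg Loading Points” section above is printed in REGEDIT4 style, and besides the svchosts Run entry it lists Security Center values (AntiVirusDisableNotify, DisableMonitoring) and a standard-profile firewall policy with EnableFirewall set to 0. This Python script parses that format and picks out values known to weaken the built-in protection. The WEAKENING table and the sample text are my own constructions modelled on the log; note that some security suites set the Monitoring\<Vendor>\DisableMonitoring flag themselves and third-party firewalls turn the Windows one off, so hits are review items to confirm against the installed products, not proof of tampering.

```python
import re

# Constructed sample in the REGEDIT4 style ComboFix prints, modelled on the
# "Reg Loading Points" section of the log above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# (key fragment, value name, value that weakens protection), all lower-case.
# The fragment is matched as a substring of the full key path. My own table.
WEAKENING = [
    ("security center", "antivirusdisablenotify", 1),
    ("security center", "firewalldisablenotify", 1),
    ("security center", "updatesdisablenotify", 1),
    ("security center\\monitoring", "disablemonitoring", 1),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0),
]


def parse_regedit4(text):
    """Yield (key, name, data) for each value line under its [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data").strip()


def as_int(data):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else (strings, paths) -> None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", data)
    return int(m.group(1)) if m else None


def weakened_settings(text):
    """Return [(key, name, value)] for every value that matches an entry in WEAKENING."""
    hits = []
    for key, name, data in parse_regedit4(text):
        k, n, v = key.lower(), name.lower(), as_int(data)
        for frag, want_name, bad in WEAKENING:
            if frag in k and n == want_name and v == bad:
                hits.append((key, name, v))
                break
    return hits


if __name__ == "__main__":
    for key, name, value in weakened_settings(SAMPLE_REG):
        print(f"{name}={value}  under  {key}")
```

On the sample it reports AntiVirusDisableNotify, DisableMonitoring and EnableFirewall and ignores the ordinary Run value, which is exactly the set a reviewer would want to reconcile with what Norton Internet Security is expected to set on this machine.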
I have to alarm you that your log shows a backdoor bot. This allows hackers to remotely log your keystrokes, steal passwords and other personal info.
From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
===
Now open a new notepad file.
Input this into the notepad file:
File::
c:\documents and settings\Owner\PasswordFox.exe
c:\documents and settings\Owner\mspass.exe
Folder::
c:\windows\svchosts
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchosts"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{860D6002-9BDB-9385-93ED-5C975205E235}]
Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it’s done. Post the resulting log back here.
K thanks for warning and I will.
ComboFix 08-11-04.02 – Owner 2008-11-04 16:48:41.2 – NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\documents and settings\Owner\mspass.exe
c:\documents and settings\Owner\PasswordFox.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\mspass.exe
c:\documents and settings\Owner\PasswordFox.exe
c:\windows\svchosts\
.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-04 15:35 . 2008-11-04 15:35<DIR>d——–c:\program files\Trend Micro
2008-11-02 09:34 . 2008-11-02 14:4923–a——c:\windows\BlendSettings.ini
2008-10-31 23:19 . 2008-11-04 16:1258,320–a——c:\windows\svchosts
2008-10-27 00:30 . 2008-10-27 00:30<DIR>d——–c:\program files\Atomic Alarm Clock
2008-10-27 00:19 . 2008-10-31 23:18<DIR>d——–c:\documents and settings\Owner\Application Data\DAEMON Tools Pro
2008-10-27 00:19 . 2008-10-27 00:19717,296–a——c:\windows\system32\drivers\sptd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 00:50———d—–wc:\documents and settings\Owner\Application Data\DMCache
2008-11-05 00:17———d—–wc:\program files\Common Files\Symantec Shared
2008-11-04 23:57———d—–wc:\documents and settings\All Users\Application Data\Babylon
2008-11-03 04:59———d–h–wc:\program files\InstallShield Installation Information
2008-11-02 03:29———d—–wc:\documents and settings\Owner\Application Data\MegauploadToolbar
2008-10-31 10:22———d—–wc:\documents and settings\Owner\Application Data\Babylon
2008-09-29 05:50———d—–wc:\documents and settings\Owner\Application Data\IDM
2008-09-26 05:31———d—–wc:\program files\Internet Download Manager
2008-09-25 14:26———d—–wc:\documents and settings\All Users\Application Data\Symantec
2008-09-25 14:01805—-a-wc:\windows\system32\drivers\SYMEVENT.INF
2008-09-25 14:0160,800—-a-wc:\windows\system32\S32EVNT1.DLL
2008-09-25 14:01123,952—-a-wc:\windows\system32\drivers\SYMEVENT.SYS
2008-09-25 14:0110,671—-a-wc:\windows\system32\drivers\SYMEVENT.CAT
2008-09-25 14:01———d—–wc:\program files\Symantec
2008-09-22 07:27———d—–wc:\program files\Sun
2008-09-22 07:26———d—–wc:\program files\Java
2008-09-22 06:04———d—–wc:\documents and settings\Owner\Application Data\Symantec
2008-09-22 06:03———d—–wc:\program files\Norton Internet Security
2008-09-22 06:02———d—–wc:\program files\Windows Sidebar
2008-09-22 05:56———d—–wc:\program files\McAfee.com
2008-09-22 05:56———d—–wc:\documents and settings\All Users\Application Data\McAfee
2008-09-22 05:53———d—–wc:\documents and settings\All Users\Application Data\SiteAdvisor
2008-09-15 11:571,846,016—-a-wc:\windows\system32\win32k.sys
2008-09-13 19:57———d—–wc:\program files\Folder Lock
2008-09-10 10:01———d—–wc:\program files\Microsoft Works
2008-09-10 06:17———d—–wc:\program files\myBabylon
2008-09-10 06:17———d—–wc:\program files\Conduit
2008-09-10 06:17———d—–wc:\program files\Babylon
2008-09-03 00:0061,440—-a-wc:\windows\xspeech.dll
2008-08-28 08:580—-a-wc:\documents and settings\Owner\Application Data\wklnhst.dat
2008-08-26 07:24826,368—-a-wc:\windows\system32\wininet.dll
2008-08-14 09:572,185,984—-a-wc:\windows\system32\ntoskrnl.exe
2008-08-14 09:182,062,976—-a-wc:\windows\system32\ntkrnlpa.exe
2008-08-09 04:23218,624—-a-wc:\windows\system32\uxtheme.dll
2008-08-09 04:23218,624—-a-wc:\windows\system32\uxtheme(3).dll
2008-08-09 03:1635,363—-a-wc:\windows\system32\windrvNT.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{34ea1c70-42cc-42c5-aa29-ec58b95a343e}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 13:541555480–a——c:\program files\myBabylon\tbmyBa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
“{34ea1c70-42cc-42c5-aa29-ec58b95a343e}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
“{34EA1C70-42CC-42C5-AA29-EC58B95A343E}”= “c:\program files\myBabylon\tbmyBa.dll” [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=”c:\windows\system32\ctfmon.exe” [2004-08-04 15360]
“SkinClock”=”c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe” [2008-09-11 1739264]
“IDMan”=”c:\program files\Internet Download Manager\IDMan.exe” [2008-07-15 931248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“RemoteControl”=”c:\program files\CyberLink\PowerDVD\PDVDServ.exe” [2005-01-12 32768]
“NvCplDaemon”=”c:\windows\system32\NvCpl.dll” [2005-09-18 7204864]
“NvMediaCenter”=”c:\windows\system32\NvMcTray.dll” [2005-09-18 86016]
“readericon”=”c:\program files\Digital Media Reader\readericon45G.exe” [2005-08-27 139264]
“Recguard”=”c:\windows\SMINST\RECGUARD.EXE” [2002-09-13 212992]
“Reminder”=”c:\windows\Creator\Remind_XP.exe” [2005-02-25 966656]
“GrooveMonitor”=”c:\program files\Microsoft Office\Office12\GrooveMonitor.exe” [2007-08-24 33648]
“TkBellExe”=”c:\program files\Common Files\Real\Update_OB\realsched.exe” [2008-08-08 185896]
“SunJavaUpdateSched”=”c:\program files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 144784]
“QuickTime Task”=”c:\program files\QuickTime\qttask.exe” [2008-08-03 98304]
“Babylon Client”=”c:\program files\Babylon\Babylon-Pro\Babylon.exe” [2008-02-14 3165920]
“ccApp”=”c:\program files\Common Files\Symantec Shared\ccApp.exe” [2008-01-25 51048]
“osCheck”=”c:\program files\Norton Internet Security\osCheck.exe” [2008-02-06 718704]
“SoundMan”=”SOUNDMAN.EXE” [2005-09-26 c:\windows\soundman.exe]
“nwiz”=”nwiz.exe” [2005-09-18 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“Power2GoExpress”=”NA” [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk – c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“msacm.clmp3enc”= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
“vidc.ffds”= ffdshow.ax
“msacm.ac3filter”= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
“DisableMonitoring”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
“DisableMonitoring”=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
“DisableMonitoring”=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\\system32\\sessmgr.exe”=
“c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE”=
“c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE”=
“c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE”=
“%windir%\\Network Diagnostic\\xpnetdiag.exe”=
“c:\\Program Files\\Messenger\\msmsgs.exe”=
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
*Newly Created Service* – CATCHME
*Newly Created Service* – COMHOST
*Newly Created Service* – GTNDIS5
*Newly Created Service* – PROCEXP90
.
Contents of the ‘Scheduled Tasks’ folder
2008-08-03 c:\windows\Tasks\ISP signup reminder 1.job
– c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 11:00]
2008-11-04 c:\windows\Tasks\Norton Internet Security – Run Full System Scan – Owner.job
– c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 16:50:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes … scanning hidden autostart entries …
scanning hidden files … scan completed successfully
hidden files: **************************************************************************
.
Completion time: 2008-11-04 16:51:13
ComboFix-quarantined-files.txt 2008-11-05 00:51:10
ComboFix2.txt 2008-11-05 00:18:56
Pre-Run: 118,219,685,888 bytes free
Post-Run: 118,208,221,184 bytes free
152— E O F —2004-10-28 10:06:16
The folder came back. o.o
Delete it manually.
c:\windows\svchosts
Lemme know if it’s refusing to die.
All right, I did. So I should just check every once in a while if it pops back up?
thank you for everything man
EDIT: any idea how I got it, or where or how to avoid it.
It shouldn’t come back. But yeah, check again once or twice.
You’re welcome.