| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 84970 | 2007-11-25 05:12:00 | laptop having issues | Cho (12330) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 614955 | 2007-11-25 05:12:00 | i have a hjts log here Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:49:15 p.m., on 25/11/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\FreezeScreenSaver.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\UltraVNC\WinVNC.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\svcswin.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\uTorrent\uTorrent.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BPK\bpk.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Microsoft Device Manager] C:\WINDOWS\svcswin.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe O4 - HKCU\..\Run: [bpk] C:\Program Files\BPK\bpk.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe -- End of file - 8401 bytes dont know if anything there is needing removed. althogh the only thing that probably needs removed is the bpk entry. any guidance is welcome. trying to figure out what is uploading a lot of data. and dropping all packets no related to the trojan / virus |
Cho (12330) | ||
| 614956 | 2007-11-25 05:26:00 | You've got adware. Looks like bpk.exe belongs to a keylogger. Hopefully, you havent been to anything like bank sites. DON'T go to any bank sites, until you fix this You've also got a trojan. Run HJT again, tick these entries then tick fix checked Close browser/s C:\WINDOWS\system32\FreezeScreenSaver.exe <- delete this file in safe mode C:\WINDOWS\svcswin.exe <- delete this in safe mode. C:\Program Files\BPK\bpk.exe <- See if Perfect Keylogger appears in add/remove programs. If it does uninstall it. Then delete bpk.exe in safe mode. O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Safe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" Nasty O4 - HKLM\..\Run: [Microsoft Device Manager] C:\WINDOWS\svcswin.exe If you dont use Nero Home, tick this O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" Nasty O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe O4 - HKCU\..\Run: [bpk] C:\Program Files\BPK\bpk.exe Safe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) 23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe Is trojan remover up to date?? Did you do a scan? Run it now, and do another scan, then select all options under the utilities menu. And get rid of Utorrent. Thats most probably how you got these files in the first place. And get The Vundo removal tool (www.symantec.com) And this (www.symantec.com) Download both run both. See what they pick up |
Speedy Gonzales (78) | ||
| 614957 | 2007-11-25 05:48:00 | Trojan remover should remove the entries belonging to that bpk.exe If it doesnt, taken from the Symantec site Its called spyware.perfect, which is spyware and also a keystroke recorder 1. Click Start, and then click Run. (The Run dialog box appears.) 2. Type regedit Then click OK. (The Registry Editor opens.) 3. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run 4. In the right page, delete the following entry: "bpk" = "[instalation folder]\bpk.exe" (ticking this in the HJT should remov e the entry 5. Navigate to the subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Uninstall\Perfect Keylogger 6. In the right page, delete the following entries: "DisplayName" = "BlazingTools Perfect Keylogger" "UninstallString: "[instalation folder]\bpkun.exe" 7. Navigate to the following subkeys and delete them: HKEY_CLASSES_ROOT\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A} HKEY_CLASSES_ROOT\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A} HKEY_CLASSES_ROOT\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A} HKEY_CLASSES_ROOT\SS.SS HKEY_CLASSES_ROOT\SS.SS.1 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\XP Password Logger 1.0 HKEY_LOCAL_MACHINE\SOFTWARE\BPK HKEY_LOCAL_MACHINE\SOFTWARE\BT\XP Password Logger HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\kbfiltr 8. Exit the Registry Editor. FreezeScreenSaver.exe is adware |
Speedy Gonzales (78) | ||
| 614958 | 2007-11-26 01:35:00 | ah cool will follow that. i did notice utorrent transfering data when it was just sitting idle. is it utorrent itself or a bug thats exploitable in it. not that we download anymore anyway, 5gb cap sucks. :D | Cho (12330) | ||
| 614959 | 2007-11-26 01:50:00 | I would say its something someone downloaded using Utorrent I take it, you were scanning files (for viruses etc), or whatever you downloaded BEFORE running / using them with Avast?? And had the P2P shield option in Avast enabled? It doesnt matter WHAT P2P program you use for torrents. You've got a 99.9% chance of getting infected. |
Speedy Gonzales (78) | ||
| 614960 | 2007-11-26 02:09:00 | BPK is definitely a keylogger. Get rid of it ASAP!!!!! I had bpk.exe on my system some years ago, only found out it was there when my firewall asked if it could connect to the internet I tracked it down and found it would have tried to have uploaded several hundred megabytes of screenshots and keylogs to *somewhere* Would have loved to have sent them a 50 megaton nuke instead but unfortunately the internet doesn't work that way... |
Agent_24 (57) | ||
| 614961 | 2007-11-26 02:09:00 | for some reason my bro uninstalled avast sometime ago as it was iterfeering with one of his progs. i can only assume that he installed the key logger himslef. so he knows what people are doing on his laptop. but meh, paranoid over anything security wise. seem to have removed everything now just running the symantec programs now. just have to wait till they are finished. Thanks for the help. only noticed something was amis as it was using all the upload bandwidth, and could not use the net. since removing the nastyness, there is not data transfer happening when doing nothing now. much appreciated. One reason why i was using linux on my desktop. stuff cant run without my say so. Thanks again :D |
Cho (12330) | ||
| 1 | |||||