| Author |
Message |
dpbklyn
Cadet

 Joined: Jun 08, 2007 Posts: 9 Location: USA
|
Posted: Wed Jul 02, 2008 12:06 pm Post subject: Locksky.ER Please help |
Hello all, I solved the Virtumonde problem with the help of your protocols, but Locksky is being very stubborn! Please take a look at these logs, and thank you (again) for your help!
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:49 AM, on 6/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {20041BE0-471E-4070-8D8D-B10B1C9B63AD} - C:\WINDOWS\system32\opnomJaY.dll (file missing)
O2 - BHO: {145e9cb3-d978-a9ba-7184-86500ac212e4} - {4e212ca0-0568-4817-ab9a-879d3bc9e541} - C:\WINDOWS\system32\fplkec.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [phhlhpht] rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\pdphhhlhhd.dll" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [dltptdtp] rundll32.exe "C:\WINDOWS\system32\tlhdhththdp.sys" WLEntryPoint
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214784105489
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\Software\..\Telephony: DomainName = 2kg.take2games.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O20 - Winlogon Notify: elofqh - C:\WINDOWS\SYSTEM32\elofqh.dll
O20 - Winlogon Notify: vtUlJcYR - vtUlJcYR.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: __c00AB724 - C:\WINDOWS\system32\__c00AB724.dat (file missing)
O20 - Winlogon Notify: __c00AF0BD - C:\WINDOWS\
O20 - Winlogon Notify: __c00B4B04 - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Indexing Service cisvcTapiSrv (cisvcTapiSrv) - Unknown owner - C:\WINDOWS\system32\3076q.exe (file missing)
O23 - Service: Indexing Service cisvcTapiSrv cisvcTapiSrvNla (cisvcTapiSrvNla) - Unknown owner - C:\WINDOWS\system32\3076n.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorlanmanserver (RpcLocatorlanmanserver) - Unknown owner - C:\WINDOWS\system32\1028o.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Print Spooler Spooler HotKey Poller (Spooler HotKey Poller) - Unknown owner - C:\WINDOWS\system32\1025j.exe (file missing)
--
End of file - 4793 bytes
|
dp
Prince_Serendip
Site Moderator
 Joined: Sep 07, 2002 Posts: 17111