backdoored by x-copy9 link ON THIS SITE
Member (27. September 2006 @ 19:59)
hi
Logfile of HijackThis v1.99.1
Scan saved at 11:52:49 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.co...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/29e58afed3c0...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/dow...lscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654306906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1140654255531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housec...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\program files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

HijackThis log.... I didn't see anything unusual (some files missing), but I'm no expert.

BitDefender log:

BitDefender Online Scanner
Scan report generated at: Wed, Sep 27, 2006 - 17:54:05
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:40:59
Files: 209075
Folders: 3687
Boot Sectors: 4
Archives: 1065
Packed Files: 9197

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 456090
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Delete
Second Action: None
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Xcopy9 2.0.2.0(1).rar.bac_a02080=>(Quarantine-4)=>Setup.exe - Infected with: Backdoor.RBot.EOG
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Xcopy9 2.0.2.0(1).rar.bac_a02080=>(Quarantine-4)=>Setup.exe - Deleted
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Xcopy9 2.0.2.0(1).rar.bac_a02080=>(Quarantine-4) - Updated
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\Xcopy9 2.0.2.0(1).rar.bac_a02080 - Update failed
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\XCopy9 v2.0.2.0.rar.bac_a02080=>(Quarantine-4)=>Setup.exe - Infected with: Backdoor.RBot.EOG
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\XCopy9 v2.0.2.0.rar.bac_a02080=>(Quarantine-4)=>Setup.exe - Deleted
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\XCopy9 v2.0.2.0.rar.bac_a02080=>(Quarantine-4) - Updated
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\XCopy9 v2.0.2.0.rar.bac_a02080 - Update failed
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y1SNED0X\sp2-adtegrity-728[1].swf=>[SWF command] - Infected with: Trojan.SwfDL.A
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y1SNED0X\sp2-adtegrity-728[1].swf=>[SWF command] - Deleted
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y1SNED0X\sp2-adtegrity-728[1].swf - Update failed
Looks like any probs were quarantined by Trend Micro HouseCall.
PS: is KillBox infected or just showing up as a hijacker?


Member (27. September 2006 @ 20:03)
Ewido finds nothing but cookies. :-) As does Trend Micro.

Senior Member (27. September 2006 @ 20:26)
I see you have some adware/spyware running:

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

-Do you believe you own your computer and shouldn't be told what you can run and do? Then say *NO* to Microsoft Vista!
-Since half the questions here involve media problems, here ya go: Only use Verbatim or Taiyo-Yuden discs (get your TYs from Rima.com, not Supermediastore or meritline). Forget the rest, no matter what "brand" they sell under. Always burn at 4x speed regardless of the speed rating of this discs or your drive. If you have burn problems with these then you have to update your drive's firmware. For double-layer discs, only use Verbatim DVD+R DL and burn them at 2.4x speed.
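A small triage script, added here as an example and not written by anyone in the thread, that reads HijackThis log lines of the kind posted above and flags the entries the reply above points at: O16 ActiveX downloads from hosts outside an analyst-maintained list of scanner vendors (the list and the sample lines are constructed), controls with no registered name, and O23 services whose binary is missing.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99.1 line format shown in the thread (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Assumption: the analyst maintains this list of hosts whose online-scanner ActiveX
# controls are expected; these are the vendor hosts that appear in the thread's log.
KNOWN_SCANNER_HOSTS = {
    "download.bitdefender.com", "security.symantec.com", "update.microsoft.com",
    "download.ewido.net", "acs.pandasoftware.com", "www3.ca.com",
}

LINE_RE = re.compile(r"^([FOR]\d+) - (.*)$")   # section code (O16, O23, F2, ...) and body
URL_RE = re.compile(r"https?://\S+")
NAMED_RE = re.compile(r"\} \(.+\) - ")           # "{CLSID} (Control Name) - url"

def triage(log_text):
    """Return (section, reason, line) for every HijackThis line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section == "O16":
            # Downloaded Program Files: ActiveX controls fetched from the web.
            url = URL_RE.search(body)
            host = urlparse(url.group(0)).hostname if url else None
            if host not in KNOWN_SCANNER_HOSTS:
                reasons.append(f"ActiveX control from unrecognised host {host}")
            if not NAMED_RE.search(body):
                reasons.append("control has no registered name")
        elif section == "O23" and "(file missing)" in body:
            # A service whose binary is gone: either a leftover or a removed payload.
            reasons.append("service registered but its binary is missing")
        if reasons:
            findings.append((section, "; ".join(reasons), line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The host list is a starting point, not an allowlist of safe software; every flagged entry still needs the analyst to look at the file and the installer it came with.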
Member (27. September 2006 @ 20:35)
Whaaassup DUNKER! Didn't notice that. I was focused on the O2's and O3's. What do you think I should do w/ that path, if anything?
But yeah, just running some online malware progs.

Member (27. September 2006 @ 20:53)
After a trojan or virus is deleted.... what does "Update failed" mean?
Still seems the virus/trojan is gone! Am I right?

Senior Member (27. September 2006 @ 21:58)
Hope everything's back to normal. Looks like you got all the trojans but keep an eye on your system because once a system is compromised, it's never totally trustworthy. Maybe I'm missing something but I don't see killbox.exe running, but it's a legit program that terminates locked processes (like trojans often do to protect themselves). I don't know what "update failed" means and BD doesn't even say on their site. Just let HijackThis! delete the dm.screensavers.com item, but be sure to uninstall any screensavers you got from them.

I also meant to say that, unless you subscribe to Rhapsody, delete anything by Real (as in RealNetworks, RealPlayer, RealJukebox). These guys are the founders of spyware, and their products are still just that. Uninstalling any Real products via Add/Remove Programs and then deleting the O16 key will take care of it.

Good luck!

Member (28. September 2006 @ 16:05)
Thanks 4 the heads-up. I'll get it handled. "Real-anything" is also right behind it.
The KillBox msg. must have been from a diff scan; I've noticed some progs don't like it, while others ignore it.
I doubt it's a problem.
