1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

win32.trojanspy.goldun

Discussion in 'Virus & Other Malware Removal' started by Pullstart, Mar 17, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Pullstart

    Pullstart Thread Starter

    Joined:
    Jan 30, 2004
    Messages:
    124
    hello [email protected] tsg, I'm posting for a friend
    Logfile of HijackThis v1.99.1
    Scan saved at 7:34:03 PM, on 17/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Bob\Desktop\maint. files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/sear...7AYSF7KodyqtbCI8nOPgQV2NkzWbaRhf++YGVlqinQnTY
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "D:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    StartupList report, 17/03/2007, 7:37:12 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Bob\Desktop\maint. files\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Bob\Desktop\maint. files\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Bob\Start Menu\Programs\Startup]
    Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    High Definition Audio Property Page Shortcut = HDAShCut.exe
    SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
    SoundMAX = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
    Logitech Utility = Logi_MwX.Exe
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    ElbyCheckElbyCDFL = "D:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    (Default) =
    Norton Ghost 9.0 = C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    EPSON Stylus Photo R340 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    Freedom = C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Steam = "C:\Program Files\Steam\Steam.exe" -silent

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\sspipes.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    Pop-Up Blocker BHO - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
    (no name) - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    Form Filler BHO - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}
    (no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll - {849CC480-5983-4D30-A12C-774E8E8D8291}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
    CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

    [UnoCtrl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
    CODEBASE = http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab

    [MSN Games - Installer]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MineSweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 6,821 bytes
    Report generated in 0.031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    thanks in advance,disregard computer spec signature
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Please do this:

    Download haxfix.exe
    and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"

    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix

    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
    • Copy the contents of that logfile and paste it into this thread.
     
  3. Pullstart

    Pullstart Thread Starter

    Joined:
    Jan 30, 2004
    Messages:
    124
    HAXFIX logfile - by Marckie

    version 4.38
    18/03/2007 13:09:00.07

    --- Checking for Haxdoor ---

    checking for a3d files
    a3d files found
    ps.a3d

    checking for matching notify keys
    matching notify keys found
    sepp

    checking for matching services
    matching services found
    ASPI32
    seppgs
    seppgm

    checking for matching safeboot services
    matching safeboot services found
    seppgs.sys
    seppgm.sys

    checking for other Haxdoor-files
    no other Haxdoor-files found


    --- Checking for Goldun ---


    checking for SSODL keys
    no ssodl keys found

    checking for notify keys
    no notify keys found

    checking for services
    no services found

    checking for other Goldun-files
    no other Goldun-files found

    checking iexplore.exe
    iexplore.exe is not infected


    Finished!
    disregard computer spec signature
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Run Haxfix again....

    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix

    • Select option 2 Run Auto Fix by typing 2 and then pressing Enter
    • Haxfix will start scanning the computer.
      If an infection is found, you'll get a message to close all other open windows.
      · Close all open windows except the red dos window from haxfix and then press Enter
      · The computer will reboot
      · After reboot a logfile will open > (c:\haxfix.txt)
      Post the contents of that logfile

     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/552545

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice