DDS and Gmer logs from apparently infected Win2k machine

#1 Gullible Jones

New Member

Group: Members
Posts: 3
Joined: 10-July 11
Gender:Male

Posted 10 July 2011 - 10:35 AM

Continued from this thread: http://www.bleepingcomputer.com/forums/topic408745.html

DDS log

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 5.00.3700.1000

Run by Administrator at 11:14:51 on 2011-07-10

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.367.250 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\VTTimer.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\SoftPerfect Personal Firewall\fw.exe

C:\PROGRA~1\VIRTUA~1\CitiVAN.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\WINNT\system32\OBroker.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mDefault_Page_URL = hxxp://www.msn.com

uURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx

BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - c:\program files\virtual account numbers\CitiVANHelper.dll

BHO: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll

TB: Virtual Account Numbers: {7a21a046-b886-4a62-9d69-ef2059b0a27b} - c:\program files\virtual account numbers\CitiVANToolbar.dll

TB: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

mRun: [Synchronization Manager] mobsync.exe /logon

mRun: [VTTimer] VTTimer.exe

mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

mRun: [SoftPerfect Personal Firewall] "c:\program files\softperfect personal firewall\fw.exe"

mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

uPolicies-explorer: NoSMMyPictures = 0 (0x0)

uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)

uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)

mPolicies-explorer: NoSMMyPictures = 0 (0x0)

mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)

mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{956228B2-CC9A-452D-BB88-17409918D136} : DhcpNameServer = 192.168.0.1

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\kagesza9.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\kagesza9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\program files\virtual account numbers\components\SlimOrbAddonCitiVAN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

.

============= SERVICES / DRIVERS ===============

.

R0 tffsport;M-Systems DiskOnChip 2000;c:\winnt\system32\drivers\tffsport.sys [2010-7-30 72784]

R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]

R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2010-7-21 49776]

S2 Nmpdrv_N;PogoProducts Nmpdrv_N USB Controller Service;c:\winnt\system32\drivers\Nmpdrv_N.sys [2010-8-16 10554]

S3 03037309;03037309;c:\winnt\system32\drivers\31865425.sys [2011-7-9 94512]

S3 68840207;68840207;c:\winnt\system32\drivers\43092449.sys [2011-7-10 94512]

S3 96853250;96853250;c:\winnt\system32\drivers\37133393.sys [2011-7-10 94512]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\winnt\system32\drivers\hitmanpro35.sys [2011-5-8 14792]

S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2010-7-21 9038]

.

=============== Created Last 30 ================

.

2011-07-10 05:21:42 94512 ----a-w- c:\winnt\system32\drivers\43092449.sys

2011-07-10 05:19:54 94512 ----a-w- c:\winnt\system32\drivers\37133393.sys

2011-07-10 05:19:10 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-07-10 05:19:05 39984 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2011-07-10 05:19:02 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-10 05:18:59 21048 ----a-w- c:\winnt\system32\drivers\mbam.sys

2011-07-10 05:18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-10 02:32:16 94512 ----a-w- c:\winnt\system32\drivers\31865425.sys

2011-07-08 01:26:08 210944 ------w- c:\winnt\system32\Msvcrt10.dll

2011-07-08 01:26:06 65536 ------w- c:\winnt\system32\adistres.dll

2011-07-08 01:26:06 20584 ------w- c:\winnt\system32\PdfPorts.dll

2011-07-08 01:25:59 225280 ------w- c:\program files\internet explorer\plugins\NPDocBox.dll

2011-07-08 01:25:57 103312 ------w- c:\program files\internet explorer\plugins\nppdf32.dll

2011-07-08 01:25:57 101200 ------w- c:\winnt\system32\pdfshell.dll

2011-07-08 01:25:42 -------- d-----w- c:\winnt\system32\Adobe

2011-06-30 00:49:13 -------- d-s---w- c:\winnt\Cookies

2011-06-29 12:40:39 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-06-29 12:40:39 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

.

==================== Find3M ====================

.

2011-07-10 02:13:41 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2011-05-10 02:45:11 348160 ----a-w- c:\winnt\system32\msvcr71.dll

2011-05-10 02:45:11 1060864 ----a-w- c:\winnt\system32\mfc71.dll

2011-05-09 01:58:12 134464 ----a-w- c:\winnt\system32\LnkProtect.dll

.

============= FINISH: 11:15:11.12 ===============

Attached File(s)

attach.txt (2.15K)
Number of downloads: 1
Ark.txt (694bytes)
Number of downloads: 2

#2 HelpBot

Bleepin' Binary Bot

Group: Bots
Posts: 5,607
Joined: 05-October 07
Gender:Male

Posted 29 July 2011 - 05:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/408754 and follow the instructions there. If you do not still need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
- Please do this even if you have previously posted logs for us.
- If you were unable to produce the logs originally please try once more.
- If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
- If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

Bleepin' Binary Bot

Group: Bots
Posts: 5,607
Joined: 05-October 07
Gender:Male

Posted 03 August 2011 - 05:50 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!