
I Think I Have A Rogue


  • This topic is locked
11 replies to this topic

#1 andrews1469


Posted 23 August 2007 - 07:20 PM

For about 4 days now I have been having weird popups that won't go away. After a while the problem escalated. The problem is when I log into my computer my icons and task bar don't show up. Even after booting up in safe mode, I still have the problem. I was able to open IE through a help button in the task manager. I got RogueRemover and it didn't help. So here I am.

Attached Files


Edited by andrews1469, 23 August 2007 - 07:31 PM.




#2 rookie147


Posted 24 August 2007 - 09:53 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today. Please don't post your log twice, it won't get you help any faster.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply, along with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 andrews1469

  • Topic Starter

Posted 26 August 2007 - 02:52 PM

Here's the ComboFix log, and the new HijackThis log is attached.

ComboFix 07-08-25.2 - "Owner" 2007-08-26 15:38:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.811 [GMT -4:00]


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 15:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 20:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 20:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-23 20:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 20:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 19:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-23 18:29 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-23 18:24 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-23 18:06 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-23 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-23 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-08-23 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-23 18:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-21 11:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\X10 Commander
2007-08-20 18:11 1,176,643 --a------ C:\WINDOWS\system32\dn703e91b4.dat
2007-08-19 16:32 <DIR> d-------- C:\Program Files\iTunes
2007-08-19 16:32 <DIR> d-------- C:\Program Files\iPod
2007-08-19 08:55 42 --a------ C:\WINDOWS\system32\n3pm.dll
2007-08-19 00:40 83,968 --a------ C:\WINDOWS\UnGins.exe
2007-08-18 11:28 <DIR> d-------- C:\Program Files\MP3 Normalizer
2007-08-18 10:20 <DIR> d-------- C:\Program Files\AutoUnpack
2007-08-18 10:14 <DIR> d-------- C:\Program Files\uTorrent
2007-08-18 10:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-08-18 09:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SlySoft
2007-08-18 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SlySoft
2007-08-18 09:36 <DIR> d-------- C:\Program Files\SlySoft
2007-08-17 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Elaborate Bytes
2007-08-17 23:35 <DIR> d-------- C:\Program Files\Elaborate Bytes
2007-08-17 23:29 <DIR> d-------- C:\DOOM
2007-08-17 18:43 <DIR> d-------- C:\Program Files\HOTLLAMA MEDIA
2007-08-17 18:42 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-08-17 18:07 <DIR> d-------- C:\Crank
2007-08-15 21:08 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-14 17:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Walgreens
2007-08-10 15:56 93,128 --------- C:\WINDOWS\system32\ElbyCDIO.dll
2007-08-07 20:33 <DIR> d-------- C:\Program Files\Connective Tools
2007-08-07 20:09 231,936 --a------ C:\WINDOWS\epsuninst.exe
2007-08-07 19:45 <DIR> d-------- C:\Program Files\SKTools
2007-08-07 15:48 25,160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-04 06:59 96,704 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-08-01 17:05 <DIR> d-------- C:\Program Files\ESTsoft
2007-08-01 17:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ESTsoft
2007-08-01 16:33 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-08-01 16:21 <DIR> d-------- C:\Program Files\Datahjaelp
2007-08-01 15:41 <DIR> d-------- C:\Program Files\FDRLab
2007-08-01 00:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-07-31 19:32 80 -r-hs---- C:\WINDOWS\system32\C64A909BC1.dll
2007-07-31 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-07-31 11:24 <DIR> d-------- C:\Program Files\QuickTime
2007-07-31 10:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-31 10:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-31 10:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-31 01:22 <DIR> d-------- C:\Program Files\ElcomSoft
2007-07-31 01:20 <DIR> d-------- C:\Program Files\Passware
2007-07-30 01:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\.BitTornado
2007-07-26 19:06 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 19:06 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 144,704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 19:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 19:03 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 19:03 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 19:03 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 19:03 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 19:03 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 19:03 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 19:03 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 19:03 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 19:03 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 19:03 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 19:03 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-26 19:03 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 19:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 16:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-08-23 21:52 --------- d-------- C:\Program Files\McAfee
2007-08-23 18:29 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-19 16:31 --------- d-------- C:\Program Files\Apple Software Update
2007-08-19 01:30 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-08-19 01:30 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-08-18 10:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-18 10:12 --------- d-------- C:\Program Files\MUSICMATCH
2007-08-18 10:11 --------- d-------- C:\Program Files\DivX
2007-08-14 08:48 --------- d-------- C:\Program Files\Pure Networks
2007-08-12 21:54 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 01:41 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\.BitTornado
2007-07-30 01:41 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\.BitTornado
2007-07-01 00:15 --------- d-------- C:\Program Files\LimeWire
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-16 23:30 223 --a------ C:\Program Files\tempwp.log
2007-06-16 23:23 179 --a------ C:\Program Files\INSTALL.LOG
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 07:01]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 22:44]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 04:44 C:\WINDOWS\RTHDCPL.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1166933793\EE\AOLHostManager.exe" [2004-11-03 17:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 21:42]
"CMCService"="C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" [2006-06-29 17:39]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-01-17 15:24]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 15:46 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-10 18:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 15:56]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE" [2006-04-05 23:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-08-18 09:56]
"RogueMonitor"="C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe" [2007-07-16 23:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 XUIF;X10 USB Wireless Transceiver;C:\WINDOWS\system32\Drivers\x10ufx2.sys


Contents of the 'Scheduled Tasks' folder
2007-08-25 03:10:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-12-24 18:55:53 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\system32\OOBE\oobebaln.exe
2007-07-15 05:16:10 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-01 05:00:23 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 15:40:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 15:41:36
C:\ComboFix-quarantined-files.txt ... 2007-08-26 15:41

--- E O F ---

Attached Files



#4 rookie147


Posted 26 August 2007 - 03:35 PM

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Paste the following bold part into the Suspicious File Packer window:
C:\WINDOWS\system32\n3pm.dll
C:\WINDOWS\system32\C64A909BC1.dll

Allow SFP to pack the file. This will generate a CAB archive on your Desktop.

Reboot back into Normal Mode again.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Please let me know when you have submitted the files.
Thanks,
Charles


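Charles picked two files out of that ComboFix listing by eye: a 42-byte DLL and an 80-byte hidden/system DLL with a hex-string name, both in system32. As an added example (not part of the thread, and not a ComboFix tool), here is a small Python triage script that parses "Files Created" lines using the layout inferred from the log above and applies the same three heuristics; the sample lines are copied from post #3, and a flag means "worth submitting for analysis", not "malware", exactly as this thread showed when the submitted files came back clean.

```python
# Added example for this thread, not a tool from the page or ComboFix.
# Line layout inferred from the log in post #3:
#   YYYY-MM-DD HH:MM  <size or <DIR>>  <9 attribute flags>  <path>
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
SYSTEM32 = "c:\\windows\\system32\\"

@dataclass
class Entry:
    when: str
    size: Optional[int]  # None for directories
    attrs: str  # e.g. '-r-hs----'; only the 'h' and 's' letters are interpreted
    path: str

def parse(text: str) -> List[Entry]:
    """Keep only well-formed file lines; section banners and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            n = None if size == "<DIR>" else int(size.replace(",", ""))
            entries.append(Entry(when, n, attrs, path))
    return entries

def suspicious(e: Entry) -> List[str]:
    """Heuristics mirroring what the helper pulled out of this log by hand."""
    reasons = []
    if e.size is None or not e.path.lower().startswith(SYSTEM32):
        return reasons
    name = e.path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0].lower()
    if name.lower().endswith(".dll") and e.size < 1024:
        reasons.append("tiny DLL")  # 42 or 80 bytes cannot hold a PE image
    if "h" in e.attrs and "s" in e.attrs:
        reasons.append("hidden+system")  # unusual for a vendor DLL
    # five or more alternating letter/digit runs reads as a generated name
    if len(re.findall(r"[a-z]+|\d+", stem)) >= 5:
        reasons.append("random-looking name")
    return reasons

def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, in log order."""
    return {e.path: r for e in parse(text) if (r := suspicious(e))}

# Lines copied from the log in post #3 (a subset).
SAMPLE_LOG = r"""
2007-08-23 20:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-20 18:11 1,176,643 --a------ C:\WINDOWS\system32\dn703e91b4.dat
2007-08-19 08:55 42 --a------ C:\WINDOWS\system32\n3pm.dll
2007-07-31 19:32 80 -r-hs---- C:\WINDOWS\system32\C64A909BC1.dll
2007-07-26 19:03 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
"""
```

Running `triage(SAMPLE_LOG)` flags the two DLLs Charles asked for plus the .dat file on name alone, while the DivX codec DLL passes untouched.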

#5 andrews1469

  • Topic Starter

Posted 26 August 2007 - 08:16 PM

OK, I submitted the SFP CAB File you requested.

#6 andrews1469

  • Topic Starter

Posted 28 August 2007 - 09:37 AM

Also, I ran super anti spyware and it seemed to fix the problem for the most part. I know I'm probably not fully cleaned out...

#7 rookie147


Posted 29 August 2007 - 10:50 AM

Sorry about the delay in getting back to you, but my internet wasn't working properly. The files you uploaded look to be okay to me, but I would like you to run one more scanner before we pronounce you "clean".

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Thanks,
Charles



#8 andrews1469

  • Topic Starter

Posted 29 August 2007 - 07:43 PM

OK, here's the report...

Attached Files



#9 rookie147


Posted 30 August 2007 - 11:40 AM

You can now delete C:\QooBox ... it is only a backup folder and contains some infected files.
How do things seem to be running now?



#10 andrews1469

  • Topic Starter

Posted 30 August 2007 - 10:40 PM

Everything is running great... Thanks for all your help.

#11 rookie147


Posted 31 August 2007 - 04:19 AM

Great job! :thumbsup:
Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles



#12 rookie147


Posted 09 September 2007 - 11:42 AM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.





