
Please Help, I've Tried Everything... Some Vmm Ware?



#1 logikz

logikz

  • Members
  • 65 posts

Posted 03 October 2007 - 07:41 AM

OK, here is my HijackThis log and ComboFix scans. Trouble is, every time I reinstall Windows, even after a fresh format, my pagefile never leaves, and I am stuck with these strange Windows services, not to mention a whole ton of open ports. Please help me clean the baddies.

Active Connections

Proto Local Address Foreign Address State
TCP fri:epmap fri:0 LISTENING
TCP fri:microsoft-ds fri:0 LISTENING
TCP fri:2869 fri:0 LISTENING
TCP fri:3729 mpa.one.microsoft.com:3730 ESTABLISHED
TCP fri:3730 mpa.one.microsoft.com:3729 ESTABLISHED
TCP fri:3731 mpa.one.microsoft.com:3732 ESTABLISHED
TCP fri:3732 mpa.one.microsoft.com:3731 ESTABLISHED
TCP fri:netbios-ssn fri:0 LISTENING
TCP fri:3773 209.211.201.96:http TIME_WAIT
TCP fri:3802 209.211.201.83:http TIME_WAIT
TCP fri:3803 209.211.201.83:http TIME_WAIT
TCP fri:3847 www.bleepingcomputer.com:http TIME_WAIT
TCP fri:3848 www.bleepingcomputer.com:http TIME_WAIT
UDP fri:microsoft-ds *:*
UDP fri:isakmp *:*
UDP fri:1040 *:*
UDP fri:1737 *:*
UDP fri:1903 *:*
UDP fri:1904 *:*
UDP fri:3160 *:*
UDP fri:3161 *:*
UDP fri:3163 *:*
UDP fri:4500 *:*
UDP fri:1900 *:*
UDP fri:netbios-ns *:*
UDP fri:netbios-dgm *:*
UDP fri:1900 *:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:39 AM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Hijadf\sijases.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (filesize 501136 bytes, MD5 D787E3123FAD2BD58AB45B9A5C360ACD)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE (filesize 577536 bytes, MD5 ED8DA2697F1C720EF26AE4B291A04497)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (filesize 33280 bytes, MD5 DA285490BBD8A1D0CE6623577D5BA1FF)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe (filesize 20992 bytes, MD5 C921A733FA3F1E4C3505D436DBC5EA47)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" (filesize 132496 bytes, MD5 D4F0F7437327DBAA264338BAAFB5E5AF)
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (filesize 1258744 bytes, MD5 4816244C7486BF1D747A5B30023B67E5)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (filesize 81920 bytes, MD5 931C59D23F8F0441DB73285F122D6704)
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (filesize 501136 bytes, MD5 D787E3123FAD2BD58AB45B9A5C360ACD)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (filesize 501136 bytes, MD5 D787E3123FAD2BD58AB45B9A5C360ACD)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 557568 bytes, MD5 CEBED017C4965FC4407CCD986AE0A528)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 557568 bytes, MD5 CEBED017C4965FC4407CCD986AE0A528)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (filesize 1498032 bytes, MD5 F5C2F0308D0AA91457059EC7227A06F7)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (filesize 1498032 bytes, MD5 F5C2F0308D0AA91457059EC7227A06F7)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191397250021
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1191397237052
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeC:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5512 bytes

#2 logikz

logikz
  • Topic Starter

  • Members
  • 65 posts

Posted 03 October 2007 - 08:56 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 03, 2007 8:54:06 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 3/10/2007
Kaspersky Anti-Virus database records: 426738
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 17532
Number of viruses found: 3
Number of infected objects: 20
Number of suspicious objects: 4
Duration of the scan process: 00:23:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\cert8.db Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\history.dat Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\key3.db Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\parent.lock Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\search.sqlite Object is locked skipped
C:\Documents and Settings\fry\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\fry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzvdfuux.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\fry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\fry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\fry\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\fry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.ldb Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\JET6BC5.tmp Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_5e4.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Compressed\NetTools.exe/file015/file2/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Compressed\NetTools.exe/file015/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Compressed\NetTools.exe/file015 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Compressed\NetTools.exe Inno: infected - 3 skipped
D:\Compressed\SolarWinds-Cirrus-V3-Enterprise-Eval.zip/SolarWinds-Cirrus-V3.5-Eval.msi/Data1.cab/tftp_server.exe Suspicious: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
D:\Compressed\SolarWinds-Cirrus-V3-Enterprise-Eval.zip/SolarWinds-Cirrus-V3.5-Eval.msi/Data1.cab Suspicious: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
D:\Compressed\SolarWinds-Cirrus-V3-Enterprise-Eval.zip/SolarWinds-Cirrus-V3.5-Eval.msi Suspicious: not-a-virus:Server-FTP.Win32.Tftp.500 skipped
D:\Compressed\SolarWinds-Cirrus-V3-Enterprise-Eval.zip ZIP: suspicious - 3 skipped
D:\downloads\Nero 8 Ultra Edition\Nero 8 Ultra Edition.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\downloads\Nero 8 Ultra Edition\Nero 8 Ultra Edition.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\downloads\Nero 8 Ultra Edition\Nero 8 Ultra Edition.iso/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\downloads\Nero 8 Ultra Edition\Nero 8 Ultra Edition.iso ISO image: infected - 3 skipped
D:\Programs\Programs\My Music\Programs\NetTools.exe/file015/file2/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\My Music\Programs\NetTools.exe/file015/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\My Music\Programs\NetTools.exe/file015 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\My Music\Programs\NetTools.exe Inno: infected - 3 skipped
D:\Programs\Programs\NetTools.exe/file015/file2/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\NetTools.exe/file015/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\NetTools.exe/file015 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\Programs\NetTools.exe Inno: infected - 3 skipped
D:\Programs\ZoneLabs.ZoneAlarm.Internet.Security.Suite.v7.0.302.Incl.Keymaker\NetTools.exe/file015/file2/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\ZoneLabs.ZoneAlarm.Internet.Security.Suite.v7.0.302.Incl.Keymaker\NetTools.exe/file015/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\ZoneLabs.ZoneAlarm.Internet.Security.Suite.v7.0.302.Incl.Keymaker\NetTools.exe/file015 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
D:\Programs\ZoneLabs.ZoneAlarm.Internet.Security.Suite.v7.0.302.Incl.Keymaker\NetTools.exe Inno: infected - 3 skipped

Scan process completed.

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 October 2007 - 03:48 PM

Hi logikz, :blink:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

P.S. Please don't attach logs but use the Add Reply button.
