Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Pop Ups Trojans Slow Computer Please Help


  • Please log in to reply
1 reply to this topic

#1 shaun77

shaun77

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:47 PM

Posted 22 January 2008 - 03:05 PM

hi i seem to have alot of problems with my computer. I have tried everything i can think off clean my system (SpyBot S&D, Lavasoft Adaware, Onlineand offline virus scanners, both in regular and safemode.. but nothing working please help ............



panda scan

Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.888.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.com.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.adserver.easyad.info/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Tech\Application Data\Mozilla\Firefox\Profiles\a7s6sqmx.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tech\Cookies\tech@bs.serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tech\Cookies\tech@serving-sys[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tech\Desktop\smit\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Tech\Desktop\smit\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Tech\Desktop\smit\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\fix\SDFix\apps\Process.exe
Virus:Trj/Spammer.ADX Disinfected C:\WINDOWS\Puy61.sys
Virus:Rootkit/Agent.HQL Disinfected C:\WINDOWS\system32\drivers\Puy61.sys
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Pro



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:40, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mp3 flag] C:\DOCUME~1\Tech\APPLIC~1\LISTAB~1\cast locks.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/sel...g/ESTPTest.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\127328.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPS - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7176 bytes



Any Help Would Be Apreciated

Edited by shaun77, 22 January 2008 - 06:40 PM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:47 AM

Posted 04 February 2008 - 10:54 AM

Hello shaun77 and welcome to the BC HijackThis forum. Let's see what else we can find.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users