
svnshost & icons in system tray that are clearly malware



#1 .4ngryToasters

.4ngryToasters

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 16 December 2008 - 02:28 AM

So I came home from work today to find I have a virus (yay). The first thing I did was disconnect my internet cable, run HijackThis, and take a look at my task manager. I saw some suspicious processes under the names of svn~shost.exe (~ on top of the n, a strange character to have in a running process) and a popup warning (clearly malware) that led me to svschost.exe.

Here is my DDS report:

DDS (Version 1.0.1) - NTFSx86  
Run by Greg St.James at  1:58:27.23 on Tue 12/16/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2558.1838 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\svschost.exe
C:\WINDOWS\system32\sv˝shost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Greg St.James\Desktop\Tool Box\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Greg St.James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [svschost.exe] c:\windows\system32\svschost.exe -check
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [00Hotkeys] "c:\program files\qliner hotkeys\HotKeys.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Wxema] rundll32.exe "c:\windows\Eyufuvonejec.dll",e
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\gregst~1.jam\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Image Zone Fast Start.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoWinKeys = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages =  scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregst~1.jam\applic~1\mozilla\firefox\profiles\6vfnsp7p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R2 ekrn;Eset Service;"c:\program files\eset\eset smart security\ekrn.exe" [2007-12-21 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-1-10 24652]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []
S2 McAfeeFramework;McAfee Framework Service;"c:\program files\network associates\common framework\FrameworkService.exe" /ServiceStart [2006-11-2 104000]

=============== Created Last 30 ================

2008-12-16 00:42	40,960	a-------	c:\windows\Eyufuvonejec.dll
2008-12-16 00:42	40,960	a-------	c:\windows\system32\system32xp.exe
2008-12-16 00:42	87,040	a-------	c:\windows\system32\sv˝shost.exe
2008-12-16 00:42	87,040	a-------	c:\windows\system32\svschost.exe
2008-12-13 21:29	21,504	a-------	c:\windows\jestertb.dll
2008-12-10 23:55	<DIR>	--d-----	c:\program files\Microsoft Common
2008-12-10 02:07	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\2DBoy
2008-12-07 13:27	30,984	a-------	c:\windows\system32\~.exe
2008-12-06 01:59	54,156	a---h---	c:\windows\QTFont.qfn
2008-12-06 01:59	1,409	a-------	c:\windows\QTFont.for

==================== Find3M  ====================

2008-12-12 17:56	78,883	a-------	c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:10	453,632	a-------	c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 08:01	283,648	a-------	c:\windows\system32\gdi32.dll
2008-10-16 05:20	667,648	a-------	c:\windows\system32\wininet.dll
2008-10-03 05:15	247,326	a-------	c:\windows\system32\strmdll.dll
2008-09-30 16:43	1,286,152	a-------	c:\windows\system32\msxml4.dll
2008-02-04 17:01	1,297,850	a-------	c:\program files\bit_che_1_0_59.exe
2008-02-04 16:51	878,192	a-------	c:\program files\BitTorrent-6.0.exe
2006-11-07 15:06	147	ac------	c:\program files\_DEISREG.ISR
1998-08-24 11:09	10,000	a-------	c:\windows\inf\unregpn.exe
1997-04-23 01:16	40,960	a-------	c:\program files\_ISREG32.DLL

============= FINISH:  1:58:49.25 ===============


Lastly, here is a picture of the popup that's pestering me to click it (don't worry, I didn't even mouse over it, let alone click it):
http://i91.photobucket.com/albums/k313/4ng...ers/virus01.jpg
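As an added example (not from the thread or from any of the tools mentioned in it), here is a small Python check that parses a DDS "Running Processes" section like the one above and flags svchost look-alikes: image names containing non-ASCII characters, names within a couple of edits of a core Windows binary, and genuine system binaries running from outside the Windows directories. The sample lines are copied from the log above; the list of system binaries, the edit-distance threshold and the directory list are my assumptions.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the DDS "Running
# Processes" section in the post above, including the two suspicious entries.
SAMPLE_DDS_PROCESSES = """\
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\Program Files\\ESET\\ESET Smart Security\\ekrn.exe
C:\\WINDOWS\\explorer.exe
C:\\WINDOWS\\system32\\svschost.exe
C:\\WINDOWS\\system32\\sv\u02ddshost.exe
C:\\WINDOWS\\system32\\taskmgr.exe
"""

# Assumed list of Windows binaries that malware commonly names itself after
# (stems without .exe) and the directories they legitimately run from.
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "explorer", "spoolsv", "services")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")
MAX_DISTANCE = 2  # assumed threshold for "close enough to be a look-alike"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_dds_line(line: str) -> Tuple[str, str]:
    """Return (lower-cased directory, image name) for one DDS process line.
    The image path ends at the first '.exe'; entries without an extension
    (e.g. 'svchost -k DcomLaunch') are cut at the first ' -' argument.
    Paths may contain spaces, so we never split on whitespace."""
    low = line.lower()
    idx = low.find(".exe")
    cmd = line[: idx + 4] if idx >= 0 else line.split(" -", 1)[0]
    directory, _, image = cmd.strip().rpartition("\\")
    return directory.lower(), image


def stem(image: str) -> str:
    name = image.lower()
    return name[:-4] if name.endswith(".exe") else name


def check_process(line: str) -> List[str]:
    """Return the findings for one DDS line; an empty list means nothing odd."""
    findings: List[str] = []
    directory, image = split_dds_line(line)
    if not image:
        return findings
    odd = [ch for ch in image if ord(ch) > 127]
    if odd:  # e.g. the U+02DD in sv˝shost.exe, invisible at a glance in Task Manager
        names = ", ".join(f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}" for ch in odd)
        findings.append(f"non-ASCII character in image name ({names})")
    s = stem(image)
    if s in SYSTEM_STEMS:
        # Genuine name: only suspicious when it runs from a non-system directory.
        # DDS prints a bare name when it has no path, so an empty directory is skipped.
        if directory and directory not in SYSTEM_DIRS:
            findings.append(f"{s}.exe running from non-system directory {directory}")
    else:
        for legit in SYSTEM_STEMS:
            d = levenshtein(s, legit)
            if d <= MAX_DISTANCE:
                findings.append(f"look-alike of {legit}.exe (edit distance {d})")
    return findings


def scan_dds_processes(text: str) -> List[Tuple[str, List[str]]]:
    """Run check_process over every non-empty line and keep only flagged ones."""
    flagged = []
    for line in text.splitlines():
        if line.strip():
            findings = check_process(line)
            if findings:
                flagged.append((line, findings))
    return flagged


if __name__ == "__main__":
    for line, findings in scan_dds_processes(SAMPLE_DDS_PROCESSES):
        print(line)
        for f in findings:
            print("   ->", f)
```

The same check can be pasted over the full "Running Processes" block of a DDS log; the two entries the poster spotted by eye are the only ones it flags in the sample.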

#2 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 16 December 2008 - 06:58 PM

bump for help please

#3 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 17 December 2008 - 10:56 PM

I did a ComboFix scan. It looks like it found something and deleted it, but the popups are still persisting. Here's the log it came up with; I hope someone can please help me.

ComboFix 08-12-17.01 - Greg St.James 2008-12-17 22:35:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1920 [GMT -5:00]
Running from: c:\documents and settings\Greg St.James\Desktop\Tool Box\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common
c:\windows\Downloaded Program Files\setup.inf
c:\windows\jestertb.dll
c:\windows\system32\~.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-16 02:00 . 2008-12-16 02:00 132,096 --a------ c:\windows\elecagay.dll
2008-12-16 00:42 . 2008-12-16 00:42 87,040 --a------ c:\windows\system32\svschost.exe
2008-12-16 00:42 . 2008-12-16 00:42 87,040 --a------ c:\windows\system32\sv˝shost.exe
2008-12-16 00:42 . 2008-12-16 00:42 40,960 --a------ c:\windows\system32\system32xp.exe
2008-12-16 00:42 . 2008-12-16 00:42 40,960 --a------ c:\windows\Eyufuvonejec.dll
2008-12-12 01:57 . 2008-12-12 02:00 1,393 --a------ c:\windows\imsins.BAK
2008-12-10 02:07 . 2008-12-10 02:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy
2008-12-06 01:59 . 2008-12-14 12:56 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 01:59 . 2008-12-06 01:59 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 03:40 --------- d-----w c:\program files\DNA
2008-12-18 03:40 --------- d-----w c:\documents and settings\Greg St.James\Application Data\DNA
2008-11-26 05:10 --------- d-----w c:\program files\Bit Che
2008-11-18 04:45 --------- d-----w c:\documents and settings\Greg St.James\Application Data\BitTorrent
2008-11-11 05:09 --------- d-----w c:\documents and settings\Greg St.James\Application Data\qliner
2008-11-11 05:01 --------- d-----w c:\program files\AutoHotkey
2008-11-11 04:43 --------- d-----w c:\program files\Qliner Hotkeys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-04 22:01 1,297,850 ----a-w c:\program files\bit_che_1_0_59.exe
2008-02-04 21:51 878,192 ----a-w c:\program files\BitTorrent-6.0.exe
2006-11-07 20:06 147 -c--a-w c:\program files\_DEISREG.ISR
1997-04-23 06:16 40,960 ----a-w c:\program files\_ISREG32.DLL
2008-12-18 03:33 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-18 03:33 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-18 03:33 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-18 03:33 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-18 03:33 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-12 342336]
"svschost.exe"="c:\windows\system32\svschost.exe" [2008-12-16 87040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-02 98304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" [2006-12-01 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Wxema"="c:\windows\Eyufuvonejec.dll" [2008-12-16 40960]
"Hbokokituba"="c:\windows\elecagay.dll" [2008-12-16 132096]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Greg St.James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-01-02 184320]
HP Digital Imaging Monitor.lnk.disabled [2006-11-04 1808]
HP Image Zone Fast Start.lnk.disabled [2006-11-04 798]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-03 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\network associates\\common framework\\FrameworkService.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\day of defeat\\hl.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 tcp
"8081:UDP"= 8081:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 udp
"8082:TCP"= 8082:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 tcp
"8082:UDP"= 8082:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 udp
"35766:TCP"= 35766:TCP:utorrent

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

SSODL-Ntelme-{192CE521-99C2-4EC8-88EB-B34D24C412CB} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Greg St.James\Application Data\Mozilla\Firefox\Profiles\6vfnsp7p.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 22:39:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?8?3?-??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1232)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\program files\network associates\common framework\Mctray.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sv˝shost.exe
c:\program files\HPQ\shared\hpqwmi.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-17 22:46:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 03:46:28

Pre-Run: 15,464,448,000 bytes free
Post-Run: 16,201,961,472 bytes free

185 --- E O F --- 2008-12-12 07:00:20

#4 Grinler (Lawrence Abrams, Admin)

Posted 25 December 2008 - 11:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

First,

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please note that rootkit scans often produce false positives. Do not take action on any of the files found in this log without my supervision.

Next,

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Please save the DDS.txt and the Attach.txt file to your desktop. Then post the contents of the DDS.txt file as a reply to this topic, and in the same reply attach the Attach.txt and the Ark.txt, from the previous gmer run, to your reply. More information on how to attach a file can be found here.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

If I do not hear back from you within 5 days, I will unfortunately need to close this topic. You are more than welcome to open a new topic if you continue to have problems.



