
Need help with strange cpu activity


This topic is locked
28 replies to this topic

#1 logikz

  • Members
  • 65 posts

Posted 24 December 2008 - 03:35 PM

Please help :D

Stuff gets changed around on my computer all the time. I am not using anything to access my computer remotely. I think it's a legit way to remotely access your computer; that is why virus scans don't detect it.

Attached Files


Edited by logikz, 24 December 2008 - 03:46 PM.




#2 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 05 January 2009 - 02:15 AM

bump

#3 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 05 January 2009 - 02:43 AM

If this helps, it's a scan of myself. I have a firewall and I have all these open ports set to block on the firewall. Lots of VPN stuff; I don't use VPN. Help me out!!
Also it says I'm running Microsoft Windows 2003 Server SP1.

I am running Windows XP Professional SP3.... Accuracy is at 100%

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2009-01-05 01:33 Central Standard Time
DNS resolution of 1 IPs took 0.05s.
Initiating SYN Stealth Scan against (192.167.0.2) [65535 ports] at 01:33
Discovered open port 1723/tcp on 192.167.0.2
Discovered open port 3389/tcp on 192.167.0.2
Discovered open port 1025/tcp on 192.167.0.2
SYN Stealth Scan Timing: About 20.03% done; ETC: 01:35 (0:01:59 remaining)
Discovered open port 38292/tcp on 192.167.0.2
SYN Stealth Scan Timing: About 49.06% done; ETC: 01:38 (0:02:36 remaining)
Discovered open port 1029/tcp on 192.167.0.2
SYN Stealth Scan Timing: About 88.79% done; ETC: 01:39 (0:00:38 remaining)
Discovered open port 1054/tcp on 192.167.0.2
Discovered open port 12174/tcp on 192.167.0.2
The SYN Stealth Scan took 382.22s to scan 65535 total ports.
Initiating service scan against 7 services on (192.167.0.2) at 01:39
The service scan took 95.03s to scan 7 services on 1 host.
For OSScan assuming port 1025 is open, 22 is closed, and neither are firewalled
Host (192.167.0.2) appears to be up ... good.
Interesting ports on (192.167.0.2):
Not shown: 64433 closed ports, 1095 filtered ports
PORT      STATE SERVICE       VERSION
1025/tcp  open  msrpc         Microsoft Windows RPC
1029/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1054/tcp  open  msrpc         Microsoft Windows RPC
1723/tcp  open  pptp?
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
12174/tcp open  tcpwrapped
38292/tcp open  landesk-cba?
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows 2003 Server SP1
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 482.359 seconds
Raw packets sent: 72045 (3.171MB) | Rcvd: 68548 (3.153MB)

Edited by logikz, 05 January 2009 - 02:44 AM.
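As an added example (not part of the original post, and not a tool discussed anywhere in this thread), the following Python script turns Nmap normal output like the scan above into a defender's checklist: it parses the port table and the "OS details" guess, lists open services that hand a remote party an interactive session (Remote Desktop on 3389, the PPTP VPN endpoint on 1723), lists open ports Nmap could not identify with confidence (a trailing "?" or "tcpwrapped"), and checks whether the fingerprint matches what the owner believes is installed. The REMOTE_ACCESS table and the SAMPLE_SCAN text are constructed for this example from the scan posted above; a mismatch like "Windows XP" versus "Windows 2003 Server" is a reason to look closer, not proof of compromise, because OS fingerprinting is heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table and OS guess copied from the scan posted
# above (the timing/progress lines are omitted because the parser ignores them).
SAMPLE_SCAN = """\
Interesting ports on (192.167.0.2):
Not shown: 64433 closed ports, 1095 filtered ports
PORT STATE SERVICE VERSION
1025/tcp open msrpc Microsoft Windows RPC
1029/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
1054/tcp open msrpc Microsoft Windows RPC
1723/tcp open pptp?
3389/tcp open microsoft-rdp Microsoft Terminal Service
12174/tcp open tcpwrapped
38292/tcp open landesk-cba?
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows 2003 Server SP1
"""

# Nmap service names that mean "someone can log in or tunnel in over the
# network". This table is an assumption of the example, not an Nmap list.
REMOTE_ACCESS = {
    "microsoft-rdp": "Remote Desktop (Terminal Services)",
    "ms-wbt-server": "Remote Desktop (Terminal Services)",
    "pptp": "PPTP VPN endpoint (Windows 'Incoming Connections')",
    "ssh": "SSH",
    "telnet": "Telnet",
    "vnc": "VNC",
}

# One row of the PORT/STATE/SERVICE/VERSION table, version column optional.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str   # Nmap's service name with any trailing '?' removed
    guessed: bool  # True when Nmap marked the service name with '?'
    version: str


def parse_ports(text):
    """Extract the port table rows from Nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append(PortEntry(int(port), proto, state,
                              service.rstrip("?"), service.endswith("?"),
                              version or ""))
    return rows


def parse_os(text):
    """Return Nmap's 'OS details' guess, or None if the host was not fingerprinted."""
    m = re.search(r"^OS details:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def remote_access_ports(rows):
    """Open ports whose service gives a remote party an interactive session."""
    return [(r.port, REMOTE_ACCESS[r.service])
            for r in rows if r.state == "open" and r.service in REMOTE_ACCESS]


def unidentified_ports(rows):
    """Open ports Nmap could not identify with confidence: a '?' guess, or
    'tcpwrapped' (the port accepted the connection and then dropped it)."""
    return [r.port for r in rows
            if r.state == "open" and (r.guessed or r.service == "tcpwrapped")]


def os_mismatch(text, expected_os):
    """True when the fingerprint names a product other than the one the owner
    installed. Heuristic only: XP and Server 2003 are frequently confused."""
    detected = parse_os(text)
    return detected is not None and expected_os.lower() not in detected.lower()


def checklist(text, expected_os):
    """Defender's to-do list derived from one scan."""
    rows = parse_ports(text)
    items = []
    for port, what in remote_access_ports(rows):
        items.append(f"port {port}: {what} is listening; disable it unless you use it")
    for port in unidentified_ports(rows):
        items.append(f"port {port}: unidentified listener; find the owning process")
    if os_mismatch(text, expected_os):
        items.append(f"OS fingerprint '{parse_os(text)}' does not match '{expected_os}'")
    return items


if __name__ == "__main__":
    for item in checklist(SAMPLE_SCAN, "Windows XP"):
        print("-", item)
```

For the "find the owning process" items, on Windows XP Professional `netstat -ano` shows the PID behind each listening port and `tasklist /svc` maps that PID to the service or program, which is the check that settles whether a listener such as the one on 12174 is expected.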


#4 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado, Michigan

Posted 06 January 2009 - 10:45 AM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer. I am looking over your log, and I will be back in a bit with some instructions.

While you are waiting, go to your control panel, then open the add / remove control panel and go thru the list of software installed. Anything you don't want, need, or use go ahead and uninstall it. Give me a list of anything you uninstall. Don't try to uninstall Microsoft products, we will take care of those later. Are you behind a router?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado, Michigan

Posted 06 January 2009 - 11:40 AM

Uninstall uTorrent, LimeWire and any other P2P software you have installed, as well as any software you used P2P programs to download, and also any other files downloaded via P2P. The reason for this is that it leaves an open pipe right into your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Next run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

So in the next post, I need the log from MBAM and ComboFix. Also tell me how you are connected to the net, any routers etc, and do you have other computers connected thru a LAN.

#6 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 07 January 2009 - 03:43 AM

I am running DSL thru a Qwest router, which I have connected to a wired LAN device to one laptop and this computer. Things I have tried include: complete reinstallation of the computer. After this it seems as if nothing had changed; guest accounts were still renamed and disabled, the admin account was still renamed and disabled. Other things like this would happen. I tried this multiple times before giving up. I have used online scanners that detect many things but fail at removing them. I have used Tom's Root Boot Disc to check if there is some sort of OS/2 or subsystem going on. I found there to be drives in the loop folder being named loop1 - loop28, which would probably seem to be the amount of times I tried format and reinstall.

The MBAM log came up clean; ComboFix did some things. It deregistered a bunch of services, which I hope will help. Well, on to the next step! Please give me an update on what you think. Am I infected, doc? I had previously gone onto this site and posted a ComboFix/HijackThis log from my computer after a completely fresh install, no other drives, a disc from Microsoft, and ran those scans directly after doing so. The man told me I was infected. I've been fighting it for a while but I always get sent somewhere else. Here's the scan you requested.

I thank you so much for providing this service to me.

Attached Files



#7 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado, Michigan

Posted 07 January 2009 - 09:13 AM

OK, I have one question to ask. I am going thru those logs right now, but have you changed the default password on your router?

Also please post the MBAM log up. There is other information there I need to confirm.

I noticed in your combofix log that your Kaspersky AV signatures are outdated. When was the last time you did an update?

And I think I figured out what is your problem.

Please perform a scan with Trend Micro Housecall:
http://housecall.trendmicro.com/

[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]

1. Select your location and click the "Go" button if presented with this page.
2. Under "Scan your PC", please click "Scan now. It's free!"
3. Then again click "Scan now, it's free".
4. Read and put a Check next to "Yes, I accept the Terms of Use". Also put a check mark next to "I want to select a different HouseCall kernel".
5. Click the "Launching HouseCall>>" button.
6. This will give you the option to scan with Java-based or Browser plug-in:


* If Java support is disabled on your system or no Java runtime environment is installed, click "Starting HouseCall" under "Browser plug-in and using the HouseCall Kernel". Please be patient while Housecall downloads necessary components. You may receive a Security Warning "Do you want to install this software? Name: hcImpl.cab Publisher: Trend Micro..." Click "Install" when prompted.

* If Java support is confirmed, click "Starting HouseCall" under "Using Java-based HouseCall kernel". Please be patient while Housecall downloads necessary components. You may receive a Security Warning about the TrendMicro Java applet and asking if you want to run. Click "Yes" when prompted.

Again please be patient while Trend Micro HouseCall is updated or installed. This can take some time especially if you are using a dial-up connection.

7. Under "Scan complete computer for malware, grayware, and vulnerabilities" click the "Next>>" button. It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start. Once the scan is complete, it will take you to the summary page.
8. Under "Cleanup options" choose "Clean all detected infections automatically".
9. Click the "Clean now>>" button.
10. When presented with a notification "According to your instructions, all detected infections were cleaned...", click "OK".


I am not sure if you get a log with this scan, but if you don't, copy down what it finds and post it up with the next post.


After the scan reboot your computer and run combofix again using the same instructions as last time. I am concerned about all the deregistered entries.

Edited by Hoov, 07 January 2009 - 11:34 AM.


#8 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 07 January 2009 - 03:30 PM

Malwarebytes' Anti-Malware 1.32
Database version: 1626
Windows 5.1.2600 Service Pack 2

1/7/2009 2:24:27 AM
mbam-log-2009-01-07 (02-24-27).txt

Scan type: Quick Scan
Objects scanned: 47193
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Performing the Trend Micro scan right now. Yes, I changed the default password on my Qwest router. I am having trouble now connecting to my NH1005-WM Linksys LAN device. Should that password also be changed? If so, would I connect my PC to the Uplink and type 192.168.0.1?

Also, I believe this to be the same setup on a lot of my computers and my family's business computers. I have run ComboFix on a laptop I have directly after reformatting and reinstalling a fresh copy of Windows XP. Lo and behold, ALL the same entries were deregistered. It was set up like this locally, meaning someone came into my house and set up the computers to allow for remote access. They did it in such a way that it cannot be fixed by a simple format and reinstall.

Edited by logikz, 07 January 2009 - 03:50 PM.


#9 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location: Mikado, Michigan

Posted 07 January 2009 - 04:03 PM

As for device passwords, as long as the device closest to the internet has it changed you are OK. As for the deregistered entries, that is weird. Did you purchase all your computers from the same place?

#10 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 08 January 2009 - 02:03 AM

No, actually I custom built my computer, and as for the laptop, that was purchased as a complete unit. What do these deregistered entries mean? And for you saying you think you figured it out, what's up? A few small questions. When you completely reinstall Windows after formatting your hard drive, your registry should also be defaulted, correct? Would WMI have anything saved on it that would migrate from install to install? Shouldn't the Guest account be back to the default name and not still renamed? If you purchased a hard drive at a store that says 320 gigs, when I look at it from the Windows install it says it is 298 gigs but 320,000,000,022 bytes; just wording possibly?

[Trend Micro HouseCall scan results]

ADWARE_BESTOFFERS
1 Infections
Some infections of this grayware/spyware could not be removed automatically!

SPYW_GOLDEYE.401
1 Infections
Some infections of this grayware/spyware could not be removed automatically!

TITLE_OF_GRAYWARE
0 Infections

HTTP cookies
0 Detected

Detected vulnerabilities

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
This update addresses a vulnerability in the XMLHTTP ActiveX control within Microsoft XML Core Services. An attacker could exploit the vulnerability by creating a specially crafted Web page that allows remote code execution once an unsuspecting user with administrative user rights visits the said page or clicks a link in an email message. The attacker who successfully exploits the mentioned vulnerability could access and take full control of an affected system. To successfully exploit the vulnerability, however, user intervention is needed.
Affected programs and services: Microsoft XML Core Services 4.0; Microsoft XML Core Services 6.0
Malware exploiting this vulnerability: unknown

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. The vulnerability could be exploited through attacks on Microsoft XML Core Services. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Affected programs and services: Microsoft Office 2003 Service Pack 2; Microsoft Office Groove Server 2007; Microsoft Office SharePoint Server; Windows 2000 Service Pack 4; Windows Server 2003 Service Pack 1; Windows Server 2003 Service Pack 2; Windows Server 2003 with SP1 for Itanium-based Systems; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Server 2003 x64 Edition; Windows Server 2003 x64 Edition Service Pack 2; Windows Vista; Windows Vista x64 Edition; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition Service Pack 2; Windows XP Service Pack 2
Malware exploiting this vulnerability: unknown

MS08-054
MS08-061
MS08-063
MS08-066
MS08-067
MS08-068
(For each of these bulletins the scanner reported: affected programs and services: unknown; malware exploiting this vulnerability: unknown.)

Edited by logikz, 08 January 2009 - 03:12 AM.


#11 logikz

  • Topic Starter
  • Members
  • 65 posts

Posted 08 January 2009 - 03:23 AM

ComboFix 09-01-07.02 - FryPan 2009-01-08 2:20:08.2 - NTFSx86

Running from: c:\documents and settings\FryPan\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Kaspersky Internet Security *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-08 02:12 . 2009-01-08 02:12 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-08 00:17 . 2009-01-08 01:43 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-07 15:05 . 2009-01-07 15:05 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-07 14:53 . 2009-01-08 02:14 <DIR> d-------- c:\documents and settings\FryPan\.housecall6.6
2009-01-05 09:02 . 2009-01-05 09:02 <DIR> d--h----- c:\windows\PIF
2009-01-05 01:45 . 2009-01-05 03:05 <DIR> d-------- c:\documents and settings\FryPan\Application Data\gtk-2.0
2009-01-05 01:27 . 2009-01-05 01:30 <DIR> d-------- c:\windows\NV2003336.TMP
2009-01-05 01:10 . 2009-01-05 01:10 <DIR> d--hs---- c:\documents and settings\FryPan\UserData
2009-01-03 09:16 . 2009-01-03 09:16 <DIR> d-------- c:\windows\FFXI App
2009-01-03 09:16 . 2009-01-03 09:56 <DIR> d-------- c:\program files\FFXI App
2008-12-24 14:50 . 2009-01-07 02:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 14:50 . 2008-12-24 14:50 <DIR> d-------- c:\documents and settings\FryPan\Application Data\Malwarebytes
2008-12-24 14:50 . 2008-12-24 14:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-24 14:50 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 14:50 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 00:10 . 2008-12-16 00:10 <DIR> d-------- c:\program files\Nmap
2008-12-16 00:10 . 2009-01-05 02:55 <DIR> d-------- c:\documents and settings\FryPan\.zenmap
2008-12-14 22:35 . 2008-12-14 22:35 3,131,158 --a------ c:\windows\system32\ds.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 08:21 622,624 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-01-08 08:21 4,256 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-01-08 08:16 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-08 08:15 34,116 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-08 08:15 3,960,352 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-08 06:20 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-08 05:49 --------- d-----w c:\documents and settings\FryPan\Application Data\uTorrent
2009-01-08 03:18 --------- d-----w c:\program files\CCleaner
2009-01-07 21:05 --------- d-----w c:\program files\Java
2009-01-07 08:36 --------- d-----w c:\program files\DivX
2009-01-05 07:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 15:22 --------- d-----w c:\documents and settings\FryPan\Application Data\OpenOffice.org2
2008-12-14 18:35 --------- d-----w c:\documents and settings\FryPan\Application Data\LimeWire
2008-12-05 07:01 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_ 2.32.08.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-08 06:18:08 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-01-08 06:18:08 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2009-01-08 06:18:09 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2009-01-08 06:18:11 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 21:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 21:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-08 06:18:12 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-08 06:18:09 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 21:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-01-09 21:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-12-24 21:38:24 386,048 ----a-w c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-01-09 21:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2008-12-30 19:44:16 296,336 ----a-w c:\windows\Downloaded Program Files\rufsi.dll
+ 2009-01-08 08:12:46 32,768 ----a-r c:\windows\Installer\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}\icon.exe
- 2008-06-10 06:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-07 21:05:08 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 06:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-07 21:05:08 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 07:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-07 21:05:08 148,888 ----a-w c:\windows\system32\javaws.exe
- 2003-04-18 21:46:22 1,233,920 ----a-w c:\windows\system32\msxml4.dll
+ 2006-11-04 20:14:00 1,245,696 ----a-w c:\windows\system32\msxml4.dll
- 2009-01-07 03:21:05 71,250 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-08 08:20:04 71,250 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-07 03:21:05 441,184 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-08 08:20:04 441,184 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-08 08:15:54 16,384 ----atw c:\windows\temp\Perflib_Perfdata_120.dat
+ 2006-11-04 20:17:02 1,245,696 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-04-28 16:14 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemExplorer]
--a------ 2008-03-06 20:01 1338880 d:\lx\System Explorer\SystemExplorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - AVP
*Deregistered* - Beep
*Deregistered* - BIOS
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - Kbdclass
*Deregistered* - kl1
*Deregistered* - klbg
*Deregistered* - KLIF
*Deregistered* - klim5
*Deregistered* - KSecDD
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LightScribeService
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - PLFlash DeviceIoControl Service
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SharedAccess
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - winmgmt
*Deregistered* - wscsvc
.
.
------- Supplementary Scan -------
.
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
FF - ProfilePath - c:\documents and settings\FryPan\Application Data\Mozilla\Firefox\Profiles\dfpjagct.default\
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 02:21:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-08 2:22:38
ComboFix-quarantined-files.txt 2009-01-08 08:22:34
ComboFix2.txt 2009-01-07 08:32:41

Pre-Run: 67,308,077,056 bytes free
Post-Run: 67,299,717,120 bytes free

223


Fresh combofix

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:18 AM

Posted 08 January 2009 - 09:12 AM

What do these deregistered entries mean? And for you saying you think you figured it out, what's up? A few small questions. When you completely reinstall Windows after formatting your hard drive, your registry should also be defaulted, correct? Would WMI have anything saved on it that would migrate from install to install? Shouldn't the Guest account be back to the default name and not still renamed? If you purchased a hard drive at a store that says 320 gigs, when I look at it from the Windows install it says it is 298 gigs but 320,000,000,022 bytes; just wording possibly?


When you format a hard drive, nothing is normally carried from one installation to the next except possibly a rootkit. The guest account should be named the guest account. Did you do a new install from the original Windows installation disk?

As for the harddrive size, it's a math thing, read this, http://compreviews.about.com/od/storage/a/ActualHDSizes.htm

As for deregistered: Deregistered refers to services no longer registered in the SCM, but the driver/service is still active in memory for the current boot session. I just got some information about this. Go into the Admin tools and then into Services, enable (set to Automatic) and start the Windows Management Instrumentation service. Also make sure Windows Management Instrumentation Driver Extensions is on Manual, and start it.

As for me saying I figured it out: I found evidence of a worm, but the Trend Micro scan makes me wonder.

Download Sysclean Package & save it to your desktop.

1. Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files - (Pattern files are usually named "lptxxx.zip", where xxx is the pattern file number)
4. Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com.
DO NOT scan yet.

Reboot your computer in SAFE MODE using the "F8" method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
1. Open the Sysclean folder and double-click on "sysclean.com" to start the scanning process.
2. Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
3. Click the Advanced button.
4. The scan options appear. Select the Scan all local fixed drives.
5. Click the Scan button on the TrendMicro™ System Cleaner console.
6. It will take some time to complete. Be patient and let it clean whatever it finds.
7. Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
8. To view the log, click the View button on the TrendMicro™ System Cleaner console. The TrendMicro™ Sysclean Package - Log window appears.
The Files Detected section shows the viruses that were detected by System Cleaner.
The Files Clean section shows the viruses that were cleaned.
The Clean Fail section shows the viruses that were not cleaned.
9. Exit when done, reboot normally and re-enable your anti-virus program.

Instructions with screenshots are here if you need them.

This tool generates a log file (sysclean.log) in the same folder where the scan is completed.
When using Sysclean it's best to use the Administrator's account or an account with administrative rights, otherwise you will not have the rights to scan some locations.
The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

After running Sysclean, and enabling WMI, run combofix per the same instructions as before, and post its log also.

Edited by Hoov, 08 January 2009 - 10:18 AM.

Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

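The two Services-console steps Hoov describes (Windows Management Instrumentation on Automatic and started, Windows Management Instrumentation Driver Extensions on Manual and started), as an added PowerShell example that is not code from the thread or from Hoov. It assumes the Windows XP service names `winmgmt` and `Wmi` for those two services, PowerShell 2.0, a normal (not Safe Mode) boot, and an account with administrative rights; the function name `Set-WmiServiceState` is this example's own.

```powershell
# Added example (not code from the thread or from Hoov): apply the two WMI service
# changes described above and confirm WMI answers afterwards.
# Assumptions: Windows XP service names 'winmgmt' (Windows Management Instrumentation)
# and 'Wmi' (Windows Management Instrumentation Driver Extensions), PowerShell 2.0,
# and a normal (not Safe Mode) boot from an account with administrative rights.

function Set-WmiServiceState {
    param(
        [string]$Name,
        [string]$StartupType   # 'Automatic' or 'Manual', matching the post's instructions
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        # Service missing from the SCM entirely: report it rather than silently skipping.
        return New-Object PSObject -Property @{ Name = $Name; Status = 'NotFound'; StartMode = 'n/a' }
    }

    # Change the start type in the SCM first; Start-Service fails on a Disabled service.
    Set-Service -Name $Name -StartupType $StartupType

    $status = 'Running'
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name $Name -ErrorAction Stop
        } catch {
            $status = 'StartFailed: ' + $_.Exception.Message
        }
    }
    if ($status -eq 'Running') {
        $status = [string](Get-Service -Name $Name).Status
    }

    # Read the start mode back through WMI itself (Win32_Service.StartMode);
    # this only works once winmgmt is running, which is why it is handled first.
    $startMode = 'unknown'
    $wmiSvc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if ($wmiSvc -ne $null) { $startMode = $wmiSvc.StartMode }

    return New-Object PSObject -Property @{ Name = $Name; Status = $status; StartMode = $startMode }
}

# The two steps from the post, in order: WMI on Automatic, the driver extensions on Manual.
$report = @(
    (Set-WmiServiceState -Name 'winmgmt' -StartupType 'Automatic'),
    (Set-WmiServiceState -Name 'Wmi'     -StartupType 'Manual')
)
$report | Format-Table Name, Status, StartMode -AutoSize

# Sanity check that the WMI repository responds to a query at all.
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, CSDVersion
```

Run it from a normal boot rather than Safe Mode: Safe Mode only starts services listed under the SafeBoot keys in the registry, so a `Start-Service` on anything else reports a failure there even when the service is healthy. The final `Win32_OperatingSystem` query is the useful check; if it returns nothing after both services report `Running`, the WMI repository itself is damaged and needs repairing before ComboFix's service listing can be trusted.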

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:04:18 AM

Posted 08 January 2009 - 11:35 AM

As well as the above, please run DDS according to the instructions here and paste / attach the logs as instructed.

#14 logikz

logikz
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:04:18 AM

Posted 10 January 2009 - 11:14 PM

Ok, here are the logs. Yes, when I reinstalled I used a disc straight from Microsoft. Here are the logs you have requested. Some strange things have happened with what I have tried in the past. I have used a hidden partition finder program; it located a hidden partition encoded in Russian. I unencoded it and this Metafiles folder popped up on my desktop containing a bunch of weird bleep: lots of .dlls, packed files and text documents that were more than strange. I then rebooted after removing the folder and the computer crashed. I researched some of these and they had to do with Ryan's VMWare. I think this is taking place not in Windows but through a dual boot system with Unix. I have used Unix lightly before, but not on this computer. When I installed Tom's Root Boot Disc I found that there were about 80 loop drives on my computer for some reason. I was told on other forums that this was strange, it being my first install with Tom's Root Boot.
Oh ya, the second WMI one you said to be set at Manual wouldn't start in Safe Mode.
Anyways, I hope you got some good ideas XD

Thanks again for all the help!

Attached Files


Edited by logikz, 10 January 2009 - 11:20 PM.


#15 logikz

logikz
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:04:18 AM

Posted 10 January 2009 - 11:17 PM

Combofix logs too big, 2 posts coming

Attached Files





