
XP is infected, Malware


  • This topic is locked
2 replies to this topic

#1 countryman08

countryman08

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 19 January 2009 - 10:52 PM

Hi there. Recently my computer has had popups, and I have been informed by my spyware program that a malware virus has been trying to access a file; I quarantine it, but it keeps coming back somehow whenever I access the internet. I look at my history also and it shows strange websites such as abcjump.com, primosearch, blueseek, and many called "Jump"; when trying to go to them they are IP addresses, but I receive a 04 error. I have included my HijackThis scan results and wanted to see if someone could help. Also, if you see anything else that seems to be unsettling, let me know; my computer has been shutting down and I have gotten the blue screen of death for the last two weeks.


DDS (Ver_09-01-18.01) - NTFSx86
Run by Owner at 22:44:10.26 on Mon 01/19/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1087 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
FW: *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\rei\ReiFTPWatchDog.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.YOUR-19BD6A952B\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
uStart Page = hxxp://medlineplus.gov/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6453
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: snappyads browser enhancer: {f748e3ad-5db5-4256-d7c3-159a87cfecfa} - c:\windows\system32\mmojjnrqdzmxbbz.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PC Pitstop Optimize Reminder] "c:\program files\pcpitstop\optimize2\Reminder.exe"
mRun: [ocfwmtaekn] "c:\windows\system32\regsvr32.exe" /s "c:\windows\system32\mmojjnrqdzmxbbz.dll"
mRun: [ReimageAgent] c:\program files\reimage\REI_Agent.exe
mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: reimage.com\cdnrep
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: d00ce0b6511 - c:\windows\system32\ds32gt32.dll
AppInit_DLLs: c:\windows\system32\ds32gt32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R3 cpuz128;cpuz128;\??\c:\docume~1\owner~1.you\locals~1\temp\cpuz_x32.sys --> c:\docume~1\owner~1.you\locals~1\temp\cpuz_x32.sys [?]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-23 24652]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-12-13 1086840]

=============== Created Last 30 ================

2009-01-19 00:15 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-19 00:11 19,569 a------- c:\windows\003203_.tmp
2009-01-18 09:54 <DIR> --d----- c:\windows\3311ZZYWWUUTSRQP
2009-01-15 23:37 <DIR> --d----- c:\program files\CCleaner
2009-01-15 23:20 <DIR> --d----- c:\program files\reimage
2009-01-15 23:12 <DIR> --d----- C:\ReimageUndo
2009-01-15 23:12 230 a------- c:\windows\reimage.ini
2009-01-15 23:11 <DIR> --d----- C:\rei
2009-01-15 23:03 85,208 a------- c:\windows\system32\cont_snappyads-remove.exe
2009-01-15 23:03 47,584 a------- c:\windows\system32\tcoloxzmbmvvm.exe
2009-01-15 23:03 <DIR> --d----- c:\program files\Snappyads Games Collection
2009-01-15 22:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-01-14 22:39 379,904 a------- c:\windows\system32\mmojjnrqdzmxbbz.dll
2009-01-14 11:01 <DIR> --d----- C:\5a20848636ddc3d3ad52a8
2009-01-06 13:55 681,472 a------- c:\windows\system32\nso18.dll
2008-12-21 16:33 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-21 16:28 <DIR> --d----- c:\program files\Photo Viewer

==================== Find3M ====================

2009-01-19 00:21 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-14 01:18 164 a------- C:\install.dat
2008-12-12 00:42 1,706 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-12-11 16:51 20,632 a------- c:\windows\system32\novamns6.dll
2008-12-11 16:51 18,584 a------- c:\windows\system32\novamis6.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-13 17:11 1,553,272 a------- c:\windows\WRSetup.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2007-10-21 11:01 358 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat

============= FINISH: 22:44:56.67 ===============


Please help if you are able?

Brian


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:04:53 PM

Posted 20 January 2009 - 01:19 PM

Hello, countryman08

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:53 PM

Posted 21 January 2009 - 01:03 PM

Due to getting help in another forum, this thread is now closed.
Microsoft MVP Consumer Security