Slow Computer. Haven't Posted Log In Lonnnng Time.


  • This topic is locked
17 replies to this topic

#1 transoptic

transoptic

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 28 January 2009 - 05:01 PM

Hey, my computer has been rapidly slowing down its processing power.
I was hoping someone could see if my log needs cleaning up:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:30 PM, on 1/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\svehost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mstc.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Gill\Desktop\utorrent.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Wireless\WlanCU.exe
C:\Program Files\Gmail\gnotify.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Microsoft Domain Controller] C:\WINDOWS\system32\mstc.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Gill\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail\gnotify.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Wireless\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 7382 bytes


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:05:45 AM

Posted 09 February 2009 - 10:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 09 February 2009 - 06:48 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Gill at 17:43:43.32 on Mon 02/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.720 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\svehost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\mstc.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Gill\Desktop\utorrent.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Wireless\WlanCU.exe
C:\Program Files\Gmail\gnotify.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Gill\Desktop\dds.com
C:\Documents and Settings\Gill\Desktop\dds.com

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [uTorrent] "c:\documents and settings\gill\desktop\utorrent.exe"
uRun: [AdobeBridge]
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [RemoteControl] "c:\program files\powerdvd\PDVDServ.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Microsoft Updates] svehost.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Microsoft Domain Controller] c:\windows\system32\mstc.exe
mRun: [RegistryMechanic]
mRunServices: [Microsoft Updates] svehost.exe
StartupFolder: c:\docume~1\gill\startm~1\programs\startup\gmailn~1.lnk - c:\program files\gmail\gnotify.exe
StartupFolder: c:\docume~1\gill\startm~1\programs\startup\zoom.lnk - c:\program files\dachshund software\zoom\Zoom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\wireless\WlanCU.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: gmail.com\www
Trusted Zone: google.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gill\applic~1\mozilla\firefox\profiles\imh90c5n.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\gill\application data\mozilla\firefox\profiles\imh90c5n.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-12-19 42512]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2005-9-11 438912]

=============== Created Last 30 ================

2009-01-28 15:46 <DIR> --d----- c:\program files\Trend Micro
2009-01-20 15:27 17,730 a------- c:\docume~1\gill\applic~1\FNTCACHE.BIN
2009-01-20 15:24 <DIR> --d----- c:\program files\YourWare Solutions
2009-01-20 15:23 <DIR> -cd----- C:\Downloads
2009-01-20 15:23 <DIR> --d----- c:\docume~1\gill\applic~1\GetRightToGo
2009-01-20 15:10 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-20 15:09 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-14 13:06 139,264 a------- c:\windows\system32\igfxres.dll

==================== Find3M ====================

2007-04-16 20:13 0 ac------ c:\documents and settings\gill\peek.sys
2006-04-28 18:25 96 ac------ c:\documents and settings\gill\START.BAT
2006-04-28 18:25 12 ac------ c:\documents and settings\gill\DCONFIG.DAT
2006-03-29 18:21 220 ac------ c:\documents and settings\gill\n.bat
2006-03-29 18:20 32,768 ac------ c:\documents and settings\gill\setup.exe
2006-03-28 17:14 2,560 ac------ c:\documents and settings\gill\dr.exe

============= FINISH: 17:44:09.07 ===============
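Added example, not part of the thread and not the helpers' tooling: a short Python triage script that applies the checks a log reviewer makes by eye to the O4 autostart entries from the HijackThis log in the first post and to the Winlogon UIHost line from the DDS log above. The indicators it tests for are the ones visible in these logs: a value under the Win9x-era RunServices key, a bare filename with no directory, an executable name one character away from a Windows system binary (svehost.exe against svchost.exe), a label that claims to be Microsoft while launching an unrecognised binary, and a UIHost that is not logonui.exe. The sample lines are copied from the logs posted in this thread; the allowlists and thresholds are illustrative assumptions, not a product's ruleset.

```python
"""Triage of autostart entries from HijackThis (O4) and DDS (mWinlogon) log
lines. Added example for this thread, not the helpers' tooling. The sample
lines are copied from the logs posted above; the allowlists are assumptions."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows binaries that malware likes to imitate by name (illustrative set).
LOOKALIKE_TARGETS = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "logonui.exe",
}
# Binaries a "Microsoft ..." / "Windows ..." label may legitimately launch
# (assumption: extend per environment).
MICROSOFT_SHIPPED = LOOKALIKE_TARGETS | {"msmsgs.exe", "ctfmon.exe", "wcescomm.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
UIHOST_RE = re.compile(r"^mWinlogon: UIHost=(?P<path>.+)$", re.IGNORECASE)
# First token of a Run value: quoted, or unquoted up to the first ".exe".
CMD_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd: str) -> str:
    """Executable path from a Run value, dropping quotes and arguments."""
    m = CMD_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the reviewer's eyeball checks to one log line; None if it is clean."""
    reasons = []
    m = O4_RE.match(line)
    u = UIHOST_RE.match(line)
    if m:
        key, label = m.group("key"), m.group("label")
        path = exe_path(m.group("cmd"))
        name = basename(path)
        if key.lower() == "runservices":
            reasons.append("RunServices: Win9x-era key that legitimate software no longer uses")
        if "\\" not in path and "/" not in path:
            reasons.append("bare filename: resolved via the search path at logon, not a fixed location")
        if name not in LOOKALIKE_TARGETS and any(edit_distance(name, t) == 1 for t in LOOKALIKE_TARGETS):
            reasons.append(f"{name} is one edit away from a Windows system binary name")
        if re.match(r"(microsoft|windows)\b", label, re.IGNORECASE) and name not in MICROSOFT_SHIPPED:
            reasons.append(f"label claims Microsoft but launches unrecognised {name}")
    elif u and basename(u.group("path")) != "logonui.exe":
        reasons.append("Winlogon UIHost is not logonui.exe: the logon UI binary has been replaced")
    return Finding(line, reasons) if reasons else None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f]


# Constructed sample: lines copied from the HijackThis and DDS logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Domain Controller] C:\WINDOWS\system32\mstc.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Gill\Desktop\utorrent.exe"
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample it reports four findings: both svehost.exe values (the Run copy trips three rules at once), the "Microsoft Domain Controller" value pointing at mstc.exe, and the replaced UIHost; the Apoint, Adobe, QuickTime, Intel graphics and uTorrent entries pass. The label rule is only a heuristic that depends on an allowlist kept current for the environment, and a path in a listing never proves what the file actually is, which is why the helpers move on to ComboFix and GMER rather than trusting the HijackThis output alone.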

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 AM

Posted 09 February 2009 - 09:03 PM

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 09 February 2009 - 09:39 PM

Thanks for the reply. That's unfortunate to hear. I have my roommate's computer that I use the internet from. But I will be sure to change all my passwords.

That being said, I do all my work from my computer, so I'd just like to clean it as best as possible.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 AM

Posted 10 February 2009 - 01:00 PM

Okay.

Let's begin then.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-New Hijackthis log
-Description of any problem you still have


With Regards,
Extremeboy

#7 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 11 February 2009 - 11:40 AM

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-11 10:38:03
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A6E7CC8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A6E797C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A6E7560A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A6E75AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A6E80958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A6E83821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A6E8C38A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A6E8BD49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A6E85BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A6E86331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A6E944F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A6E7CB37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A6E78948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A6E8246B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A6E9379D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A6E92C4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A6E792FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A6E931DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A6E8E1F9

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg \Registry\USER\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Tvyy\Qrfxgbc\Qvtvgny_Yvtug_naq_Pbybe_PbybeZrpunavp_Ceb_i2_0_sbe_Cubgbfubc_vapy_Xrltra-FPBGPU\Qvtvgny.Yvtug.naq.Pbybe.PbybeZrpunavp.Ceb.i2.0.sbe.Cubgbfubc.vapy.Xrltra-FPBGPU\PbybeZrpunavp.Ceb.i2.0.sbe.Cubgbfubc.Xrltra.rkr 0x84 0x02 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F495F893-8425-B38D-17E5-BEB553B557B4}@abfhoddlglihjdglnlgjkhgblooijllnif 0x61 0x62 0x64 0x62 ...
Reg \Registry\USER\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F495F893-8425-B38D-17E5-BEB553B557B4}@bbfhoddlglihjdglnlhjnhnmknekmmikgaab 0x61 0x62 0x61 0x62 ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B8131DF5
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.bmp:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\prices.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\prices.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\t1900z01.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\t1900z01.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Gill\My Documents\My Pictures\t2488z01.gif:Q30lsldxJoudresxAaaqpcawXc
ADS ...

---- EOF - GMER 1.0.12 ----


ComboFix 09-02-10.03 - Gill 2009-02-11 10:01:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.969 [GMT -6:00]
Running from: c:\documents and settings\Gill\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\stem~1
c:\program files\Common Files\windows
c:\program files\outlook
c:\program files\winupdates
c:\windows\b.exe
c:\windows\installer.exe
c:\windows\mcroso~1.net
c:\windows\mcroso~1.net\M?crosoft.NET\
c:\windows\ms01193132400-2006.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lo2.txtt
c:\windows\system32\mstc.exe
c:\windows\system32\packet.dll
c:\windows\system32\Plugins
c:\windows\system32\Plugins\ml\ml_pmp_device_WM_Gill1.ini
c:\windows\system32\RCX10.tmp
c:\windows\system32\RCX11.tmp
c:\windows\system32\RCX12.tmp
c:\windows\system32\RCX13.tmp
c:\windows\system32\RCX14.tmp
c:\windows\system32\RCX15.tmp
c:\windows\system32\RCX16.tmp
c:\windows\system32\RCX17.tmp
c:\windows\system32\RCX18.tmp
c:\windows\system32\RCX19.tmp
c:\windows\system32\RCX1A.tmp
c:\windows\system32\RCX1B.tmp
c:\windows\system32\RCX1C.tmp
c:\windows\system32\RCX1D.tmp
c:\windows\system32\RCX1E.tmp
c:\windows\system32\setup.exe.tmp
c:\windows\system32\sks~1
c:\windows\system32\svehost.exe
c:\windows\system32\taskkill.exe
c:\windows\system32\wnscpsv.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_FAD
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NPF
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-01-28 15:46 . 2009-01-28 15:46 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 15:27 . 2009-02-11 09:45 19,549 --a------ c:\documents and settings\Gill\Application Data\FNTCACHE.BIN
2009-01-20 15:24 . 2009-01-20 15:24 <DIR> d-------- c:\program files\YourWare Solutions
2009-01-20 15:23 . 2009-01-20 15:23 <DIR> d----c--- C:\Downloads
2009-01-20 15:23 . 2009-01-20 15:25 <DIR> d-------- c:\documents and settings\Gill\Application Data\GetRightToGo
2009-01-20 15:10 . 2009-01-20 15:10 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-20 15:09 . 2009-01-20 15:09 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-14 13:06 . 2006-06-06 17:05 139,264 --a------ c:\windows\system32\igfxres.dll
2009-01-13 18:45 . 2009-01-13 18:45 <DIR> d-------- c:\program files\Intel
2009-01-12 15:44 . 2009-01-12 18:06 <DIR> d-------- c:\documents and settings\Gill\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 16:03 --------- d-----w c:\documents and settings\Gill\Application Data\uTorrent
2009-02-11 15:51 --------- d-----w c:\program files\WS_FTP Professional
2009-02-11 15:31 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-11 08:09 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-06 01:02 --------- d-----w c:\program files\POP Peeper
2009-01-27 01:18 --------- d-----w c:\program files\CloneDVD
2009-01-20 22:43 --------- d-----w c:\program files\Dachshund Software
2009-01-20 20:54 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-20 20:46 --------- dc----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 04:03 --------- d-----w c:\documents and settings\Gill\Application Data\Imagenomic
2008-12-30 21:04 --------- d-----w c:\program files\Winamp
2008-12-30 20:59 --------- d-----w c:\documents and settings\Gill\Application Data\Winamp
2008-12-19 08:58 --------- d-----w c:\documents and settings\Gill\Application Data\Lavasoft
2007-04-17 02:13 0 -c--a-w c:\documents and settings\Gill\peek.sys
2006-04-29 00:25 96 -c--a-w c:\documents and settings\Gill\START.BAT
2006-04-29 00:25 12 -c--a-w c:\documents and settings\Gill\DCONFIG.DAT
2006-03-30 00:21 220 -c--a-w c:\documents and settings\Gill\n.bat
2006-03-30 00:20 32,768 -c--a-w c:\documents and settings\Gill\setup.exe
2006-03-28 23:14 2,560 -c--a-w c:\documents and settings\Gill\dr.exe
2005-07-29 21:24 472 -csha-r c:\windows\R2lsbA\lZ5PvE.vbs
2006-08-31 00:50 56 -csh--r c:\windows\system32\E22085A1AE.sys
2006-08-31 00:50 1,890 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"uTorrent"="c:\documents and settings\Gill\Desktop\utorrent.exe" [2008-10-11 270128]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2009-01-20 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"RemoteControl"="c:\program files\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

c:\documents and settings\Gill\Start Menu\Programs\Startup\
Gmail Notifier.lnk - c:\program files\Gmail\gnotify.exe [2005-07-15 479232]
Zoom.lnk - c:\program files\Dachshund Software\Zoom\Zoom.exe [2002-09-21 1446302]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - c:\wireless\WlanCU.exe [2004-12-15 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^Gill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Gill\\Desktop\\utorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"55235:TCP"= 55235:TCP:null

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2005-09-11 438912]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Microsoft Domain Controller - c:\windows\system32\mstc.exe
HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gmail.com\www
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\Gill\Application Data\Mozilla\Firefox\Profiles\imh90c5n.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\Gill\Application Data\Mozilla\Firefox\Profiles\imh90c5n.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 10:05:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F495F893-8425-B38D-17E5-BEB553B557B4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abfhoddlglihjdglnlgjkhgblooijllnif"=hex:61,62,64,62,66,70,6b,6c,65,67,70,70,
66,6d,65,64,6f,64,6f,64,6a,65,61,61,6d,6f,6c,70,66,68,63,67,6b,63,00,77
"bbfhoddlglihjdglnlhjnhnmknekmmikgaab"=hex:61,62,61,62,6c,64,63,6d,61,6b,6b,6c,
65,62,6c,6c,62,67,6f,6a,6e,69,69,68,65,61,6d,6a,6e,6c,70,6c,61,6d,00,77

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,34,a7,fa,
9e,fc,c5,cc,70,3f,ef,84,80,4b,ac,11,db,32,ec,a8,c5,c0,4e,14,a5,be,e7,93,e3,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ewido anti-malware\ewidoctrl.exe
c:\windows\Integrator.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-11 10:09:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 16:09:07

Pre-Run: 7,925,755,904 bytes free
Post-Run: 10,512,412,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

231 --- E O F --- 2007-06-21 02:43:29

#8 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 11 February 2009 - 11:41 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:31 AM, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Gill\Desktop\utorrent.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Wireless\WlanCU.exe
C:\Program Files\Gmail\gnotify.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Gill\Desktop\gmer\gmer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Gill\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Gmail\gnotify.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Wireless\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7157 bytes

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 AM

Posted 11 February 2009 - 04:33 PM

Hello.

That was a lot of things Combofix removed; how's your computer running at the moment?

One question: do you know what this folder and file are?

c:\windows\R2lsbA\lZ5PvE.vbs <- This file?

Please upload it to VirusTotal/VirScan

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\R2lsbA\lZ5PvE.vbs
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    ADS::
    C:\Documents and Settings\All Users\Application Data\TEMP
    C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.bmp
    C:\Documents and Settings\Gill\My Documents\My Pictures\portrait.jpg
    C:\Documents and Settings\Gill\My Documents\My Pictures\prices.jpg
    C:\Documents and Settings\Gill\My Documents\My Pictures\t1900z01.gif
    C:\Documents and Settings\Gill\My Documents\My Pictures\t2488z01.gif
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"=-
    "5353:TCP"=-
    "55235:TCP"=- 
    Regnull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E20DD46F-0CC4-5960-1B1F69E13D145F9C}\{B130274E-D0E8-282B-E7F07B1EE1210709}\{71D795F0-66AF-00D6-EF71DCAC5CDD95C3}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}*]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: screenshot of CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Run F-Secure Online Scan

Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
Post back with:
-VirScan/Virustotal scan log
-Combofix log
-F-Secure scan log
-How's your computer running now?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].
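The CFScript above resets the two Security Center notification flags and removes the three globally open firewall ports that the earlier ComboFix log listed; that same log also shows the firewall disabled ("EnableFirewall"= 0) and a few loose files carrying the system+hidden attributes. As an added example (not part of this thread, of ComboFix, or of BleepingComputer's own tooling), the Python below parses lines in the layout ComboFix printed here, flags those four indicators, and builds the Registry:: part of a CFScript that undoes the ones the helper's script addressed. The log format and the attribute column layout are assumed from the excerpts posted above, and the sample lines are constructed from entries visible in them.

```python
"""Triage a ComboFix-style log for the tampering the CFScript in this thread
undoes.  Added example, not part of the thread or of ComboFix; the format is
assumed from the log excerpts posted above and the sample lines are
constructed from entries visible in them."""
import re

# Constructed sample in ComboFix's layout: a few Find3M lines followed by the
# registry keys the CFScript touches (values copied from the posted log).
SAMPLE_LOG = r"""
2005-07-29 21:24 472 -csha-r c:\windows\R2lsbA\lZ5PvE.vbs
2006-08-31 00:50 56 -csh--r c:\windows\system32\E22085A1AE.sys
2006-03-30 00:20 32,768 -c--a-w c:\documents and settings\Gill\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"55235:TCP"= 55235:TCP:null
"""

# Find3M line: "YYYY-MM-DD HH:MM size attrs path" (attrs layout assumed: d c s h a - r/w)
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([-a-z]{7})\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "name"=value

# Security Center flags that silence the "no antivirus / no updates" balloons
NOTIFY_FLAGS = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def triage(log_text):
    """Return (category, detail) findings from a ComboFix-style log."""
    findings = []
    key = ""  # registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if "security center" in key and name in NOTIFY_FLAGS and value.lower() == "dword:00000001":
                findings.append(("securitycenter_notify_off", name))
            elif key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
                findings.append(("firewall_disabled", value))
            elif key.endswith(r"globallyopenports\list"):
                # value is "port:proto[:scope]:Enabled:Name"; a null/empty name has no owning product
                owner = value.split(":")[-1].strip()
                if owner.lower() in ("", "null"):
                    findings.append(("open_port_no_owner", name))
            continue
        m = FIND3M_RE.match(line)
        if m and "s" in m.group(3) and "h" in m.group(3):
            # system+hidden on a loose file: Explorer keeps it hidden unless
            # "Hide protected operating system files" is also unchecked
            findings.append(("hidden_system_file", m.group(4)))
    return findings


def cfscript_fragment(findings):
    """Registry:: block in the shape of the CFScript posted in this thread:
    reset the notification flags and drop ownerless open ports.  The firewall
    state is only reported, as the helper's script also left it alone."""
    lines = ["Registry::"]
    notify = [d for c, d in findings if c == "securitycenter_notify_off"]
    if notify:
        lines.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]")
        lines += ['"%s"=dword:00000000' % n for n in notify]
    ports = [d for c, d in findings if c == "open_port_no_owner"]
    if ports:
        lines.append(r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]")
        lines += ['"%s"=-' % p for p in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(category, detail)
    print(cfscript_fragment(triage(SAMPLE_LOG)))
```

Only ports whose description is "null" or empty are put into the removal list; the ActiveSync and Adobe entries keep their owning product name and are left for a human to judge, which is the same distinction a helper makes by eye when reading the log.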

#10 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 11 February 2009 - 06:02 PM

Thanks for the help.

My computer seems to run A LOT more smoothly, but not 100%. Maybe 80%. (starting around 30%)




I uploaded the file:

VirSCAN.org Scanned Report :
Scanned time : 2009/01/03 13:22:23 (CST)
Scanner results: 36% Scanner(14/39) found malware!
File Name : noT.vbs
File Size : 472 byte
File Type : ASCII English text, with CRLF line terminators
MD5 : 387edbb90a5275d1b464eb31f3162c40
SHA1 : 40c7e89572e2bee9f8bd24a0163c500205d0cfb8
Online report : http://virscan.org/report/ae2d06331acaea48...a44d109004.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090102023151 2009-01-02 2.95 AdWare.Isearch!IK
AhnLab V3 2009.01.04.00 2009.01.04 2009-01-04 0.98 -
AntiVir 7.9.0.45 7.1.1.65 2009-01-02 1.70 ADSPY/Isearch
Antiy 2.0.18 20090103.1949622 2009-01-03 0.12 AdWare/Win32.MDH.af[:not_virus]
Arcavir 1.0.5 200812131407 2008-12-13 1.20 Worm.Banwarum.F
Authentium 5.1.1 200901031102 2009-01-03 1.06 -
AVAST! 3.0.1 090103-0 2009-01-03 0.00 VBS:Malware-gen
AVG 7.5.52.442 270.10.2/1873 2009-01-03 1.82 -
BitDefender 7.81008.2404735 7.22948 2009-01-04 2.20 Adware.Isearch.D
CA (VET) 9.0.0.143 31.6.6289 2009-01-02 5.27 -
ClamAV 0.94.2 8832 2009-01-03 0.00 -
Comodo 3.0 869 2009-01-03 0.84 -
CP Secure 1.1.0.715 2009.01.03 2009-01-03 6.29 -
Dr.Web 4.44.0.9170 2009.01.03 2009-01-03 3.79 -
ewido 4.0.0.2 2008.12.31 2008-12-31 3.28 Trojan.Small
F-Prot 4.4.4.56 20090103 2009-01-03 1.06 -
F-Secure 5.51.6100 2009.01.03.02 2009-01-03 0.05 -
Fortinet 2.81-3.117 9.889 2009-01-03 0.17 -
GData 19.2236/19.170 20090103 2009-01-03 2.92 VBS:Malware-gen [Engine:B]
ViRobot 20081230 2008.12.30 2008-12-30 0.46 -
Ikarus T3.1.01.45 2009.01.03.72101 2009-01-03 3.57 AdWare.Isearch
JiangMin 11.0.706 2008.12.21 2008-12-21 1.38 -
Kaspersky 5.5.10 2009.01.03 2009-01-03 0.02 -
KingSoft 2008.9.8.18 2009.1.3.20 2009-01-03 0.58 -
McAfee 5.3.00 5483 2009-01-03 2.84 -
Microsoft 1.4205 2009.01.03 2009-01-03 4.07 Adware:Win32/CMDService
mks_vir 2.01 2009.01.02 2009-01-02 2.60 -
Norman 5.93.01 5.93.00 2009-01-02 5.99 VBS/CommAd.A
Panda 9.05.01 2009.01.03 2009-01-03 2.59 Adware/CommAd
Trend Micro 8.700-1004 5.744.23 2009-01-03 0.02 -
Quick Heal 10.00 2008.11.17 2008-11-17 0.82 VBS/CommAd.A
Rising 20.0 21.10.22.00 2008-12-31 0.24 -
Sophos 2.82.1 4.37 2009-01-04 1.97 -
Sunbelt 4755 4755 2008-12-22 0.43 -
Symantec 1.3.0.24 20090102.006 2009-01-02 0.22 -
nProtect 20090102.01 2840358 2009-01-02 3.40 Adware.Isearch.D
The Hacker 6.3.1.2 v00204 2009-01-01 0.44 -
VBA32 3.12.8.10 20090103.0341 2009-01-03 1.42 -
VirusBuster 4.5.11.10 10.100.14/757540 2009-01-03 0.96 -
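The VirSCAN report above carries a Scanned time (2009/01/03) earlier than this thread and a different file name (noT.vbs), so it is the MD5 and SHA1 in its header that tie the verdict to the file on this machine. As an added example (not part of this thread or of VirSCAN), the Python below parses a report in that layout, checks its hashes and size against the bytes of a local file, and reduces the per-engine table to a detection ratio and the family name most engines agree on. The report layout is assumed from the one posted above; the sample is a constructed subset of that table.

```python
"""Parse a VirSCAN-style report, tie it to the local file by hash, and turn the
per-engine table into a detection ratio and a consensus family name.  Added
example, not part of the thread or of VirSCAN; the report layout is assumed
from the one posted above and the sample is a constructed subset of it."""
import hashlib
import re
from collections import Counter

SAMPLE_REPORT = """\
Scanned time : 2009/01/03 13:22:23 (CST)
Scanner results: 36% Scanner(14/39) found malware!
File Name : noT.vbs
File Size : 472 byte
MD5 : 387edbb90a5275d1b464eb31f3162c40
SHA1 : 40c7e89572e2bee9f8bd24a0163c500205d0cfb8

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090102023151 2009-01-02 2.95 AdWare.Isearch!IK
AhnLab V3 2009.01.04.00 2009.01.04 2009-01-04 0.98 -
AntiVir 7.9.0.45 7.1.1.65 2009-01-02 1.70 ADSPY/Isearch
CA (VET) 9.0.0.143 31.6.6289 2009-01-02 5.27 -
GData 19.2236/19.170 20090103 2009-01-03 2.92 VBS:Malware-gen [Engine:B]
Norman 5.93.01 5.93.00 2009-01-02 5.99 VBS/CommAd.A
Quick Heal 10.00 2008.11.17 2008-11-17 0.82 VBS/CommAd.A
Trend Micro 8.700-1004 5.744.23 2009-01-03 0.02 -
nProtect 20090102.01 2840358 2009-01-02 3.40 Adware.Isearch.D
"""

# Scanner names and results may contain spaces, so each row is anchored on the
# two version tokens that immediately precede the signature date.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+)$")
# Category words every vendor uses; they carry no family information.
GENERIC = {"adware", "adspy", "malware", "trojan", "worm", "virus", "win32",
           "vbs", "engine", "gen", "generic", "heur", "not"}


def parse_report(text):
    """Split a report into header fields and (scanner, result) rows."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("scanner"), m.group("result").strip()))
    return {"md5": field(r"^MD5 : ([0-9a-fA-F]{32})"),
            "sha1": field(r"^SHA1 : ([0-9a-fA-F]{40})"),
            "size": int(field(r"^File Size : (\d+) byte") or 0),
            "rows": rows}


def hashes_of(data):
    """MD5 and SHA1 hex digests of the file bytes, as the report prints them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def report_matches_file(report, data):
    """True only if size, MD5 and SHA1 in the report all match the local bytes."""
    md5, sha1 = hashes_of(data)
    return (report["size"] == len(data)
            and (report["md5"] or "").lower() == md5
            and (report["sha1"] or "").lower() == sha1)


def summarize(report):
    """Detection count, engine count and the family token most engines share."""
    hits = [r for _, r in report["rows"] if r != "-"]
    votes = Counter()
    for label in hits:
        # 'AdWare.Isearch!IK' -> ['AdWare', 'Isearch', 'IK']; keep the family word
        for tok in re.split(r"[^A-Za-z0-9]+", label):
            if len(tok) >= 4 and tok.lower() not in GENERIC:
                votes[tok.lower()] += 1
    consensus = votes.most_common(1)[0][0] if votes else None
    return {"detections": len(hits), "engines": len(report["rows"]),
            "consensus": consensus}


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(summarize(rep))
```

Before trusting a cached verdict, read the file's bytes and pass them to report_matches_file(); a mismatch means the report describes some other file that happened to share a name, not the one on the disk.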

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 AM

Posted 11 February 2009 - 06:06 PM

Hello.

Yup, that file is bad indeed. Please delete the following folder: c:\windows\R2lsbA <- Delete this folder and empty your recycling bin afterwards.

Continue with the rest of my instructions and post the logs when you are finished.

I need to go now and will probably be back later on, or maybe not.

With Regards,
Extremeboy

#12 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:45 AM

Posted 11 February 2009 - 06:34 PM

Well thank you for the support you've provided so far.



Regarding the folder, I can't see it in my C:/windows folder, even when I turn on show hidden files/folders.
I can navigate to it if I paste the path directly into explorer, but it doesn't show up in the parent folder. How will I delete it?



Combofix log:

ComboFix 09-02-11.02 - Gill 2009-02-11 17:06:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.411 [GMT -6:00]
Running from: c:\documents and settings\Gill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gill\Desktop\CFScript.txt
* Created a new restore point
.
ADS - TEMP: deleted 222 bytes in 2 streams.
ADS - portrait.bmp: deleted 4412 bytes in 2 streams.
ADS - portrait.jpg: deleted 4420 bytes in 2 streams.
ADS - prices.jpg: deleted 5332 bytes in 2 streams.
ADS - t1900z01.gif: deleted 4672 bytes in 2 streams.
ADS - t2488z01.gif: deleted 4536 bytes in 2 streams.

((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-11 10:22 . 2009-02-11 10:26 345 --a------ c:\windows\gmer.ini
2009-01-28 15:46 . 2009-01-28 15:46 <DIR> d-------- c:\program files\Trend Micro
2009-01-20 15:27 . 2009-02-11 09:45 19,549 --a------ c:\documents and settings\Gill\Application Data\FNTCACHE.BIN
2009-01-20 15:24 . 2009-01-20 15:24 <DIR> d-------- c:\program files\YourWare Solutions
2009-01-20 15:23 . 2009-01-20 15:23 <DIR> d----c--- C:\Downloads
2009-01-20 15:23 . 2009-01-20 15:25 <DIR> d-------- c:\documents and settings\Gill\Application Data\GetRightToGo
2009-01-20 15:10 . 2009-01-20 15:10 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-20 15:09 . 2009-01-20 15:09 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-14 13:06 . 2006-06-06 17:05 139,264 --a------ c:\windows\system32\igfxres.dll
2009-01-13 18:45 . 2009-01-13 18:45 <DIR> d-------- c:\program files\Intel
2009-01-12 15:44 . 2009-01-12 18:06 <DIR> d-------- c:\documents and settings\Gill\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 23:02 --------- d-----w c:\documents and settings\Gill\Application Data\uTorrent
2009-02-11 16:25 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-11 15:51 --------- d-----w c:\program files\WS_FTP Professional
2009-02-11 08:09 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-06 01:02 --------- d-----w c:\program files\POP Peeper
2009-01-27 01:18 --------- d-----w c:\program files\CloneDVD
2009-01-20 22:43 --------- d-----w c:\program files\Dachshund Software
2009-01-20 20:54 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-20 20:46 --------- dc----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-31 04:03 --------- d-----w c:\documents and settings\Gill\Application Data\Imagenomic
2008-12-30 21:04 --------- d-----w c:\program files\Winamp
2008-12-30 20:59 --------- d-----w c:\documents and settings\Gill\Application Data\Winamp
2008-12-19 08:58 --------- d-----w c:\documents and settings\Gill\Application Data\Lavasoft
2007-04-17 02:13 0 -c--a-w c:\documents and settings\Gill\peek.sys
2006-04-29 00:25 96 -c--a-w c:\documents and settings\Gill\START.BAT
2006-04-29 00:25 12 -c--a-w c:\documents and settings\Gill\DCONFIG.DAT
2006-03-30 00:21 220 -c--a-w c:\documents and settings\Gill\n.bat
2006-03-30 00:20 32,768 -c--a-w c:\documents and settings\Gill\setup.exe
2006-03-28 23:14 2,560 -c--a-w c:\documents and settings\Gill\dr.exe
2005-07-29 21:24 472 -csha-r c:\windows\R2lsbA\lZ5PvE.vbs
2006-08-31 00:50 56 -csh--r c:\windows\system32\E22085A1AE.sys
2006-08-31 00:50 1,890 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-11_10.08.00.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-11 16:22:35 565,311 ----a-w c:\windows\gmer.dll
+ 2006-11-28 21:23:32 573,440 ----a-w c:\windows\gmer.exe
+ 2009-02-11 16:22:35 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"uTorrent"="c:\documents and settings\Gill\Desktop\utorrent.exe" [2008-10-11 270128]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2009-01-20 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"RemoteControl"="c:\program files\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]

c:\documents and settings\Gill\Start Menu\Programs\Startup\
Gmail Notifier.lnk - c:\program files\Gmail\gnotify.exe [2005-07-15 479232]
Zoom.lnk - c:\program files\Dachshund Software\Zoom\Zoom.exe [2002-09-21 1446302]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - c:\wireless\WlanCU.exe [2004-12-15 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^Gill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Gill\\Desktop\\utorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2005-09-11 438912]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gmail.com\www
Trusted Zone: google.com\www
FF - ProfilePath - c:\documents and settings\Gill\Application Data\Mozilla\Firefox\Profiles\imh90c5n.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\Gill\Application Data\Mozilla\Firefox\Profiles\imh90c5n.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 17:10:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F495F893-8425-B38D-17E5-BEB553B557B4}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abfhoddlglihjdglnlgjkhgblooijllnif"=hex:61,62,64,62,66,70,6b,6c,65,67,70,70,
66,6d,65,64,6f,64,6f,64,6a,65,61,61,6d,6f,6c,70,66,68,63,67,6b,63,00,77
"bbfhoddlglihjdglnlhjnhnmknekmmikgaab"=hex:61,62,61,62,6c,64,63,6d,61,6b,6b,6c,
65,62,6c,6c,62,67,6f,6a,6e,69,69,68,65,61,6d,6a,6e,6c,70,6c,61,6d,00,77

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-02-11 17:13:42
ComboFix-quarantined-files.txt 2009-02-11 23:12:24
ComboFix2.txt 2009-02-11 16:09:36

Pre-Run: 9,969,770,496 bytes free
Post-Run: 9,959,387,136 bytes free

154 --- E O F --- 2007-06-21 02:43:29

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:45 AM

Posted 11 February 2009 - 08:25 PM

Hello.

Where is the F-Secure scan log??

I see why you can't remove it. Let's remove it using a batch script.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo off

    rem Clear the system, hidden, read-only and archive attributes, recursing into subfolders (/s), so rd can remove the tree
    attrib -s -h -r -a "c:\windows\R2lsbA" /s
    rem Remove the folder and everything in it (/s) without prompting (/q)
    Rd /s /q "c:\windows\R2lsbA"

    rem Delete this batch file itself
    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double click on fix.bat, and a black DOS window should appear and then disappear. This is normal; please do not panic.

It should be gone now. Post back with the F-Secure scan log in your next post, along with a new DDS log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
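
The ComboFix excerpt and the batch script above point at a handful of checks a responder would rather script than eyeball: autorun entries whose target sits inside a user profile (the uTorrent entry under c:\documents and settings\Gill\Desktop), the standard-profile firewall switched off ("EnableFirewall"= 0), the winlogon UIHost pointing at something other than the logonui.exe that Windows XP ships with, and the hex-encoded values under the locked registry key. The Python below is an added example, not code from the thread, from ComboFix or from F-Secure; SAMPLE_LOG is constructed from lines of the log posted above, and the regexes and function names are this example's own. It also decodes the directory name the batch script deletes: padded out, R2lsbA is the base64 encoding of "Gill", the account name that appears in the log's profile paths.

```python
"""Triage helpers for the ComboFix excerpt above.  Added example, not part of the
thread, of ComboFix or of F-Secure: the regexes, function names and SAMPLE_LOG
are this example's own; SAMPLE_LOG is built from lines of the log posted above."""
import base64
import re

SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\Gill\Desktop\utorrent.exe" [2008-10-11 270128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_USERS\S-1-5-21-1722042068-4272372366-3101731352-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F495F893-8425-B38D-17E5-BEB553B557B4}*]
@Allowed: (Read) (RestrictedCode)
"abfhoddlglihjdglnlgjkhgblooijllnif"=hex:61,62,64,62,66,70,6b,6c,65,67,70,70,
66,6d,65,64,6f,64,6f,64,6a,65,61,61,6d,6f,6c,70,66,68,63,67,6b,63,00,77
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\Run]
STRING_RE = re.compile(r'^"([^"]+)"="([^"]+)"')              # "name"="c:\x.exe" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)')  # "name"= 0 (0x0)
HEX_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')                 # "name"=hex:61,62,...


def parse_values(text):
    """Yield (section, name, value, kind) for each "name"=value line; ComboFix
    wraps long hex: values onto continuation lines, so those are joined back."""
    section, pending = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if pending is not None:                 # continuation of a wrapped hex: value
            pending[2] += line.strip()
        else:
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1)
                continue
            m = HEX_RE.match(line)
            if m:
                pending = [section, m.group(1), m.group(2).strip(), 'hex']
            else:
                for rx, kind in ((STRING_RE, 'str'), (DWORD_RE, 'dword')):
                    m = rx.match(line)
                    if m:
                        yield section, m.group(1), m.group(2), kind
                        break
                continue
        if not line.endswith(','):              # last line of the hex: value
            yield tuple(pending)
            pending = None


def hex_to_text(raw):
    """Decode ComboFix's hex:aa,bb,... notation, stopping at the first NUL."""
    data = bytes(int(b, 16) for b in raw.split(',') if b)
    return data.split(b'\x00', 1)[0].decode('latin-1')


def is_profile_path(path):
    """True when an autorun target lives under a user profile, i.e. somewhere
    the logged-on user (and anything running as that user) can write."""
    return path.lower().startswith('c:\\documents and settings\\')


def uihost_is_default(path):
    """Windows XP ships winlogon UIHost = logonui.exe; anything else needs a look."""
    return path is not None and path.lower().rsplit('\\', 1)[-1] == 'logonui.exe'


def decode_base64_name(name):
    """Decode an unpadded base64 token such as the R2lsbA directory name the
    batch script above removes; None when the token is not valid base64."""
    padded = name + '=' * (-len(name) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return None


def triage(text):
    """Collect the findings a responder would pull out of the log excerpt."""
    findings = {'profile_autoruns': [], 'firewall_enabled': None,
                'winlogon_uihost': None, 'decoded_hex': {}}
    for section, name, value, kind in parse_values(text):
        in_run_key = (section or '').lower().endswith('\\currentversion\\run')
        if kind == 'str' and in_run_key and is_profile_path(value):
            findings['profile_autoruns'].append((name, value))
        elif name == 'EnableFirewall':
            findings['firewall_enabled'] = value != '0'
        elif name == 'UIHost':
            findings['winlogon_uihost'] = value
        elif kind == 'hex':
            findings['decoded_hex'][name] = hex_to_text(value)
    return findings
```

Run `triage(SAMPLE_LOG)` against the sample: it reports the uTorrent autorun as a profile-resident target, `firewall_enabled` as False, the UIHost value for review (`uihost_is_default` returns False for logonuiX.exe) and the locked-key value decoded to a second letters-only string, `abdbfpklegppfmedododjeaamolpfhcgkc`. The decoder deliberately stops at the first NUL rather than treating the trailing byte as part of the string, and `decode_base64_name` pads before decoding because the directory name on disk carries no `=` characters.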

#14 transoptic

transoptic
  • Topic Starter

  • Members
  • 14 posts
  • Local time:04:45 AM

Posted 12 February 2009 - 04:46 PM

Result: 6 malware found
AdWare.Win32.CASClient (spyware)

* System

Trojan-Downloader.Win32.VB (virus)

* System

Trojan-Downloader.Win32.VB.aok (virus)

* C:\WINDOWS\STUP3.EXE

Trojan-Downloader.Win32.VB.cwp (virus)

* C:\DOCUMENTS AND SETTINGS\GILL\SETUP.EXE

Trojan-Dropper.Win32.Delf (virus)

* System

W32/Packed_FSG.D (virus)

* C:\PROGRAM FILES\ADOBE\ADOBE PHOTOSHOP CS4\ADOBE.PHOTOSHOP.CS4-NOPE.EXE (Submitted)

Statistics
Scanned:

* Files: 37627
* System: 5607
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 6
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-12
* F-Secure AVP: 7.0.171, 2009-02-12
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:45 AM

Posted 12 February 2009 - 06:07 PM

Hello.

Post back with the F-Secure scan log in your next post, along with a new DDS log.

Also, how is your computer running now? Any problems?

With Regards,
Extremeboy
