

various trojans trojan downloader, ispy, adwaredotnet,


This topic is locked
8 replies to this topic

#1 capinoy (Members, 4 posts)

Posted 10 February 2009 - 12:16 AM

Hi guys, I have a Win XP Media Edition PC that is 3.2 GHz with 512 MB memory. Lately this PC has been very slow at starting up, and when I try to go to Malwarebytes I constantly get a "page cannot be displayed". When I use my laptop it is fine; both are on the same network. I had the Windows Anti Trigger virus but removed that, but it is still giving me problems. Here is a copy of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:00 PM, on 2/9/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\mabidwe.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\perfs.exe
C:\WINDOWS\System32\routing.exe
C:\WINDOWS\System32\soxpeca.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Spyware Terminator\SpyWareTerminator.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [prunnet] "C:\WINDOWS\System32\prunnet.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [gadcom] "C:\Documents and Settings\LocalService\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Twain] C:\Documents and Settings\LocalService\Application Data\Twain\Twain.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SpeedRunner] C:\Documents and Settings\LocalService\Application Data\SpeedRunner\SpeedRunner.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SfKg6wIP] C:\Documents and Settings\LocalService\Application Data\Microsoft\rxrbjtc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk (User 'Default user')
O4 - .DEFAULT User Startup: TrueAssistant.lnk (User 'Default user')
O4 - Startup: TA_Start.lnk
O4 - Startup: TrueAssistant.lnk
O4 - Global Startup: HP Digital Imaging Monitor.lnk
O4 - Global Startup: Quicken Scheduled Updates.lnk
O4 - Global Startup: SBC Self Support Tool.lnk
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) - file://c:\Program Files\There\ThereClient\ThereVoiceTrainer.dll
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://c:\Program Files\There\ThereClient\ThereLauncher.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\System32\afinding.exe (file missing)
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\System32\afisicx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\System32\mabidwe.exe
O23 - Service: MsService - Unknown owner - C:\WINDOWS\system\proxy.exe (file missing)
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\System32\noytcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\System32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\System32\routing.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\System32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\System32\soxpeca.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\System32\tdydowkc.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\System32\wserving.exe (file missing)
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINDOWS\System32\wsldoekd.exe

--
End of file - 10012 bytes
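The O4 (autostart) and O23 (service) lines in a HijackThis log are what a helper reads first. The following script is an added example for this thread, not code from HijackThis, BleepingComputer or any poster: it parses such lines and flags the patterns visible in the log above with heuristics of my own (the `triage`, `first_token` and regex names are mine): autostart commands that are not an executable path, persistent Run entries in the SYSTEM hive that point into a service-account profile, and services with no vendor information or a missing binary. The sample lines are copied verbatim from the log above.

```python
"""Triage helper for HijackThis O4 and O23 lines (added example, heuristics are my own)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [gadcom] "C:\Documents and Settings\LocalService\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\System32\afisicx.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\System32\afinding.exe (file missing)
""".strip()

# "O4 - <key>: [<name>] <command> (User '<user>')" with the user suffix optional.
O4_RE = re.compile(
    r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# "O23 - Service: <display> - <owner> - <path> (file missing)" with the suffix optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# Data folders inside a profile: normal for per-user apps, not for a SYSTEM run key.
PROFILE_DATA_RE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\(application data|local settings)\\", re.I
)


@dataclass
class Finding:
    kind: str      # "O4" or "O23"
    name: str      # run-key value name or service display name
    line: str      # the original log line
    reasons: list  # why it was flagged


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(m: re.Match) -> list:
    reasons = []
    key, cmd, user = m["key"], m["cmd"], m["user"]
    exe = first_token(cmd)
    # A Run value that is neither a path nor an .exe (e.g. "IExplorer.dll .dbt") is abnormal.
    if "\\" not in exe and not exe.lower().endswith(".exe"):
        reasons.append("command is not an executable path")
    if PROFILE_DATA_RE.search(cmd):
        reasons.append("runs from a user profile data folder")
    # Persistent Run (not RunOnce) entries in the S-1-5-18 hive are rare for legitimate software.
    if user == "SYSTEM" and key.lower().endswith("\\run"):
        reasons.append("persistent Run entry in the SYSTEM (S-1-5-18) hive")
    return reasons


def triage_o23(m: re.Match) -> list:
    reasons = []
    # HijackThis prints "Unknown owner" when it cannot read a company name for the binary.
    if m["owner"].lower() == "unknown owner":
        reasons.append("service has no vendor/owner information")
    if m["missing"]:
        reasons.append("service binary is missing from disk")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O4/O23 line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m)
            if reasons:
                findings.append(Finding("O4", m["name"], line, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = triage_o23(m)
            if reasons:
                findings.append(Finding("O23", m["display"], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {'; '.join(f.reasons)}")
```

Run against the full log, the O23 block alone yields a dozen "Unknown owner" services with random-looking names in System32, which is the signal the helper acted on; the O4 hits under `HKUS\S-1-5-18` are the LocalService profile entries. The script only ranks lines for a human to review; it does not decide anything is malicious on its own.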



#2 fenzodahl512 (Members, 6,738 posts)

Posted 11 February 2009 - 03:34 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post these logs in your next reply, each log in a separate post:

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. GMER result (attached)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 capinoy, Topic Starter (Members, 4 posts)

Posted 11 February 2009 - 03:15 PM

Fenz,

Thanks for your response. Actually, I had Malwarebytes installed, but when I try to do a scan it would go for about 10-15 minutes and then get one of those errors that says "do you want to send this to Microsoft?" I could not even update Malwarebytes, nor even download it from their site. I could not ping it or browse to it. I only downloaded it from download.com. To be honest I think I have it fixed. I used some of the tips on this site that other users used when they had similar issues. I used ComboFix, SmitFraud? etc. It did find a lot and cleaned a lot. I also used Spyware Terminator. Now, after using all of those, Malwarebytes is showing clean, and when I go online and go to Google or Yahoo etc. I do not get redirected to other sites, and now I can ping Malwarebytes and Spybot. Should I remove Spyware Terminator? If I broke a prime directive on this site by doing self cleaning, I apologize. I knew the people here helping are overwhelmed and I was not sure when you guys would get back to me. If you still want the logs I'll be glad to send them; that way you can tell me if anything needs to be done.

#4 fenzodahl512 (Members, 6,738 posts)

Posted 11 February 2009 - 10:15 PM

Well, run ComboFix again. Let it self-update, then post the log here for my review.



#5 capinoy, Topic Starter (Members, 4 posts)

Posted 12 February 2009 - 12:52 AM

fenzodahl512,

Here is the log from combofix:

ComboFix 09-02-11.02 - Administrator 2009-02-11 21:06:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.193 [GMT -8:00]
Running from: C:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-10 14:33 . 2009-02-10 14:33 1,600,778 --a------ C:\SmitfraudFix.zip
2009-02-10 14:12 . 2009-02-11 21:05 2,921,425 -ra------ C:\ComboFix.exe
2009-02-10 14:02 . 2009-02-10 14:07 345 --a------ c:\windows\gmer.ini
2009-02-10 14:01 . 2009-02-10 14:01 747,873 --a------ C:\gmer.zip
2009-02-09 20:34 . 2009-02-09 20:34 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 20:47 . 2009-02-05 20:47 120,270,634 --a------ C:\2409.reg
2009-02-05 20:10 . 2009-02-11 21:01 <DIR> d-------- c:\program files\Crawler
2009-02-05 19:10 . 2009-02-10 15:59 <DIR> d-------- c:\program files\Spyware Terminator
2009-02-05 19:10 . 2009-02-10 15:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-02-05 19:10 . 2009-02-11 20:56 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-02-05 19:10 . 2009-02-05 19:10 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-05 19:02 . 2009-02-05 19:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 19:02 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 19:02 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-05 18:52 . 2009-02-05 18:52 52,736 --a------ c:\windows\system32\yayawofx.dll.ren
2009-02-05 18:52 . 2009-02-05 18:52 52,736 --a------ c:\windows\system32\rqRLcYRl.dll
2009-02-02 17:29 . 2009-02-02 17:29 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-01 20:52 . 2009-02-05 18:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-01 20:52 . 2009-02-05 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 13:46 . 2009-01-31 13:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 13:46 . 2009-01-31 13:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 08:32 --------- d-----w c:\documents and settings\LocalService\Application Data\Twain
2009-01-31 22:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-11 03:12 --------- d-----w c:\program files\Microsoft Works
2009-01-10 23:02 --------- d-----w c:\program files\BroadJump
2009-01-10 22:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-10 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-10 22:58 --------- d-----w c:\documents and settings\Administrator\Application Data\interMute
2009-01-10 22:57 --------- d-----w c:\program files\Symantec
2009-01-10 22:57 --------- d-----w c:\program files\Norton AntiVirus
2009-01-10 22:50 246 ----a-w c:\program files\Common Files\lavu750
2009-01-10 15:54 --------- d-----w c:\program files\Panda Software
2009-01-10 15:52 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2008-11-28 06:32 57,786 ----atw c:\windows\system32\MSINET.OCX.nb5.tmp
2008-04-04 03:01 246 ----a-w c:\program files\Common Files\lavu920
2007-07-03 01:48 6,112 ----a-w c:\documents and settings\All Users\Application Data\YPInfo.bin
2007-04-15 19:58 467 ----a-w c:\program files\Common Files\lavu69
2006-12-29 15:47 142 ----a-w c:\program files\Common Files\profsy.html
2005-03-17 04:18 438 ----a-w c:\documents and settings\Administrator\Application Data\tvmdmns.dll
2007-06-30 21:33 32 --sha-w c:\windows\{DED9E2F7-0BA5-4084-8FC4-ECFB5CDAB802}.dat
.

------- Sigcheck -------

2005-03-01 16:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-01 16:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2002-08-29 00:04 1920512 71ff7ec0eeea4896dd219c661c90db29 c:\windows\$NtUninstallQ811493$\ntkrnlpa.exe
2005-03-01 16:36 1955840 62c353c0449fd961ef7814973fc2fd30 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2004-06-17 00:03 1954688 ed0d7a5f1138ccfd3ecaf8f6ac691f13 c:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\ntkrnlpa.exe
2004-08-03 21:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntkrnlpa.exe
2004-08-03 21:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ntkrnlpa.exe
2004-10-21 23:29 1955840 efa7883018f42295d927121808ae6cee c:\windows\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\sp1qfe\ntkrnlpa.exe
2005-03-01 16:36 1928704 0f260f3e39839d1384c44aa3941d24ff c:\windows\system32\ntkrnlpa.exe
2003-07-30 11:00 1947904 0e8efb15746878a9b256e75267337233 c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\ntkrnlpa.exe

2005-03-01 16:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-01 17:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2002-08-29 00:04 1891840 25a90eb7d1eee12ab198dc9421bfa353 c:\windows\$NtUninstallQ811493$\ntoskrnl.exe
2005-03-01 17:33 2040832 a15a2ee0be2f71fc1752a05660b8ebdc c:\windows\Driver Cache\i386\ntoskrnl.exe
2004-06-17 09:22 2051584 f240dc474f8edb2d95514d831df069e5 c:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\ntoskrnl.exe
2004-08-03 22:19 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntoskrnl.exe
2004-08-03 22:19 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\ntoskrnl.exe
2004-10-22 00:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae c:\windows\SoftwareDistribution\Download\c9057d3faf4a326a2fefff7bde9fec31\sp1qfe\ntoskrnl.exe
2005-03-01 16:36 1900032 6a500835e7be7f7459e3b73e1cee1834 c:\windows\system32\ntoskrnl.exe
2003-07-30 04:00 2042240 b9080d97dbd631aadf9128f7316958d2 c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-10_14.28.43.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-10 22:04:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-12 04:55:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-10 22:04:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-12 04:55:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-12 04:55:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-24 15:04:34 53,436 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-10 22:47:41 53,436 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-24 15:04:34 381,692 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-10 22:47:41 381,692 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 24576]
"NVIEW"="nview.dll" [2003-08-19 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2003-11-12 48128]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-12-17 151597]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2009-02-05 53248]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 139264]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-02-05 2267136]
"nwiz"="nwiz.exe" [2003-08-19 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 c:\windows\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\System32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 218496]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
TrueAssistant.lnk - c:\program files\TrueAssistant\TrueAssistant.exe [2004-08-30 333312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-30 57344]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2004-08-19 217088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ibn57.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
"AntiVirusDisableNotify"="0x00000000"

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-02-05 142592]
R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys [2008-03-01 7040]
S0 Ibn57;Ibn57;c:\windows\System32\Drivers\Ibn57.sys --> c:\windows\System32\Drivers\Ibn57.sys [?]
S0 Xnra39;Xnra39; [x]
S1 cbidf2kk;cbidf2kk;c:\windows\System32\drivers\cbidf2kk.sys --> c:\windows\System32\drivers\cbidf2kk.sys [?]
S2 239C2639CDF1FBE4;239C2639CDF1FBE4;\??\c:\documents and settings\Administrator\Desktop\239C2639CDF1FBE4\239C2639CDF1FBE4 --> c:\documents and settings\Administrator\Desktop\239C2639CDF1FBE4\239C2639CDF1FBE4 [?]
S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2008-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2009-01-10 c:\windows\Tasks\PCHealth Scheduler for Upload Library.job
- c:\windows\PCHealth\UploadLB\Binaries\UploadM.exe [2003-07-30 04:00]

2008-03-08 c:\windows\Tasks\WebReg 20040718231048.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 08:43]

2008-02-26 c:\windows\Tasks\wrSpySweeper_LA1202AE213FC4FE8A7DD54ABEC4614D8.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-01-25 20:58]

2008-02-26 c:\windows\Tasks\wrSpySweeper_LA1202AE213FC4FE8A7DD54ABEC4614D8.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-01-25 20:58]

2008-02-26 c:\windows\Tasks\wrSpySweeper_LA1202AE213FC4FE8A7DD54ABEC4614D8.job
- A:\ []
.
.
------- Supplementary Scan -------
.
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\ctbr.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} - file://c:\docume~1\ADMINI~1\LOCALS~1\Temp\ThereInstallHelper.dll
DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} - file://c:\program files\There\ThereClient\ThereVoiceTrainer.dll
DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} - file://c:\program files\There\ThereClient\ThereLauncher.dll
.
.
------- File Associations -------
.
inifile=jhtyuytrhgbnfjrg.exe %1
txtfile=jhtyuytrhgbnfjrg.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 21:08:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\239C2639CDF1FBE4]
"ImagePath"="\??\c:\documents and settings\Administrator\Desktop\239C2639CDF1FBE4\239C2639CDF1FBE4"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\System32\dssenh.dll
.
Completion time: 2009-02-11 21:17:26
ComboFix-quarantined-files.txt 2009-02-12 05:17:23
ComboFix2.txt 2009-02-10 22:29:53

Pre-Run: 177,938,014,208 bytes free
Post-Run: 177,928,777,728 bytes free

192

#6 fenzodahl512 (Members, 6,738 posts)

Posted 12 February 2009 - 01:08 AM

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    :filefind
    jhtyuytrhgbnfjrg.exe
  • Hit the Look button and let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.
NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Ibn57
Xnra39
cbidf2kk
239C2639CDF1FBE4
mrtRate

Rootkit::
c:\documents and settings\Administrator\Desktop\239C2639CDF1FBE4\239C2639CDF1FBE4

File::
C:\2409.reg
c:\windows\system32\yayawofx.dll.ren
c:\windows\system32\rqRLcYRl.dll
c:\program files\Common Files\lavu750
c:\program files\Common Files\lavu920
c:\program files\Common Files\lavu69
c:\program files\Common Files\profsy.html
c:\documents and settings\Administrator\Application Data\tvmdmns.dll
c:\windows\system32\MSINET.OCX.nb5.tmp
c:\windows\System32\Drivers\Ibn57.sys
c:\windows\System32\drivers\cbidf2kk.sys
c:\documents and settings\Administrator\Desktop\239C2639CDF1FBE4\239C2639CDF1FBE4
Folder::
c:\documents and settings\LocalService\Application Data\Twain

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • SystemLook.

Edited by fenzodahl512, 12 February 2009 - 01:09 AM.



#7 capinoy, Topic Starter (Members, 4 posts)

Posted 14 February 2009 - 02:16 PM

Fenz,

I was going to attempt to do what you recommended last, but for some reason the PC took a dump and decided to take a very, very long time to log in. I mean I was at the 30 minute mark just waiting. I even rebooted multiple times afterwards just to see if it was just that one time, but nope. I ended up doing a restore, but that restored my data and some potential problems. I did a Malwarebytes quick scan and it found nothing. I even ran a Spyware Terminator scan and it found nothing. Seems to be running fine. Should I post a final log of something just for you to look at one more time? I have a feeling there might be something there that the 2 programs are not seeing. What log should I send, HijackThis? When you get a chance can you let me know?

Thanks

#8 fenzodahl512 (Members, 6,738 posts)

Posted 14 February 2009 - 02:43 PM

Ok, just do the below.


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. (mirror)
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post these logs in your next reply, each log in a separate post:

1. RSIT log.txt
2. RSIT info.txt
3. GMER result (attached)



#9 fenzodahl512 (Members, 6,738 posts)

Posted 25 February 2009 - 07:47 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

