
Infected with Backdoor virus


60 replies to this topic

#1 Mag1c


Posted 10 March 2009 - 01:20 AM

Hi, BleepingComputer

I have a little problem with my computer. I believe it's being used as a botnet zombie as well as a Remote Administrator Tool (RAT).

I have been having really weird problems with my computer lately. It has been acting funny while connecting to the internet.

- A few weeks ago I guess I visited a website that had a script in it and downloaded something onto my computer, because I noticed ERROR popups in Internet Explorer. It kept popping up and my firewall kept asking to allow Internet Explorer to update. So I never thought anything of it; then 2 minutes later my computer automatically brought up an error saying "Computer will shutdown in 60 seconds".

I then turned off my computer, unplugged it from the Internet, logged onto my other computer and blocked outbound on the firewall.
Downloaded and reviewed numerous antispyware, anti-malware, antivirus tools, etc.

I came to a halt with:
  • Malwarebytes
  • SUPERAntiSpyware
  • Spybot Search & Destroy
  • Outpost Firewall Antispyware
  • ESET NOD32
  • avast!
  • Norton Internet Security 2009

I did scans with all of them, booted into safe mode after updating them. They picked up a few things, false positives.
I quarantined/removed all of them. I then read up on ways to lock down your PC. I tried every one and uninstalled all of them except:
  • ESET NOD32
  • Outpost Firewall 2009
  • Malwarebytes
  • Spybot
  • SUPERAntiSpyware
So I uninstalled Norton and avast!.

I searched Google for how to secure my computer, found the website below and followed most of the guide, etc.

link: http://computercare.ca/forum/showthread.php?p=2288#post2288

I followed that guide and found out that if I did have anything on my system, it had the same rights as me.
So I instantly made another account as a Limited User; I then disabled the other account / changed it so it could not change the password, etc., in Administrative Tools.

I grabbed another program called Sandboxie; it's supposed to prevent stuff being downloaded without your permission / changing the registry, etc., on any website unless you otherwise grant it permission.


Problems lately: the Internet is getting throttled, and when I open up Outpost Firewall, view open connections and take off every program that's running, it's still sending things through the internet. I believe the virus is in my system and it's attached to svchost.exe.

I also turned off System Restore because I never made any points and I found it quite useless. It always made things worse for me. So I disabled it like it said in the link above, so if people did have access to my computer they couldn't restore the computer so the virus/malware would be back on there, etc.

I have defragged my HD and removed unnecessary programs from the Startup list. I used CCleaner to do so and to fix the registry as well.

I have installed all the Windows updates and whatnot. I have run numerous in-depth scans with quite a few antivirus programs, etc.

The only reason I have not reformatted yet is because I have a lot of files that I couldn't replace/backup. I also have a limit of about 10 GB per month between 2 people on my internet usage, and it is the only internet service provider in my area.

So reformatting, getting the main programs I need, updating Windows, yadda yadda, would be something I couldn't do, or else my internet will be 200 or more again, which I can't really deal with atm.



Any help from you guys would be awesome! I will post the HJT log and the other requested logs.


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:21 PM, on 09/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~2\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro3\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ctfmon.exe] ctfmon.exe /n (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ctfmon.exe] ctfmon.exe /n (User 'Default user')
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro3\ie_bar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~2\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~2\acs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 4858 bytes



DDS LOG:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Sholto at 23:32:37.15 on 09/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1521 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Outpost Firewall Pro *enabled*
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\op_mon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sholto.SALGUOD\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~2\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall pro3\feedback.exe" /dump:os_startup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ctfmon.exe] ctfmon.exe /n
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost firewall pro3\ie_bar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~2\wl_hook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sholto~1.sal\applic~1\mozilla\firefox\profiles\v0b7t3o0.default\
FF - prefs.js: browser.startup.homepage - www.google.ca

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2007-12-9 11840]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-3-7 673920]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~2\acs.exe [2009-3-7 1238344]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-3-7 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-3-7 234640]
S3 AIDA32Driver;AIDA32Driver;\??\c:\docume~1\sholto\locals~1\temp\rar$ex00.797\aida32.sys --> c:\docume~1\sholto\locals~1\temp\rar$ex00.797\aida32.sys [?]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2009-3-7 33408]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2007-12-9 48448]
S3 ddsxeiservice;ddsxeiservice2;\??\c:\program files\sxe injected\ddsxei.sys --> c:\program files\sxe injected\ddsxei.sys [?]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-3-1 31704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\sholto\locals~1\temp\tccpuinfo.sys --> c:\docume~1\sholto\locals~1\temp\TCCpuInfo.sys [?]
S4 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\all users\application data\norton\Norton2009Reset.exe [2009-2-23 281625]
S4 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2007-12-9 63016]
S4 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2007-12-9 214056]

=============== Created Last 30 ================

2009-03-08 23:46 196,436 a---h--- c:\windows\system32\drivers\eklgfo.sys
2009-03-08 23:28 196,436 a---h--- c:\windows\system32\drivers\tkasi.sys
2009-03-08 22:47 <DIR> --d----- c:\program files\JapaBrz Csharp Crypter&Binder
2009-03-08 22:07 <DIR> --dsh--- c:\program files\HTV
2009-03-08 16:28 196,436 a---h--- c:\windows\system32\drivers\wffo.sys
2009-03-08 16:17 196,436 a---h--- c:\windows\system32\drivers\ebczhk.sys
2009-03-08 15:55 196,436 a---h--- c:\windows\system32\drivers\cjhgd.sys
2009-03-08 15:50 196,436 a---h--- c:\windows\system32\drivers\buch.sys
2009-03-08 02:08 <DIR> --d----- c:\program files\PokerStars.NET
2009-03-07 12:48 234,640 a------- c:\windows\system32\drivers\afwcore.sys
2009-03-07 12:48 49 a------- c:\windows\transp.gif
2009-03-07 12:48 673,920 a------- c:\windows\system32\drivers\SandBox.sys
2009-03-07 12:48 30,864 a------- c:\windows\system32\drivers\afw.sys
2009-03-07 12:47 <DIR> --d----- c:\windows\system32\Filt
2009-03-07 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-03-06 22:45 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\Xfire
2009-03-06 22:45 <DIR> --d----- c:\program files\Xfire
2009-03-06 14:09 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\Malwarebytes
2009-03-06 14:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 14:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 14:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-04 20:33 <DIR> --d-h--- C:\ProgramFiles
2009-03-03 23:50 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-03 23:50 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2009-03-03 23:49 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-03 22:52 <DIR> --d----- C:\3518c4c669f35a3628e24bfdaee4
2009-03-03 22:48 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-03 04:23 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\LimeWire
2009-03-03 02:24 <DIR> --d----- c:\program files\BreakPoint Software
2009-03-03 01:54 8,192 a------- C:\ventrilopwd.exe
2009-03-03 01:54 7,289 a------- C:\ventrilopwd.c
2009-03-01 09:22 <DIR> --d----- c:\program files\Trend Micro
2009-03-01 08:54 31,704 a------- c:\windows\system32\drivers\hssdrv.sys
2009-02-28 19:56 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\DAEMON Tools Pro
2009-02-28 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-02-28 15:11 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-02-27 04:33 <DIR> --d----- C:\websymbols
2009-02-27 04:14 1,374,232 a------- c:\windows\system32\D3DCompiler_36.dll
2009-02-27 03:57 <DIR> --d----- c:\windows\Logs
2009-02-27 02:59 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\id Software
2009-02-27 02:54 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-27 02:54 22,328 a------- c:\docume~1\sholto~1.sal\applic~1\PnkBstrK.sys
2009-02-27 02:54 201,352 a------- c:\windows\system32\PnkBstrB.exe
2009-02-27 02:54 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-27 02:54 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-02-27 02:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-02-27 02:23 <DIR> --d----- c:\windows\system32\scripting
2009-02-27 02:23 <DIR> --d----- c:\windows\l2schemas
2009-02-27 02:23 <DIR> --d----- c:\windows\system32\en
2009-02-27 01:39 <DIR> --d----- c:\program files\Alcohol Soft
2009-02-27 01:30 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-26 23:09 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-26 23:09 1,409 a------- c:\windows\QTFont.for
2009-02-26 23:00 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\SUPERAntiSpyware.com
2009-02-26 18:41 <DIR> --d----- c:\program files\CCleaner
2009-02-26 12:47 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-23 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-22 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-02-22 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-22 23:09 <DIR> --d----- C:\Sandbox
2009-02-22 23:08 2,198 a------- c:\windows\Sandboxie.ini
2009-02-22 23:08 <DIR> --d----- c:\program files\Sandboxie
2009-02-22 16:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 16:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-21 08:46 300,969 -c------ c:\windows\system32\dllcache\viz.wmv
2009-02-21 08:45 69,632 -c------ c:\windows\system32\dllcache\msscds32.ax
2009-02-21 08:44 144,384 -------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-21 07:59 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-02-21 07:52 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-02-21 07:52 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-21 07:52 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-21 07:52 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-21 07:52 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-21 07:47 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-02-21 07:47 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-21 07:47 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-02-21 07:47 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-02-21 07:47 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-21 07:46 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-02-20 23:17 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-11 02:24 268 a---h--- C:\sqmdata19.sqm
2009-02-11 02:24 244 a---h--- C:\sqmnoopt19.sqm
2009-02-11 02:23 268 a---h--- C:\sqmdata18.sqm
2009-02-11 02:23 244 a---h--- C:\sqmnoopt18.sqm

==================== Find3M ====================

2009-03-08 23:46 98,304 a------- c:\windows\DUMP5fc3.tmp
2009-03-08 03:53 98,304 a------- c:\windows\DUMP568c.tmp
2009-03-04 18:48 60,816 a---h--- c:\windows\system32\mlfcache.dat
2009-02-27 02:29 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-02-10 00:52 27,264 a--sh--- c:\windows\system32\fmze.sys
2008-02-17 08:10 27,264 a--sh--- c:\windows\system32\hnpf.sys
2008-01-08 21:32 28,288 a--sh--- c:\windows\system32\zektxg.sys

============= FINISH: 23:33:07.62 ===============
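Added here as an example (not part of the thread and not part of the DDS tool): a small Python triage script that parses the "Created Last 30" and "Find3M" lines of a DDS log like the one above and flags the patterns a helper looks at first, such as the hidden, identically sized, randomly named .sys files in that log. The sample lines are copied from the logs posted in this thread; the heuristics and thresholds are my own assumptions.

```python
"""Triage helper for the 'Created Last 30' and 'Find3M' sections of a DDS log.

Added example (not from the thread, not part of DDS). It parses the
fixed-layout lines DDS prints and applies defender-side heuristics:
hidden drivers with random-looking names, clusters of hidden files that
share one exact byte size, hidden+system folders under Program Files,
and an autorun.inf in a drive root. A hit is a reason to look, not proof.
"""
import re
from collections import defaultdict

# One entry: date, time, size (or <DIR>), 8-character attribute field, path.
# Attribute letters in DDS output: a(rchive) c(ompressed) d(irectory)
# s(ystem) h(idden) r(ead-only); '-' marks an unset bit.
DDS_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*)$",
    re.IGNORECASE,
)

# Sample input: lines copied from the DDS logs posted in this thread.
# SandBox.sys and the Malwarebytes folder are benign controls that must
# not be flagged.
SAMPLE_LOG = r"""
2009-03-08 23:46 196,436 a---h--- c:\windows\system32\drivers\eklgfo.sys
2009-03-08 23:28 196,436 a---h--- c:\windows\system32\drivers\tkasi.sys
2009-03-08 22:07 <DIR> --dsh--- c:\program files\HTV
2009-03-08 16:28 196,436 a---h--- c:\windows\system32\drivers\wffo.sys
2009-03-07 12:48 673,920 a------- c:\windows\system32\drivers\SandBox.sys
2009-03-06 14:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 01:44 <DIR> a-dshr-- C:\autorun.inf
2008-02-10 00:52 27,264 a--sh--- c:\windows\system32\fmze.sys
"""


def parse_dds_entries(text):
    """Return one dict per line that matches the DDS entry layout."""
    entries = []
    for line in text.splitlines():
        m = DDS_ENTRY.match(line.strip())
        if not m:
            continue  # section banners, blank lines, anything else
        e = m.groupdict()
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = None if e["is_dir"] else int(e["size"].replace(",", ""))
        e["attrs"] = e["attrs"].lower()
        e["path"] = e["path"].strip()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def looks_random(stem):
    """Heuristic (an assumption of this example): short, all-lowercase,
    letters-only stems such as eklgfo, tkasi or wffo; legitimate drivers
    usually carry a vendor-like name."""
    return 3 <= len(stem) <= 7 and stem.isalpha() and stem.islower()


def triage(entries):
    """Apply the heuristics and return (path, reason) pairs in log order."""
    # Several hidden files sharing one exact size (four 196,436-byte drivers
    # in the log above) is a strong hint that one dropper wrote them all.
    hidden_by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and "h" in e["attrs"]:
            hidden_by_size[e["size"]].append(e["path"])

    findings = []
    for e in entries:
        hidden, system = "h" in e["attrs"], "s" in e["attrs"]
        stem, _, ext = e["name"].lower().rpartition(".")
        if not e["is_dir"] and ext == "sys" and hidden and looks_random(stem):
            findings.append((e["path"], "hidden driver with random-looking name"))
        if not e["is_dir"] and hidden and len(hidden_by_size[e["size"]]) >= 2:
            n = len(hidden_by_size[e["size"]])
            findings.append((e["path"], f"one of {n} hidden files of exactly {e['size']:,} bytes"))
        if e["is_dir"] and hidden and system and "\\program files\\" in e["path"].lower():
            findings.append((e["path"], "hidden+system folder under Program Files"))
        if re.fullmatch(r"[a-z]:\\autorun\.inf", e["path"].lower()):
            kind = "folder (often a deliberate autorun vaccine; confirm)" if e["is_dir"] else "file"
            findings.append((e["path"], f"autorun.inf {kind} in drive root"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_dds_entries(SAMPLE_LOG)):
        print(f"{path}\n    -> {reason}")
```

Feed it the whole DDS text; lines that are not entries (banners, process lists) are skipped, so it can be run on the log as posted.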



#2 Mag1c


Posted 10 March 2009 - 04:40 PM

Bumped due to help needed as soon as possible.

Thank you sir

#3 Mag1c


Posted 11 March 2009 - 08:56 PM

So I just cleaned the entire inside of my computer and reapplied thermal paste. I also ran more anti-virus scans and re-installed my firewall, which is Outpost 2009, so if the virus has tried disabling the firewall, I reinstalled it so it would be working fine again.

Is there anyone that can help me so my internet doesn't keep getting rung up? I mean there's something connecting on my net, possibly a dialer of some sort, because I am on DSL.

Anything else I can do, or learn how to use ComboFix / read HJT logs?

I've been having internet problems. Sometimes I cannot connect to the internet, but the network activity is going nuts. Also sometimes I just lag really badly for no reason. I've got a Dell XPS; I don't seem to have a solution as of yet. But I am thinking of just buying a new computer.

Edited by Mag1c, 12 March 2009 - 05:21 PM.


#4 Mag1c


Posted 16 March 2009 - 03:25 AM

I've been waiting for quite some days now; some help would be awesome!

Thanks

#5 KoanYorel


Posted 22 March 2009 - 12:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 Mag1c


Posted 23 March 2009 - 05:26 PM

I will do this when I get home from work.

thanks

#7 Mag1c


Posted 23 March 2009 - 08:25 PM

Here is the requested log along with the attached log.
I am having the same problems as I last posted above.




DDS (Ver_09-03-16.01) - NTFSx86
Run by Sholto at 19:20:07.92 on 23/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1546 [GMT -6:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Outpost Firewall Pro *enabled*
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\acs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Agnitum\OUTPOS~2\op_mon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sholto.SALGUOD\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uWindow Title = PWNED
BHO: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~2\op_mon.exe /tray /noservice
mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ctfmon.exe] ctfmon.exe /n
dRunOnce: [KeyScrambler] c:\program files\keyscrambler2\getting_started.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {44627E97-789B-40d4-B5C2-58BD171129A1} - {A1A7E22D-1587-4230-8F16-081C68D21448} - c:\program files\agnitum\outpost firewall pro3\ie_bar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~2\wl_hook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sholto~1.sal\applic~1\mozilla\firefox\profiles\v0b7t3o0.default\
FF - prefs.js: browser.startup.homepage - www.google.ca

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2007-12-9 11840]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-3-7 673920]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~2\acs.exe [2009-3-7 1238344]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-3-12 582992]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-3-7 30864]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-3-7 234640]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-3-12 206608]
S3 AIDA32Driver;AIDA32Driver;\??\c:\docume~1\sholto\locals~1\temp\rar$ex00.797\aida32.sys --> c:\docume~1\sholto\locals~1\temp\rar$ex00.797\aida32.sys [?]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2009-3-7 33408]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2007-12-9 48448]
S3 ddsxeiservice;ddsxeiservice2;\??\c:\program files\sxe injected\ddsxei.sys --> c:\program files\sxe injected\ddsxei.sys [?]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-3-1 31704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\sholto\locals~1\temp\tccpuinfo.sys --> c:\docume~1\sholto\locals~1\temp\TCCpuInfo.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-3-12 206608]
S4 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\all users\application data\norton\Norton2009Reset.exe [2009-2-23 281625]
S4 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2007-12-9 63016]
S4 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2007-12-9 214056]

=============== Created Last 30 ================

2009-03-23 04:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-19 01:48 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-19 01:48 1,409 a------- c:\windows\QTFont.for
2009-03-18 16:46 <DIR> --d----- c:\windows\SHELLNEW
2009-03-17 20:33 <DIR> --d----- C:\UBCD4Win
2009-03-16 16:58 <DIR> --d--r-- c:\program files\Skype
2009-03-16 00:09 <DIR> --d----- C:\Hijackthis
2009-03-15 03:18 4,146 a------- c:\windows\Cmicnfg3.ini.cfl
2009-03-15 03:18 6,914,048 a------- c:\windows\system\CMICNFG3.cpl
2009-03-15 03:18 917,504 a------- c:\windows\system\CMDS3D3.dll
2009-03-15 03:18 712,704 a------- c:\windows\system\AUDIO3D3.dll
2009-03-15 03:18 712,704 a------- c:\windows\system\a3d.dll
2009-03-15 03:18 262,144 a------- c:\windows\system32\CMRMDRV3.exe
2009-03-15 03:18 32,768 a------- c:\windows\system32\CMUdaProp3.dll
2009-03-15 03:18 28,672 a------- c:\windows\system32\CMRMDRV3.dll
2009-03-15 03:18 528 a------- c:\windows\system\Cmicnfg3.ini
2009-03-15 03:18 <DIR> --d----- c:\program files\C-Media PCI Audio Device
2009-03-15 03:17 274,432 a------- c:\windows\CmiPCIUninstall.exe
2009-03-15 03:17 1,405,696 a------- c:\windows\system32\drivers\cmudax3.sys
2009-03-15 03:17 36,864 a------- c:\windows\system32\cmudax3.DLL
2009-03-15 03:17 <DIR> --d----- c:\program files\C-Media PCI Audio
2009-03-15 03:12 <DIR> --d----- C:\Mystique Sound Driver
2009-03-15 02:37 <DIR> --d----- C:\rootreveal
2009-03-15 02:31 118,784 a------- c:\windows\system32\MSSTDFMT.DLL
2009-03-15 02:31 <DIR> --d----- c:\program files\SpywareBlaster
2009-03-15 01:44 <DIR> a-dshr-- C:\autorun.inf
2009-03-14 21:35 <DIR> --d----- c:\program files\OpenAL
2009-03-14 21:35 3,418 a------- c:\windows\Cmicnfg3.ini.cfg
2009-03-14 21:35 12 a------- c:\windows\cmudax3.ini
2009-03-14 18:16 <DIR> --d----- c:\program files\KeyScrambler
2009-03-12 13:09 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-12 13:06 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-03-10 00:36 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-08 23:46 196,436 a---h--- c:\windows\system32\drivers\eklgfo.sys
2009-03-08 23:28 196,436 a---h--- c:\windows\system32\drivers\tkasi.sys
2009-03-08 22:07 <DIR> --dsh--- c:\program files\HTV
2009-03-08 16:28 196,436 a---h--- c:\windows\system32\drivers\wffo.sys
2009-03-08 16:17 196,436 a---h--- c:\windows\system32\drivers\ebczhk.sys
2009-03-08 15:55 196,436 a---h--- c:\windows\system32\drivers\cjhgd.sys
2009-03-08 15:50 196,436 a---h--- c:\windows\system32\drivers\buch.sys
2009-03-08 02:08 <DIR> --d----- c:\program files\PokerStars.NET
2009-03-07 12:48 234,640 a------- c:\windows\system32\drivers\afwcore.sys
2009-03-07 12:48 49 a------- c:\windows\transp.gif
2009-03-07 12:48 673,920 a------- c:\windows\system32\drivers\SandBox.sys
2009-03-07 12:48 30,864 a------- c:\windows\system32\drivers\afw.sys
2009-03-07 12:47 <DIR> --d----- c:\windows\system32\Filt
2009-03-07 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-03-06 22:45 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\Xfire
2009-03-06 22:45 <DIR> --d----- c:\program files\Xfire
2009-03-06 14:09 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\Malwarebytes
2009-03-06 14:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 14:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 14:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-04 20:33 <DIR> --d-h--- C:\ProgramFiles
2009-03-03 23:50 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-03 23:50 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2009-03-03 23:49 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-03 22:52 <DIR> --d----- C:\3518c4c669f35a3628e24bfdaee4
2009-03-03 22:48 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-03 04:23 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\LimeWire
2009-03-03 02:24 <DIR> --d----- c:\program files\BreakPoint Software
2009-03-03 01:54 8,192 a------- C:\ventrilopwd.exe
2009-03-03 01:54 7,289 a------- C:\ventrilopwd.c
2009-03-01 09:22 <DIR> --d----- c:\program files\Trend Micro
2009-03-01 08:54 31,704 a------- c:\windows\system32\drivers\hssdrv.sys
2009-02-28 19:56 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\DAEMON Tools Pro
2009-02-28 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-02-28 15:11 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-02-27 04:33 <DIR> --d----- C:\websymbols
2009-02-27 04:14 1,374,232 a------- c:\windows\system32\D3DCompiler_36.dll
2009-02-27 03:57 <DIR> --d----- c:\windows\Logs
2009-02-27 02:59 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\id Software
2009-02-27 02:54 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-27 02:54 22,328 a------- c:\docume~1\sholto~1.sal\applic~1\PnkBstrK.sys
2009-02-27 02:54 201,352 a------- c:\windows\system32\PnkBstrB.exe
2009-02-27 02:54 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-27 02:54 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-02-27 02:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\id Software
2009-02-27 02:23 <DIR> --d----- c:\windows\system32\scripting
2009-02-27 02:23 <DIR> --d----- c:\windows\l2schemas
2009-02-27 02:23 <DIR> --d----- c:\windows\system32\en
2009-02-27 01:39 <DIR> --d----- c:\program files\Alcohol Soft
2009-02-27 01:30 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-26 23:00 <DIR> --d----- c:\docume~1\sholto~1.sal\applic~1\SUPERAntiSpyware.com
2009-02-26 18:41 <DIR> --d----- c:\program files\CCleaner
2009-02-26 12:47 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-23 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-22 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-02-22 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-02-22 23:09 <DIR> --d----- C:\Sandbox
2009-02-22 23:08 2,198 a------- c:\windows\Sandboxie.ini
2009-02-22 23:08 <DIR> --d----- c:\program files\Sandboxie
2009-02-22 16:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 16:04 <DIR> --d----- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2009-03-15 03:17 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-03-15 03:17 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-03-11 19:06 98,304 a------- c:\windows\DUMP7399.tmp
2009-03-08 23:46 98,304 a------- c:\windows\DUMP5fc3.tmp
2009-03-08 03:53 98,304 a------- c:\windows\DUMP568c.tmp
2009-03-04 18:48 60,816 a---h--- c:\windows\system32\mlfcache.dat
2009-02-27 02:29 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-02-10 00:52 27,264 a--sh--- c:\windows\system32\fmze.sys
2008-02-17 08:10 27,264 a--sh--- c:\windows\system32\hnpf.sys
2008-01-08 21:32 28,288 a--sh--- c:\windows\system32\zektxg.sys

============= FINISH: 19:21:07.14 ===============

Attached Files
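The DDS listing above contains a pattern a responder would normally flag by eye: six hidden `.sys` files with meaningless names, all exactly 196,436 bytes, all created in `c:\windows\system32\drivers` within about eight hours on 2009-03-08, plus three older system+hidden `.sys` files sitting directly in `system32`. As an added example, not part of this thread and not code from DDS, ComboFix or any tool named here, the following Python script parses lines in the "Created Last 30" / "Find3M" format and applies two defender-side heuristics to them: hidden driver files under `system32`, and clusters of same-size, same-extension files created inside a short window. The sample input is constructed from entries in the log above (one directory and one benign driver are included for contrast); the thresholds (three members, 24 hours) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in DDS "Created Last 30" format, copied from entries in the
# log above. A header line, a directory and a known-good driver are included so
# the parser's skipping and the rules' negative cases are exercised.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-03-23 04:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-12 13:06 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-03-08 23:46 196,436 a---h--- c:\windows\system32\drivers\eklgfo.sys
2009-03-08 23:28 196,436 a---h--- c:\windows\system32\drivers\tkasi.sys
2009-03-08 22:07 <DIR> --dsh--- c:\program files\HTV
2009-03-08 16:28 196,436 a---h--- c:\windows\system32\drivers\wffo.sys
2009-03-08 16:17 196,436 a---h--- c:\windows\system32\drivers\ebczhk.sys
2009-03-08 15:55 196,436 a---h--- c:\windows\system32\drivers\cjhgd.sys
2009-03-08 15:50 196,436 a---h--- c:\windows\system32\drivers\buch.sys
2009-03-06 14:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-02-10 00:52 27,264 a--sh--- c:\windows\system32\fmze.sys
2008-02-17 08:10 27,264 a--sh--- c:\windows\system32\hnpf.sys
2008-01-08 21:32 28,288 a--sh--- c:\windows\system32\zektxg.sys
"""

# One listing line: timestamp, byte size or <DIR>, 8-char attribute field, path.
# The attribute field uses the letters a/c/d/s/h/r (archive, compressed,
# directory, system, hidden, read-only) with '-' for unset flags.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+?)\s*$"
)


def parse_entries(log_text):
    """Turn listing lines into dicts; headers, blanks and unrelated lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size_field = m.group("size")
        is_dir = size_field == "<DIR>"
        entries.append({
            "created": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": None if is_dir else int(size_field.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path").lower(),
        })
    return entries


def hidden_system_drivers(entries):
    """Rule 1: .sys files under \\windows\\system32 carrying the hidden attribute.

    Legitimate drivers are not normally installed hidden; the attribute is a
    cheap way for a dropper to keep files out of a casual Explorer view.
    """
    hits = []
    for e in entries:
        if e["is_dir"] or not e["path"].endswith(".sys"):
            continue
        if "\\windows\\system32\\" in e["path"] and "h" in e["attrs"]:
            hits.append(e["path"])
    return hits


def same_size_clusters(entries, min_members=3, window=timedelta(hours=24)):
    """Rule 2: >= min_members files with identical size and extension created within window.

    Repeated drops of the same payload under fresh random names produce
    identical byte sizes; ordinary software installs rarely do.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        ext = e["path"].rsplit(".", 1)[-1]
        groups[(e["size"], ext)].append(e)
    clusters = []
    for (size, ext), members in groups.items():
        if len(members) < min_members:
            continue
        times = sorted(m["created"] for m in members)
        if times[-1] - times[0] <= window:
            clusters.append({"size": size, "ext": ext,
                             "paths": sorted(m["path"] for m in members)})
    return clusters


def triage(log_text):
    """Run both rules over a DDS-style listing and return the findings."""
    entries = parse_entries(log_text)
    return {"hidden_sys": hidden_system_drivers(entries),
            "size_clusters": same_size_clusters(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["hidden_sys"]:
        print("hidden driver:", path)
    for c in report["size_clusters"]:
        print(f"cluster of {len(c['paths'])} x {c['size']} bytes (.{c['ext']}):")
        for path in c["paths"]:
            print("   ", path)
```

Both rules are heuristics, not verdicts: a hidden driver or a size cluster is a reason to look at the file (hash it, check its signature, see which service entry loads it), not proof of infection on its own. Running it on the sample flags nine hidden drivers and one cluster of six 196,436-byte files.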



#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 24 March 2009 - 11:09 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#9 Mag1c

Mag1c
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male

Posted 25 March 2009 - 08:27 PM

Hi, Bleeping Computer Staff

I have recently added a program called "Trend Micro RUBotted" which has found a bot over a period of a few days. Also, my internet sometimes stays active even when I don't have anything running. I still see the internet connecting when I am doing nothing online. I have run numerous anti-virus scans and picked up a couple of pieces of spyware.

Also, I have gotten a new keyboard, for which I have installed the Logitech G15 software. I also installed Microsoft Office 2007. I have turned off automatic Windows updates temporarily.

I have run ComboFix and attached the log below.

Thanks

Attached Files



#10 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 25 March 2009 - 09:25 PM

Does RUBotted create a log? If it does, can you post it?

I am concerned about this,

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
FW: Outpost Firewall Pro *enabled*

You should only have one firewall and one antivirus running at a time. The others should be totally turned off. They interfere with each other and cause false positives.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#11 Mag1c

Mag1c
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male

Posted 26 March 2009 - 03:35 PM


I think that ComboFix reported false active anti-virus. I have uninstalled all those previous anti-virus programs with CCleaner and ran the registry cleaner etc...
Also, I will run a Malwarebytes scan when I get home from work.

#12 Mag1c

Mag1c
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male

Posted 27 March 2009 - 07:42 PM

Here is the mbam log.

Also, I have scanned with Super Anti-Spyware last night and it picked up some trojans and whatnot. I didn't save the log, but I quarantined and deleted the files.
What's next? The log below is clean, but something's ringing up my internet usage and connecting to the internet still.

Malwarebytes' Anti-Malware 1.35
Database version: 1906
Windows 5.1.2600 Service Pack 3

27/03/2009 6:39:52 PM
mbam-log-2009-03-27 (18-39-52).txt

Scan type: Quick Scan
Objects scanned: 89230
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 March 2009 - 08:25 PM

I need to ask you to do something. Stop adding programs and running scans unless you ask me first. Every time you scan with something, or install a new program, the whole situation changes. And it is frustrating trying to keep track of what is going on. I have close to 100 people I am helping clean up their computer. Some very active, some not so active, and some take long breaks in between. So every time someone goes out on their own, I have to try and figure out what is going on all over again. And because I am not sitting in front of the computer, it is not always easy to figure out what is going on.

Please run combofix again and post the results. Also can you tell me what Antivirus and firewall you are using? We are going to clean out the rest of them.

#14 Mag1c

Mag1c
  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male

Posted 29 March 2009 - 02:26 AM

Does RUBotted create a log? If it does, can you post it?

No, it doesn't run like an anti-virus. It just runs along and detects suspicious activity:
28/03/2009 23:52:52 Detected DNS query of malicious domain
23/03/2009 1:40:54 Detected DNS query of malicious domain



AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
FW: Outpost Firewall Pro *enabled*

The only firewall and AV I am using are Outpost Firewall and NOD32 Anti-virus (I think Avira didn't uninstall properly and is still hung up, though).


Here is the next combofix log...

RUBotted wanted me to run HouseCall after finding bots, but it wouldn't work when I tried it last week. I think that would help, though.

I have NOT run any more scans of anything nor installed anything new.

Attached Files


Edited by Mag1c, 29 March 2009 - 02:44 AM.


#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 29 March 2009 - 09:47 AM

OK, I need you to uninstall Norton cleanly. Use these instructions. Then manually uninstall Avira.

After that, check out your computer and see if it is still acting weird. If it is, are there any symptoms you have not mentioned? Even something seemingly minor.



