
Unknown malware


This topic is locked
2 replies to this topic

#1 GP-X

GP-X

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 16 March 2009 - 12:39 PM

I am getting constant redirects, etc., on my searches or any new tabs opened in my Firefox browser to random sites. Also, Iexplorer.exe is running in the background. When I went to attempt to remove whatever it is, both my Windows Defender and Spybot are unable to run or complete a scan to locate it.

EDIT: I noticed any scan program I run will crash on yk51x86.sys, if that's helpful.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Robert at 13:03:10.37 on Mon 03/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1333 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\EVGA Precision\Bundle\OSDServer\RTSS.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [EVGAPrecision] "c:\program files\evga precision\EVGAPrecision.exe" /s
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\documents and settings\robert\start menu\programs\startup\Xfire.lnk.disabled
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\n7ioaa34.default\

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-15 28544]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2007-8-23 17912]
R3 RTCore32;RTCore32;c:\program files\evga precision\RTCore32.sys [2005-5-25 4608]
S0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys --> c:\windows\system32\drivers\xmasscsi.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-7-11 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-7-11 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-7-11 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-7-11 23680]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]

=============== Created Last 30 ================

2009-03-15 23:54 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-15 23:54 <DIR> --d----- c:\program files\Panda Security
2009-03-15 21:29 24 a------- c:\windows\LogonStudio.ini
2009-03-15 21:27 187,392 a------- c:\windows\system32\JPGUtils.dll
2009-03-15 21:27 198,656 a------- c:\windows\system32\comdlg32.ocx
2009-03-15 21:27 <DIR> --d----- c:\program files\WinCustomize
2009-03-15 21:27 <DIR> --d----- c:\program files\common files\Stardock
2009-03-12 17:33 <DIR> --d----- c:\windows\NV6683292.TMP
2009-03-12 00:01 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-03-12 00:01 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-03-12 00:01 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-03-11 18:40 <DIR> --d----- c:\program files\Bethesda Softworks
2009-03-10 13:56 6,688 a------- c:\windows\movexe.exe
2009-03-09 17:19 <DIR> --d----- C:\WELedit
2009-02-26 14:46 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-21 00:12 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-02-21 00:12 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-02-21 00:12 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-02-21 00:12 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-02-19 22:22 <DIR> --d-h--- c:\program files\InstallJammer Registry
2009-02-18 14:44 1,253,376 a------- c:\windows\system32\NvPVEnc.ax
2009-02-18 14:44 401,408 a------- c:\windows\system32\nvcuvid.dll

==================== Find3M ====================

2009-03-15 21:59 2,772,480 a------- c:\windows\system32\logonuiX.exe
2009-03-11 15:10 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-11 15:10 202,352 a------- c:\windows\system32\PnkBstrB.exe
2009-02-25 21:45 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-02-16 23:17 453,152 a------- c:\windows\system32\nvuninst.exe
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-02 19:37 88,440 a------- c:\docume~1\robert\applic~1\GDIPFONTCACHEV1.DAT
2009-01-31 19:25 4,096 a------- c:\windows\d3dx.dat
2009-01-29 22:07 1,546,752 a------- c:\windows\system32\xa5165781.exe
2009-01-29 22:07 1,546,752 a------- c:\windows\system32\xa5165562.exe
2009-01-24 22:58 52,736 a------- c:\windows\ipuninst.exe
2009-01-16 18:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-11-22 12:15 22,328 a------- c:\docume~1\robert\applic~1\PnkBstrK.sys

============= FINISH: 13:04:01.12 ===============

Edited by GP-X, 16 March 2009 - 05:37 PM.


#2 GP-X

GP-X
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 19 March 2009 - 10:55 AM

Turned out the problem was the UAC rootkit. A quick run of ComboFix solved the issue :thumbup2:

Anyway, thanks anyway, but I'm all set now. Might as well close the topic :)

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:11 AM

Posted 19 March 2009 - 12:27 PM

Thanks for informing us. Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
