
system Monitor: Potentially Rootkit-masked Registry


This topic is locked
2 replies to this topic

#1 lilguy


Posted 26 March 2009 - 11:02 AM

When I ran Spy Sweeper I found this, and it keeps coming up every time I run it. I ran my antivirus too and it found two Trojans too... but I don't know if it got everything or if things are still messed up. The only thing that the antivirus did is tell me to run Windows Update and it would stop it from infecting my computer; it did not tell me what kind they were.





DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 11:19:10.20 on Thu 03/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.905 [GMT -4:00]

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Matthew\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: Live TV Toolbar: {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - c:\program files\live_tv\tbLive.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Live TV Toolbar: {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - c:\program files\live_tv\tbLive.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Live TV Toolbar: {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - c:\program files\live_tv\tbLive.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Easy Dock]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\web2~1\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\fbgxe5q5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-1-21 2749736]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-22 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-16 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2008-11-7 1178728]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-2-21 252416]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-1-21 15656]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2007-9-22 52240]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-11-3 648456]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-03-25 22:54 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-25 20:01 <DIR> --d----- c:\program files\MSSOAP
2009-03-25 20:01 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-25 20:00 164 a------- c:\windows\install.dat
2009-03-24 16:30 <DIR> --d----- c:\program files\Live_TV
2009-03-24 14:32 <DIR> --d----- c:\program files\PicLensIE
2009-03-23 21:46 <DIR> a-d----- c:\programdata\TEMP
2009-03-17 09:48 <DIR> --d----- c:\users\matthew\.thumbnails
2009-03-16 13:19 10 a------- c:\windows\ATICIM.MIF
2009-03-16 09:53 <DIR> --d----- c:\users\matthew\Tracing
2009-03-16 09:50 <DIR> --d----- c:\program files\Microsoft
2009-03-16 09:50 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-16 09:45 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-16 09:42 <DIR> --d----- c:\windows\system32\log
2009-03-14 22:07 <DIR> --d----- c:\program files\iPod
2009-03-14 22:06 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-14 22:06 <DIR> --d----- c:\program files\iTunes
2009-03-14 22:06 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-14 22:06 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-14 22:06 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 22:05 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 22:05 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-11 20:46 <DIR> --d----- c:\program files\YafaRay
2009-03-11 14:30 <DIR> --d----- c:\users\matthew\.gimp-2.6
2009-03-11 14:30 <DIR> --d----- c:\users\matthew\.gegl-0.0
2009-03-11 14:29 <DIR> --d----- c:\program files\GIMP-2.0
2009-03-11 10:11 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 10:11 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-09 15:15 <DIR> --d----- C:\tmp
2009-03-03 13:08 <DIR> --d----- c:\windows\pss
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z06
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z05
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z04
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z03
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z02
2009-03-01 14:54 730,000,000 a------- C:\Windows.old.z01
2009-03-01 10:35 <DIR> --d----- c:\users\matthew\Roaming
2009-03-01 10:35 <DIR> --d----- c:\users\matthew\appdata\roaming\MySpace
2009-03-01 10:35 <DIR> --d----- c:\program files\MySpace
2009-02-28 00:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-02-28 00:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-02-28 00:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-02-28 00:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-02-28 00:05 <DIR> --d----- c:\programdata\ATI
2009-02-27 15:16 <DIR> --d----- c:\users\matthew\appdata\roaming\X-Chat 2
2009-02-27 15:16 <DIR> --d----- c:\program files\xchat
2009-02-27 02:24 <DIR> --d----- c:\program files\common files\EasyInfo
2009-02-25 15:24 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-25 15:24 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-25 15:24 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-24 13:12 <DIR> --d----- c:\users\matthew\IGC
2009-02-24 13:07 245,408 -----r-- c:\windows\system32\unicows.dll
2009-02-24 13:07 <DIR> --d----- c:\program files\IGC

==================== Find3M ====================

2009-03-14 21:54 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-14 21:54 86,016 a------- c:\windows\inf\infstor.dat
2009-03-14 21:54 51,200 a------- c:\windows\inf\infpub.dat
2009-03-08 07:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 07:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 07:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 07:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 07:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 07:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 07:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 07:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 07:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 07:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 07:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 07:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 07:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 07:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 07:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 07:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-05 17:10 1,553,784 a------- c:\windows\WRSetup.dll
2009-03-05 09:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-04 03:29 4,303,360 a------- c:\windows\system32\drivers\atikmdag.sys
2009-02-04 01:02 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-04 01:00 159,744 a------- c:\windows\system32\atitmmxx.dll
2009-02-04 01:00 348,160 a------- c:\windows\system32\atipdlxx.dll
2009-02-04 01:00 274,432 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 01:00 11,264 a------- c:\windows\system32\atimuixx.dll
2009-02-04 01:00 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-04 00:59 286,720 a------- c:\windows\system32\Ati2evxx.dll
2009-02-04 00:58 729,088 a------- c:\windows\system32\Ati2evxx.exe
2009-02-04 00:49 2,391,552 a------- c:\windows\system32\atidxx32.dll
2009-02-04 00:43 3,903,488 a------- c:\windows\system32\atiumdag.dll
2009-02-04 00:22 4,905,472 a------- c:\windows\system32\atiumdva.dll
2009-02-04 00:11 11,366,400 a------- c:\windows\system32\atioglxx.dll
2009-02-04 00:07 51,712 a------- c:\windows\system32\amdpcom32.dll
2009-02-04 00:07 131,072 a------- c:\windows\system32\atiadlxx.dll
2009-02-03 23:53 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-02-03 23:01 57,344 a------- c:\windows\system32\aticalrt.dll
2009-02-03 23:01 53,248 a------- c:\windows\system32\aticalcl.dll
2009-02-03 22:58 3,252,224 a------- c:\windows\system32\aticaldd.dll
2009-01-14 00:21 3,107,788 a------- c:\windows\system32\atiumdva.dat
2008-10-15 17:33 174 a--sh--- c:\program files\desktop.ini
2008-10-15 17:27 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:19:34.94 ===============


#2 lilguy


Posted 02 April 2009 - 06:50 AM

I know that it takes a couple of days to get back to someone, but it will have been a week now as of today. No one has gotten back to me to tell me someone is working on it and not to worry, or that everything is OK with my computer!! I want someone just to take my case off this site, and I do not recommend it to anyone else. It would have been nice to be at least acknowledged at some point. Thank you for your time and sorry for any inconvenience.

#3 garmanma

Staff Emeritus

Posted 02 April 2009 - 10:07 AM

Our volunteer team members are extremely busy. We have tried to keep the waiting period as short as possible. Considering the backlog, 1 week is not bad.
We have a couple of members that check the backlog routinely.

I want someone just to take my case off this site and I do not recommend it to anyone else. It would have been nice to be at least acknowledged at some point. Thank you for your time and sorry for any inconvenience.


As you wish
Thread closed
Mark



