
Instances of IE Open


  • This topic is locked
12 replies to this topic

#1 Stephen H

Stephen H

  • Members
  • 40 posts

Posted 28 March 2009 - 10:05 AM

I know I'm infected with something, but nothing I have can pick it up. Something is causing another instance of IE to open. No IE window will open, but occasionally I'll hear music or people talking like it's accessed a video on a website. A simple end task from Task Manager will close the instance down, but it keeps coming back. Below is my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:51 AM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Downloaded Programs\logmein\x86\LogMeInSystray.exe
C:\Downloaded Programs\boinc\boinctray.exe
C:\Program Files\DNA\btdna.exe
C:\Downloaded Programs\logmein\x86\LMIGuardian.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Downloaded Programs\boinc\boincmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Downloaded Programs\logmein\x86\RaMaint.exe
C:\Downloaded Programs\logmein\x86\LogMeIn.exe
C:\Downloaded Programs\logmein\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloaded Programs\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Stephen\Desktop\Spyware stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Downloaded Programs\logmein\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [boinctray] "C:\Downloaded Programs\boinc\boinctray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1957994488-343818398-725345543-1009\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'boinc_master')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Downloaded Programs\boinc\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Downloaded Programs\boinc\boinc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\LogMeIn.exe

--
End of file - 5131 bytes
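As an added example (not code from the thread, from HijackThis or from Trend Micro), here is a small Python triage pass over lines in HijackThis's format. It parses the section codes and flags the three things a helper would look at first in a log like the one above: an R0/R1 start or search page pointing somewhere other than Microsoft's default host, a non-empty O20 AppInit_DLLs value (as with secuload.dll here: anything listed there is loaded into every process that maps user32.dll, so it always deserves a look even when it turns out to be legitimate), and an O4/O23 autostart launched from a temp folder. The sample lines marked constructed, the default-host allowlist and the temp-path markers are my assumptions, not part of the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 line format. The R0, O2, O4 (LogMeIn),
# O20 and O23 lines are copied in shape from the log in the post above; the
# R1 line with the odd search host and the last O4 line (an autostart from a
# temp folder) are constructed examples and are NOT from the page.
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.constructed-example.invalid/?q=
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Downloaded Programs\logmein\x86\LogMeInSystray.exe"
O20 - AppInit_DLLs: secuload.dll
O23 - Service: BOINC - Space Sciences Laboratory - C:\Downloaded Programs\boinc\boinc.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER\LOCALS~1\Temp\example.exe
"""

# Every HijackThis entry line starts with a section code such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Assumption: hosts IE's factory defaults point at (taken from the R0/R1 lines above).
DEFAULT_HOSTS = {"go.microsoft.com"}

# Assumption: substrings that identify a temp location in a Windows XP path.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\temporary internet files\\")


def parse_hjt(text):
    """Return (code, body) pairs for each entry line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return a list of (code, reason) findings that merit a human look."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append((code, f"AppInit_DLLs loads {value} into every GUI process"))
        elif code in ("R0", "R1"):
            # Start/search page redirected away from the default host.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = urlparse(url).hostname or ""
            if url and host not in DEFAULT_HOSTS:
                findings.append((code, f"IE start/search page points at {host}"))
        elif code in ("O4", "O23"):
            # Autostart or service image living in a temp folder.
            low = body.lower()
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append((code, "autostart/service launched from a temp folder"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_HJT):
        print(f"{code}: {reason}")
```

The allowlist is deliberately short: a helper extends it with the hosts they recognise rather than trying to enumerate bad ones, so an unexpected redirect always surfaces for review.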

#2 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 March 2009 - 12:25 PM

Hello Stephen H,

Go to Start > Run and paste in the following line:

regedit /e c:\reg.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

Click OK.

Go to Start > Run and paste in the following:

c:\reg.txt

Click OK.

Notepad should open; please paste the contents of that file into your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts

Posted 28 March 2009 - 08:46 PM

Thanks Tea for helping out! Here is the log you requested.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00
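Posts #2 and #3 export HKCU\Software\Microsoft\Internet Explorer\Desktop\Components with regedit /e and paste the result. As an added example (not code from the thread or from Microsoft), the Python below parses that "Windows Registry Editor Version 5.00" export format, including the backslash-continued hex values, and lists any Active Desktop component whose Source is not the default About:Home. The assumption that a non-default Source is what a helper checks this export for, and the constructed component 1 in the sample, are mine; component 0 is copied from the post above.

```python
# Constructed sample in .reg export format. Component 0 is copied from the
# export in the post above; component 1 is a constructed example of a
# non-default desktop component and is NOT from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"Settings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
  00,00,04,00,00,40

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/Documents and Settings/User/Local Settings/Temp/constructed.html"
"SubscribedURL"="file:///C:/Documents and Settings/User/Local Settings/Temp/constructed.html"
"FriendlyName"="Constructed Example"
"""

# Assumption: the only Source a clean Active Desktop component should carry.
DEFAULT_SOURCES = {"about:home"}


def _logical_lines(text):
    """Join physical lines ending in a backslash, the format's continuation marker."""
    joined, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        joined.append(buf + stripped)
        buf = ""
    return joined


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, raw = line.split("=", 1)
        name = name.strip('"')
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ("REG_SZ", raw[1:-1])
        elif raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
        elif raw.startswith("hex:"):
            data = bytes(int(b, 16) for b in raw[4:].split(",") if b)
            keys[current][name] = ("REG_BINARY", data)
        else:
            keys[current][name] = ("UNKNOWN", raw)
    return keys


def suspicious_components(keys):
    """Return (component index, Source) for components whose Source is not the default."""
    out = []
    for key, values in keys.items():
        if "\\Desktop\\Components\\" not in key:
            continue  # the parent key holds version flags, not a component
        source = values.get("Source", ("", ""))[1]
        if source.lower() not in DEFAULT_SOURCES:
            out.append((key.rsplit("\\", 1)[1], source))
    return out


if __name__ == "__main__":
    for index, source in suspicious_components(parse_reg(SAMPLE_REG)):
        print(f"component {index}: Source = {source}")
```

Run against a real export, the script reads the file produced by the regedit /e command in post #2; a clean machine such as the one in post #3 produces no output.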

#4 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 March 2009 - 10:11 PM

Hello,

Thanks for that. :thumbup2:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

#5 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts

Posted 28 March 2009 - 11:24 PM

Bad news, tea: I cannot run the Malwarebytes program. I already had it installed; I tried running it before I posted here. When I open the .exe, mbam.exe shows under Processes, but no window comes up. I tried uninstalling it, but it hangs on the uninstaller. I even tried running it in Safe Mode prior to posting here. I did redownload the program, but the same thing happens when I double-click the installer: mbam-setup.exe shows under Processes, but no window appears. What shall I try next?

#6 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 March 2009 - 11:30 PM

Hi,

Let's do this then:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If it gives you problems then rename ComboFix.exe to Stephen.exe and run it that way. :thumbup2:

tea

#7 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts

Posted 29 March 2009 - 10:58 AM

I had to use ComboFix in Safe Mode; it wouldn't let me run it any other way. Things are a lot better, I can run MBAM now! Here are the results of ComboFix and HijackThis.


ComboFix 09-03-28.04 - Stephen 2009-03-29 10:48:26.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1690 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\dfdfSe434344tephen2.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\Stephen\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Stephen\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\mantec~1
c:\windows\system32\drivers\UACprubrvwq.sys
c:\windows\system32\UACiiyfrgrq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnletbfqq.dll
c:\windows\system32\UACodrelrrs.log
c:\windows\system32\UACptxtqhti.dll
c:\windows\system32\UACrciiettb.dll
c:\windows\system32\UACtjlqbuyf.dll
c:\windows\system32\UACunomkgjk.log
c:\windows\system32\UACuxdoeten.dat
c:\windows\system32\UACwkedqlll.log
c:\windows\system32\vrujujqq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-29 10:35 . 2009-03-29 10:35 <DIR> d-------- c:\documents and settings\Administrator
2009-03-26 21:15 . 2009-03-26 21:15 0 --a------ c:\windows\PROTOCOL.INI
2009-03-24 14:04 . 2009-03-24 14:04 713 --a------ c:\windows\eReg.dat
2009-03-23 20:24 . 2009-03-23 20:24 <DIR> d-------- C:\WOLF3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 15:53 --------- d-----w c:\program files\boincdata
2009-03-29 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-03-29 04:38 --------- d-----w c:\program files\DNA
2009-03-29 04:38 --------- d-----w c:\documents and settings\Stephen\Application Data\DNA
2009-03-28 16:41 --------- d-----w c:\documents and settings\Stephen\Application Data\BitTorrent
2009-02-17 15:24 --------- d-----w c:\documents and settings\Stephen\Application Data\Malwarebytes
2009-02-17 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 03:15 --------- d-----w c:\documents and settings\Stephen\Application Data\Move Networks
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2007-09-22 04:07 19,384 -c--a-w c:\documents and settings\Stephen\Application Data\GDIPFONTCACHEV1.DAT
2006-03-22 04:47 32 ----a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyCatcher Reminder"="c:\program files\SpyCatcher\SpyCatcher.exe" [2007-10-16 103864]
"LogMeIn GUI"="c:\downloaded programs\logmein\x86\LogMeInSystray.exe" [2007-04-17 63048]
"boinctray"="c:\downloaded programs\boinc\boinctray.exe" [2008-09-19 58112]

c:\documents and settings\Stephen\Start Menu\Programs\Startup\
BOINC Manager.lnk - c:\downloaded programs\boinc\boincmgr.exe [2008-09-19 4190976]
Scheduler.lnk - c:\program files\SpyCatcher\Scheduler daemon.exe [2008-06-22 86133]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SpyCatcher Protector.lnk - c:\program files\SpyCatcher\Protector.exe [2008-06-22 91576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 16:49 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\downloaded programs\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Stephen\\Desktop\\magic\\Magic\\Manalink.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\games\\bg2\\BGMain.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Downloaded Programs\\Filezilla\\FileZilla.exe"=
"c:\\games\\Magic\\Magic\\Manalink.exe"=
"c:\\Downloaded Programs\\Trillian\\Trillian\\trillian.exe"=
"c:\\Downloaded Programs\\itunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R2 BOINC;BOINC;c:\downloaded programs\boinc\boinc.exe [2008-09-19 721664]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\downloaded programs\logmein\x86\rainfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-09-15 47640]
R3 ip100xp;IC Plus IP100 10/100 Fast Ethernet Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [2005-01-01 26752]
S0 yvzd;yvzd;c:\windows\system32\drivers\umfk.sys --> c:\windows\system32\drivers\umfk.sys [?]
S3 CrystalCpuInfo;CrystalCpuInfo;\??\c:\program files\OCCT\CpuInfo.sys --> c:\program files\OCCT\CpuInfo.sys [?]
S3 gAGP440p;gAGP440p;\??\c:\docume~1\Stephen\LOCALS~1\Temp\gAGP440p.sys --> c:\docume~1\Stephen\LOCALS~1\Temp\gAGP440p.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8106a23-be5d-11dc-a0ec-00508d7f88cb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf6041-d02e-11dd-a143-00508d7f88cb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 10:53:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-03-29 10:55:33
ComboFix-quarantined-files.txt 2009-03-29 15:55:02

Pre-Run: 47,083,823,104 bytes free
Post-Run: 49,911,971,840 bytes free

130 --- E O F --- 2009-03-14 15:02:54


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:02 AM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Downloaded Programs\logmein\x86\RaMaint.exe
C:\Downloaded Programs\logmein\x86\LogMeIn.exe
C:\Downloaded Programs\logmein\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Downloaded Programs\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stephen\Desktop\Spyware stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Downloaded Programs\logmein\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [boinctray] "C:\Downloaded Programs\boinc\boinctray.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-1957994488-343818398-725345543-1009\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'boinc_master')
O4 - Startup: BOINC Manager.lnk = C:\Downloaded Programs\boinc\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Downloaded Programs\boinc\boinc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Downloaded Programs\logmein\x86\LogMeIn.exe

--
End of file - 3743 bytes
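The ComboFix log above marks services whose image could not be found with `--> path [?]`; the S0 entry yvzd pointing at umfk.sys is the one post #8 asks about and post #9 cannot find. As an added example (not ComboFix's, Malwarebytes' or the thread's code), here is a Python parser for the Drivers/Services lines and the Other Deletions list: it surfaces drivers whose backing file is missing (boot-start S0 entries first, since those load before any antivirus can inspect them), matches the "UAC" plus eight random letters file names that MBAM later labels Rootkit.TDSS, and hashes a file for a VirusTotal hash lookup when it does exist. The samples are copied in shape from the log; looking a hash up rather than uploading the file is my substitution, and the naming regex is an assumption generalised from the names on this page.

```python
import hashlib
import re

# Constructed sample, copied in shape from the "Other Deletions" list in the
# ComboFix log above.
SAMPLE_DELETIONS = r"""
c:\windows\system32\drivers\UACprubrvwq.sys
c:\windows\system32\UACiiyfrgrq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACodrelrrs.log
c:\windows\system32\UACuxdoeten.dat
c:\windows\system32\vrujujqq.ini
"""

# Constructed sample, copied in shape from the "Drivers/Services" section of
# the same log (start type, name, display name, image path, annotation).
SAMPLE_SERVICES = r"""
R2 BOINC;BOINC;c:\downloaded programs\boinc\boinc.exe [2008-09-19 721664]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-09-15 47640]
S0 yvzd;yvzd;c:\windows\system32\drivers\umfk.sys --> c:\windows\system32\drivers\umfk.sys [?]
S3 gAGP440p;gAGP440p;\??\c:\docume~1\Stephen\LOCALS~1\Temp\gAGP440p.sys --> c:\docume~1\Stephen\LOCALS~1\Temp\gAGP440p.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Assumption: "UAC" followed by eight lowercase letters, as in every UAC* name above.
UAC_NAME_RE = re.compile(r"^UAC[a-z]{8}\.(?:dll|sys|log|dat)$")


def parse_services(text):
    """Return one dict per driver/service line: start type, name, image path, missing flag."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        # "[?]" = image file not found; "[x]" = no image path recorded at all.
        missing = rest.endswith("[?]") or rest == "[x]"
        # Drop the trailing "[...]" annotation; ComboFix repeats the path after
        # " --> " when the file is missing, so keep only the first copy.
        path = re.sub(r"\s*\[[^\]]*\]$", "", rest).split(" --> ")[0].strip()
        rows.append({"start": m.group("start"), "name": m.group("name"),
                     "display": m.group("display"), "path": path, "missing": missing})
    return rows


def triage_services(rows):
    """Drivers registered with a missing backing file, boot-start (S0/R0) entries first."""
    flagged = [r for r in rows if r["missing"] and r["path"]]
    flagged.sort(key=lambda r: (r["start"][1] != "0", r["name"]))
    return flagged


def uac_named_files(text):
    """Deleted files whose base name follows the UAC-plus-eight-letters pattern."""
    out = []
    for line in text.splitlines():
        path = line.strip()
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if path and UAC_NAME_RE.match(base):
            out.append(path)
    return out


def sha256_hex(data):
    """SHA-256 hex digest of a byte string (the value a VirusTotal hash lookup takes)."""
    return hashlib.sha256(data).hexdigest()


def hash_if_present(path):
    """SHA-256 of the file at path, or None when it no longer exists (as umfk.sys did not)."""
    try:
        with open(path, "rb") as fh:
            return sha256_hex(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for row in triage_services(parse_services(SAMPLE_SERVICES)):
        digest = hash_if_present(row["path"])
        print(f'{row["start"]} {row["name"]}: {row["path"]} -> {digest or "file not found"}')
    print("UAC-style names:", uac_named_files(SAMPLE_DELETIONS))
```

An orphaned boot-start service entry with no file behind it is the expected state after the driver itself was removed; it is worth recording, but as post #9 shows there is nothing left to submit.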

#8 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 March 2009 - 04:05 PM

Hello,

Well, no wonder... that was a nasty rootkit you had there. :)

Still a couple of things to do, but the worst is way over now. :thumbup2:

I need a file analyzed. Please navigate to the following file:

c:\windows\system32\drivers\umfk.sys

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea

#9 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts

Posted 29 March 2009 - 09:01 PM

File c:\windows\system32\drivers\umfk.sys is not found. I did a search of the whole hard drive for that file, but I cannot find an instance of it. After I ran ComboFix and HijackThis, I did run MBAM again. I checked the log, but I didn't see that file listed. Here is the MBAM log; maybe it makes some sense to you.


Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600 Service Pack 2

3/29/2009 12:22:30 PM
mbam-log-2009-03-29 (12-22-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207246
Time elapsed: 1 hour(s), 24 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiiyfrgrq.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACptxtqhti.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtjlqbuyf.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{658189C6-D17E-4027-8697-791D4EE5BEA8}\RP50\A0027803.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{658189C6-D17E-4027-8697-791D4EE5BEA8}\RP50\A0027804.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{658189C6-D17E-4027-8697-791D4EE5BEA8}\RP50\A0027805.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
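Post #10 explains why these six MBAM hits are nothing to worry about: every path sits either in ComboFix's C:\Qoobox quarantine or inside a System Restore snapshot, so they are copies already out of the execution path. As an added example (not the thread's or Malwarebytes' code), the Python below parses the "Files Infected:" lines of the MBAM 1.x log format and classifies each hit by location, so that only detections in live locations are reported as needing action. The constructed last line (a file outside both locations) and the location rules are my assumptions; the other sample lines are copied from the log above.

```python
import re

# Constructed sample in MBAM 1.x log format. The first three lines are copied
# from the log in the post above; the last line is a constructed hit in a live
# location and is NOT from the page.
SAMPLE_MBAM = r"""
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiiyfrgrq.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtjlqbuyf.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{658189C6-D17E-4027-8697-791D4EE5BEA8}\RP50\A0027803.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\constructed-example.sys (Rootkit.TDSS) -> Delete on reboot.
"""

# One hit per line: "<path> (<detection name>) -> <action>".
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Location rules (assumption): files here are copies that no longer run, so a
# detection is a remnant of an earlier clean-up rather than an active infection.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)      # ComboFix's quarantine folder
RESTORE_MARKER = r"\system volume information\_restore"  # System Restore snapshots


def parse_hits(text):
    """Return a dict (path, name, action) for every detection line in the log."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def classify(path):
    """Label a detected path as quarantine, restore_point or live."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "restore_point"
    return "live"


def summarize(text):
    """Count hits per location class and return the live ones for follow-up."""
    counts = {"quarantine": 0, "restore_point": 0, "live": 0}
    live = []
    for hit in parse_hits(text):
        kind = classify(hit["path"])
        counts[kind] += 1
        if kind == "live":
            live.append(hit)
    return counts, live


if __name__ == "__main__":
    counts, live = summarize(SAMPLE_MBAM)
    print(counts)
    for hit in live:
        print(f'needs attention: {hit["path"]} ({hit["name"]}) -> {hit["action"]}')
```

Against the actual log in post #9 the live list is empty, which is the result post #10 relies on before clearing the old restore points.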

#10 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 March 2009 - 09:24 PM

Hello,

Well, it's not going to hurt my feelings if it's not there... that's a good thing! :thumbup2: What MBAM found is perfectly all right too: just the remnants of the rootkit you had, which were quarantined by ComboFix, and we'll take care of System Restore right now also:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

I'm sure MBAM won't pick anything up now. It's all gone. :) How is it running?

tea

#11 Stephen H

Stephen H
  • Topic Starter

  • Members
  • 40 posts

Posted 30 March 2009 - 09:27 AM

We're looking good! Nothing found.


Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600 Service Pack 2

3/30/2009 9:25:51 AM
mbam-log-2009-03-30 (09-25-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223117
Time elapsed: 38 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 March 2009 - 05:36 PM

Hello,

Excellent. :thumbup2: You need an AntiVirus. I saw you had AVG7 at first, but that could not have been doing you much good as outdated as it was. AVG, Avira OR Avast are good FREE antivirus. Personally I use Avira. It's lightweight and easy to deal with.

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_13.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know how you come out. :)

tea

#13 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2009 - 06:23 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



