Infected with Win32TrojanOlmarik


  • This topic is locked
2 replies to this topic

#1 jett12

jett12

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 01 April 2009 - 06:53 PM

Hi, my computer has been getting pop-ups from a "SpySecure", and I cannot open Malwarebytes or any other programs besides Ad-Aware (which is not working). I've tried all I know; my SuperAntiSpyware, Seek and Destroy, and Malwarebytes all won't load. Please help me, I've got a project due tomorrow and I really need my computer :D

Win32TrojanOlmarik is what Ad-Aware keeps popping up with, but it's not removing it.

\\?\globalroot\systemroot\system32\uacmybwhtmx.dll

is where it says its finding the Trojan.


I tried to post in accordance with the rules, sorry if I missed something, and thanks in advance!



DDS (Ver_09-03-16.01) - NTFSx86
Run by Jett at 18:39:36.78 on Wed 04/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1375 [GMT -5:00]

AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jett\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {6c18ebf8-3a3e-4a82-94f0-433570c768e4} - c:\windows\system32\byXQKayv.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: : {d9fc4a48-4be6-44b0-8cfe-f4d7c32d89ed} - c:\windows\system32\mrhfybi.dll
BHO: {da7126fa-1266-4a7c-b819-4c12bb7f8eb7} - c:\windows\system32\khfCtTME.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [Google Update] "c:\documents and settings\jett\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [system tool] c:\windows\sysguard.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [nwiz] nwiz.exe /install
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [Diamondback] c:\program files\razer\diamondback\razerhid.exe
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Notify: hxmyueeq - mrhfybi.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jett\applic~1\mozilla\firefox\profiles\cb0zviry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ultimate-guitar.com/
FF - plugin: c:\documents and settings\jett\application data\mozilla\firefox\profiles\cb0zviry.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\jett\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-1 64160]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-9-19 13696]
R2 adrxeqef;CD-ROM Controller;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2008-6-16 13225]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-15 24652]
S3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [2007-10-9 27776]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [2007-10-9 14592]

=============== Created Last 30 ================

2009-04-01 18:18 21,937 a------- c:\windows\system32\AAWService_2009_04_01_18_18_12.dmp
2009-04-01 16:55 20,766 a------- c:\windows\system32\AAWService_2009_04_01_16_55_36.dmp
2009-04-01 16:35 <DIR> --d----- c:\docume~1\jett\applic~1\ydhzwfxe
2009-04-01 16:26 20,459 a------- c:\windows\system32\AAWService_2009_04_01_16_26_23.dmp
2009-04-01 15:51 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-01 15:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-01 15:46 <DIR> --d----- c:\windows\ERUNT
2009-04-01 15:44 0 a------- c:\windows\system32\AAWService_2009_04_01_15_44_45.dmp
2009-04-01 15:34 19,515 a------- c:\windows\system32\AAWService_2009_04_01_15_34_24.dmp
2009-04-01 15:30 18,249 a------- c:\windows\system32\AAWService_2009_04_01_15_30_29.dmp
2009-04-01 15:26 20,671 a------- c:\windows\system32\AAWService_2009_04_01_15_26_00.dmp
2009-04-01 15:08 20,766 a------- c:\windows\system32\AAWService_2009_04_01_15_08_17.dmp
2009-04-01 15:01 23,168 a------- c:\windows\system32\AAWService_2009_04_01_15_01_19.dmp
2009-04-01 14:59 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-01 14:55 18,673 a------- c:\windows\system32\AAWService_2009_04_01_14_55_08.dmp
2009-04-01 14:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-01 14:51 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-01 14:51 <DIR> --d----- c:\program files\Lavasoft
2009-04-01 14:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-01 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-31 00:23 202 a------- c:\windows\wininit.ini
2009-03-31 00:23 154 a------- c:\windows\wininit.tmp
2009-03-21 12:27 <DIR> --d----- c:\program files\UltraMon
2009-03-21 12:27 <DIR> --d----- c:\program files\common files\Realtime Soft
2009-03-21 12:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Realtime Soft
2009-03-14 02:37 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-03-14 02:37 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-03-14 02:37 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-03-14 02:37 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-03-14 02:37 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-03-14 02:37 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-03-14 02:37 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-03-14 02:35 <DIR> --d----- c:\program files\Crazybump
2009-03-04 02:18 <DIR> --d----- c:\docume~1\jett\applic~1\Thinstall

==================== Find3M ====================

2009-01-05 19:43 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-04-05 13:53 774,144 a------- c:\program files\RngInterstitial.dll
2007-11-06 14:43 22,328 a------- c:\docume~1\jett\applic~1\PnkBstrK.sys
2008-07-04 14:10 234,970 a--sh--- c:\windows\system32\tDfNqBeg.ini2
2008-07-08 02:19 263,133 a--sh--- c:\windows\system32\wFOYIkkj.ini2

============= FINISH: 18:40:16.79 ===============


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:04 AM

Posted 04 April 2009 - 02:58 PM

Hello jett12,

Sorry for the delay. We have many logs backed up.

If you still need help, post a fresh DDS log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:04 AM

Posted 11 April 2009 - 04:18 PM

Due to inactivity, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



