Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RTVscan is going crazy


  • This topic is locked This topic is locked
2 replies to this topic

#1 jstyle711

jstyle711

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 28 April 2009 - 10:37 AM

I went onto the IMEEM website and caught something. I get random popups, along with my RTVscan running at 50cpu usage. I caught this yesterday on my work computer along with my home computer so you may be recieveing two posts from me. Sorry, but hopefully my experience will help anyone else in the future.

Symantec detecs:
Bloodhound.exploit.196 - quarantined
Trojanmalscript!html - Left alone
Trojan.Fakeavalert - Reboot processing

Here is my DDS Log.


DDS (Ver_09-03-16.01) - NTFSx86
Run by jtran at 8:23:33.86 on Tue 04/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3318.2568 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\windows\system32\lkcitdl.exe
C:\windows\system32\lkads.exe
C:\windows\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\windows\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\system32\nipalsm.exe
C:\windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\windows\system32\igfxpers.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Octoshape Streaming Services\jtran\OctoshapeClient.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\SolidWorks\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Windows Desktop Search\wds_sl.exe
C:\DOCUME~1\jtran\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\jtran\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
BHO: {8c3dad30-b9e0-41bb-b037-50c23fabf701} - c:\windows\system32\katovibu.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Octoshape Streaming Services] "c:\program files\octoshape streaming services\jtran\OctoshapeClient.exe" -inv:bootrun
uRun: [befitufolu] Rundll32.exe "c:\windows\system32\papewohu.dll",s
uRun: [CPM198a249b] Rundll32.exe "c:\windows\system32\pihuwali.dll",a
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe
mRun: [RAMON]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [1ab91707] rundll32.exe "c:\windows\system32\tajokigu.dll",b
mRun: [befitufolu] Rundll32.exe "c:\windows\system32\papewohu.dll",s
mRun: [CPM198a249b] Rundll32.exe "c:\windows\system32\pihuwali.dll",a
StartupFolder: c:\docume~1\jtran\startm~1\programs\startup\E-mail.lnk -
StartupFolder: c:\docume~1\jtran\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131999581546
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\vororeni.dll c:\windows\system32\pihuwali.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pihuwali.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\pihuwali.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\vororeni.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jtran\applic~1\mozilla\firefox\profiles\cyfto2ao.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 gpib420;GPIB Analyzer;c:\windows\system32\drivers\gpib420.sys [2005-7-18 31334]
R2 GpibPrtK;Gpib Port;c:\windows\system32\drivers\GpibPrtK.sys [2005-7-18 199783]
R2 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.dll [2005-7-27 10829]
R2 nidevldu;nidevldu;system32\nipalsm.exe --> system32\nipalsm.exe [?]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [2005-9-28 141824]
R2 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfk.dll [2005-10-13 166912]
R2 niemrk;niemrk;c:\windows\system32\drivers\niemrk.dll [2005-10-7 346624]
R2 nifslk;nifslk;c:\windows\system32\drivers\nifslk.dll [2005-10-6 35328]
R2 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpk.dll [2005-10-6 19456]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2005-9-21 55296]
R2 niswdk;niswdk;c:\windows\system32\drivers\niswdk.dll [2005-10-8 476160]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 usb6xxxk;usb6xxxk;c:\windows\system32\drivers\usb6xxxk.dll [2005-10-7 19968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090427.002\naveng.sys [2009-4-28 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090427.002\navex15.sys [2009-4-28 876144]
R3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrk.dll [2005-10-6 170496]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2k.dll [2005-9-28 231936]
R3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrk.dll [2005-10-6 131072]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstsk.dll [2005-10-6 51200]
R3 niscdk;niscdk;c:\windows\system32\drivers\niscdk.dll [2005-10-6 497664]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsark.dll [2005-10-6 714752]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrk.dll [2005-10-7 489984]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2005-10-6 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2005-10-6 151683]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigk.dll [2005-10-7 233472]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftk.dll [2005-10-6 163328]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdk.dll [2005-10-6 42496]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrk.dll [2005-10-7 1058304]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2k.dll [2005-10-6 163328]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrk.dll [2005-10-10 110080]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiork.dll [2005-10-7 692736]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2005-10-12 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2005-10-12 37376]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2005-10-12 10752]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrk.dll [2005-10-7 422400]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrk.dll [2005-10-7 926720]

=============== Created Last 30 ================

2009-04-28 07:50 1,407,011 ---sh--- c:\windows\system32\ugikojat.ini
2009-04-24 11:25 <DIR> --d----- c:\program files\AIM6

==================== Find3M ====================

2009-04-28 07:50 104,960 a--sh--- c:\windows\system32\pihuwali.dll
2009-04-28 07:50 97,792 a--sh--- c:\windows\system32\tajokigu.dll
2009-04-27 14:07 98,304 a--sh--- c:\windows\system32\pufajahe.dll
2009-04-27 14:07 105,984 a--sh--- c:\windows\system32\nuzevuzi.dll
2009-04-27 14:07 58,368 a--sh--- c:\windows\system32\mikihavi.exe

============= FINISH: 8:26:00.83 ===============

Attached Files


Edited by jstyle711, 28 April 2009 - 12:27 PM.


BC AdBot (Login to Remove)

 


#2 jstyle711

jstyle711
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 01 May 2009 - 12:18 PM

i know you guys are busy and i just would like to tell you not to worry about this post anymore. I've just received some help from techsupportforum.com.

Please close this thread.

Sorry if I have caused you guys any inconvenience. Your help is always appreciated.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:06:23 PM

Posted 04 May 2009 - 12:48 AM

Thanks for informing us.
Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users