
Keeps shutting down internet (HiJack Log)


  • This topic is locked
10 replies to this topic

#1 steveguru11

  • Members
  • 5 posts

Posted 08 May 2009 - 08:19 PM

Every 3 or 4 hours the virus will do 3 things:

1. Kick me off my internet so that I can't receive any bytes. So I have to use a program to clear and reset the NetBT.

2. The computer will just freeze up.

3. The computer is extremely slow.

Please for the love of god HELP!!!




Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [DiskChk help] rundll32.exe "C:\Documents and Settings\All Users\proto.dll" run
O4 - HKCU\..\Run: [nvd32_r] rundll32.exe "C:\Documents and Settings\Adults\Application Data\unobi.dll" s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9b9758b025e6) (gupdate1c9b9758b025e6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 4926 bytes



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2009 - 09:37 PM

Hello steveguru11,


Could you please post the entire HijackThis log? :thumbup2: It's important.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 steveguru11

  • Topic Starter
  • Members
  • 5 posts

Posted 08 May 2009 - 11:12 PM

Here it is. I also posted the ComboFix log as well.

Thank you soooo much for helping me!!!!!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:11 PM, on 5/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [DiskChk help] rundll32.exe "C:\Documents and Settings\All Users\proto.dll" run
O4 - HKCU\..\Run: [nvd32_r] rundll32.exe "C:\Documents and Settings\Adults\Application Data\unobi.dll" s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9b9758b025e6) (gupdate1c9b9758b025e6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 4953 bytes


ComboFix 09-05-08.03 - Adults 05/08/2009 19:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1712 [GMT -7:00]
Running from: c:\documents and settings\Adults\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\recycler\S-4-4-67-100009298-100010822-100022992-1324.com
c:\windows\system32\drivers\gxvxcdunfdbtpqffsjnaltklwlkfswpcvytqi.sys
c:\windows\system32\drivers\gxvxclqoxtevttkrrqqaqjbivmhnokmqlruyg.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcekntrkigacadaxukvacrqyxvjoalvjdk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-09 01:23 . 2009-05-09 01:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-09 01:23 . 2009-05-09 01:23 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 06:47 . 2009-05-04 06:47 -------- d-----w C:\ERDNT
2009-05-03 21:52 . 2009-05-03 21:52 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-03 00:35 . 2009-05-03 00:34 27136 ----a-w c:\documents and settings\All Users\proto.dll
2009-05-03 00:32 . 2009-05-03 00:32 -------- d-----w c:\windows\system32\Service
2009-05-03 00:19 . 2009-05-03 00:19 -------- d-----w c:\documents and settings\kids\Local Settings\Application Data\Trend Micro
2009-05-03 00:14 . 2009-05-03 00:14 -------- d-----w c:\documents and settings\Adults\Local Settings\Application Data\Trend Micro
2009-05-03 00:02 . 2009-05-03 00:02 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2009-05-03 00:02 . 2009-05-03 00:02 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\free-downloads.net
2009-05-03 00:02 . 2009-05-03 00:02 50160 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 00:02 . 2009-05-04 06:08 77824 ----a-w c:\windows\system32\kdfapi.dll
2009-05-03 00:02 . 2009-05-04 06:08 53248 ----a-w c:\windows\system32\Kdfhok.dll
2009-05-03 00:02 . 2009-05-04 06:08 192512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-05-03 00:02 . 2009-05-04 06:08 387288 ----a-w c:\windows\system32\kdfmgr.exe
2009-05-03 00:02 . 2009-05-03 21:37 -------- d-----w c:\windows\kdefense
2009-05-03 00:02 . 2009-05-03 00:02 475872 ----a-w c:\windows\system32\kdfinj.dll
2009-05-02 23:26 . 2009-05-02 23:26 -------- d-----w c:\windows\LocalSSL
2009-05-02 23:26 . 2009-05-02 23:26 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-05-02 23:24 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-05-02 23:24 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-05-02 23:24 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-05-02 23:23 . 2009-05-03 18:58 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-05-02 23:15 . 2009-05-02 23:15 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-05-02 23:15 . 2009-05-02 23:15 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-05-02 23:15 . 2009-05-02 23:15 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-05-02 23:15 . 2009-05-02 23:15 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-05-02 23:15 . 2009-05-02 23:15 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-05-02 23:07 . 2009-03-22 00:15 36864 ----a-w c:\documents and settings\Adults\Application Data\unobi.dll
2009-05-02 23:07 . 2009-05-02 23:07 65536 --sh--r c:\windows\system32\rundll70.exe
2009-05-02 23:07 . 2009-05-02 23:07 65536 --sh--r c:\windows\system32\rundll59.exe
2009-05-02 22:03 . 2009-05-02 22:03 -------- d-----w c:\program files\SopCast
2009-04-30 22:25 . 2009-04-30 22:25 -------- d-----w c:\program files\ASIO4ALL v2
2009-04-30 22:25 . 2009-04-30 22:25 -------- d-----w c:\program files\VstPlugins
2009-04-30 22:25 . 2006-06-20 08:56 225280 ----a-w c:\windows\system32\rewire.dll
2009-04-30 22:23 . 2009-04-30 22:23 -------- d-----w c:\program files\Outsim
2009-04-30 22:20 . 2009-04-30 22:25 -------- d-----w c:\program files\Image-Line
2009-04-29 04:46 . 2009-04-29 04:46 -------- d-----w c:\documents and settings\eric\Application Data\MySpace
2009-04-29 03:42 . 2009-04-29 03:42 -------- d-----w c:\documents and settings\Adults\Application Data\MySpace
2009-04-29 03:42 . 2009-04-29 03:42 -------- d-----w c:\program files\MySpace
2009-04-29 03:13 . 2009-04-29 03:13 -------- d-----w c:\documents and settings\kids\Local Settings\Application Data\Apple
2009-04-28 20:41 . 2009-05-09 00:58 -------- d-----w c:\documents and settings\Adults\Application Data\LimeWire
2009-04-28 20:40 . 2009-04-28 20:41 -------- d-----w c:\program files\LimeWire
2009-04-23 21:12 . 2009-04-23 21:12 -------- d-----w c:\documents and settings\kids\Local Settings\Application Data\Apple Computer
2009-04-23 21:12 . 2009-04-23 21:12 -------- d-----w c:\documents and settings\kids\Local Settings\Application Data\Adobe
2009-04-22 21:31 . 2009-04-22 21:31 -------- d-----w c:\documents and settings\eric\Local Settings\Application Data\Conduit
2009-04-22 21:31 . 2009-04-22 21:31 -------- d-----w c:\documents and settings\eric\Local Settings\Application Data\free-downloads.net
2009-04-22 03:13 . 2009-04-22 03:13 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\free-downloads.net
2009-04-22 03:13 . 2009-04-22 03:13 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-22 01:39 . 2001-08-18 05:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-22 01:39 . 2008-04-13 17:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 01:39 . 2008-04-13 17:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 01:39 . 2008-04-13 23:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-22 01:26 . 2009-04-22 04:01 -------- d-----w c:\documents and settings\eric\Application Data\Apple Computer
2009-04-22 01:26 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-18 20:57 . 2009-04-18 20:57 -------- d-----w c:\documents and settings\Adults\Application Data\Serif
2009-04-18 20:51 . 2009-04-18 20:51 -------- d-----w c:\program files\Serif
2009-04-18 09:35 . 2009-04-18 09:35 -------- d-----w C:\WebArt Photo Collection
2009-04-18 09:35 . 2009-04-18 09:35 -------- d-----w C:\Tutorials
2009-04-18 09:34 . 2009-04-18 09:35 -------- d-----w C:\Images
2009-04-18 09:34 . 2009-04-18 09:35 -------- d-----w C:\Templates
2009-04-18 09:21 . 2009-04-18 09:34 -------- d-----w C:\Internet Explorer
2009-04-18 09:21 . 2009-04-18 09:21 -------- d-----w C:\Adobe Reader
2009-04-18 09:20 . 2009-04-18 09:20 -------- d-----w C:\Portfolio
2009-04-18 09:20 . 2009-04-18 09:20 -------- d-----w C:\Fonts
2009-04-18 09:20 . 2009-04-18 09:20 -------- d-----w C:\Fills
2009-04-18 06:43 . 2009-04-18 06:43 -------- d-----w c:\documents and settings\Adults\Application Data\enLighter
2009-04-18 06:43 . 2009-04-18 06:43 -------- d-----w c:\program files\enLighter Retriever
2009-04-18 00:37 . 2009-04-27 07:07 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-18 00:28 . 2009-04-18 00:28 -------- d-----w c:\program files\Adobe Media Player
2009-04-18 00:22 . 2009-04-18 00:22 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-17 23:27 . 2009-04-18 00:41 -------- d-----w c:\documents and settings\Adults\Application Data\Download Manager
2009-04-17 20:35 . 2004-03-29 23:23 90112 ----a-w c:\windows\unvise32.exe
2009-04-17 20:32 . 2009-05-02 20:19 -------- d-----w c:\program files\The Logo Creator v5
2009-04-17 20:23 . 2009-04-17 20:23 -------- d-----w C:\My Web Sites
2009-04-17 20:22 . 2009-04-17 20:22 -------- d-----w c:\program files\WinHTTrack
2009-04-17 01:36 . 2009-04-17 01:36 -------- d-----w c:\windows\system32\Adobe
2009-04-17 01:24 . 2009-02-25 01:42 116736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2009-04-17 01:24 . 2009-04-17 01:24 -------- d-----w c:\program files\MagicDisc
2009-04-17 00:58 . 2005-04-25 17:43 159616 ----a-w c:\windows\system32\drivers\Vax347b.sys
2009-04-17 00:58 . 2004-04-30 16:33 5248 ----a-w c:\windows\system32\drivers\Vax347s.sys
2009-04-15 03:51 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:51 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:51 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 03:51 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:51 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:51 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:51 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:51 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:51 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 03:50 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 01:27 . 2009-04-28 20:52 -------- d-----w c:\documents and settings\Adults\Local Settings\Application Data\Apple Computer
2009-04-11 00:26 . 2009-04-12 20:30 -------- d-----w c:\documents and settings\Adults\Application Data\Samsung
2009-04-11 00:17 . 2006-05-04 05:53 174592 ----a-w c:\windows\system32\framedyn.dll
2009-04-11 00:17 . 2003-02-22 01:42 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-04-11 00:12 . 2009-04-11 00:25 5632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-04-10 22:44 . 2009-04-10 22:44 -------- d-----w c:\documents and settings\eric\Local Settings\Application Data\Google
2009-04-10 21:10 . 2009-04-10 21:10 -------- d-----w c:\program files\Microsoft
2009-04-10 20:12 . 2009-04-28 20:52 -------- d-----w c:\documents and settings\Adults\Application Data\Apple Computer
2009-04-10 20:01 . 2009-04-11 00:13 -------- d-----w c:\windows\system32\Samsung_USB_Drivers
2009-04-10 20:01 . 2009-04-10 20:01 -------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-04-10 19:48 . 2009-04-10 19:48 -------- d-----w c:\windows\system32\LogFiles
2009-04-10 19:46 . 2009-04-10 19:46 -------- d-----w c:\windows\Sun
2009-04-10 19:42 . 2009-04-18 06:11 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-10 19:28 . 2009-04-18 01:44 -------- d-----w c:\documents and settings\Adults\Local Settings\Application Data\Adobe
2009-04-10 19:27 . 2009-04-18 06:05 -------- d-----w c:\program files\SAMSUNG
2009-04-10 01:38 . 2009-04-10 19:18 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-10 00:41 . 2009-04-10 00:41 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-10 00:40 . 2009-05-09 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-10 00:40 . 2009-04-10 00:41 -------- d-----w c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 23:24 . 2009-03-09 22:20 -------- d-----w c:\program files\Trend Micro
2009-04-22 15:37 . 2009-04-05 04:18 50160 ----a-w c:\documents and settings\eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 01:26 . 2009-04-22 01:25 -------- d-----w c:\program files\iTunes
2009-04-22 01:25 . 2009-04-22 01:25 -------- d-----w c:\program files\iPod
2009-04-22 01:25 . 2009-04-22 01:20 -------- d-----w c:\program files\Common Files\Apple
2009-04-22 01:24 . 2009-04-22 01:23 -------- d-----w c:\program files\QuickTime
2009-04-22 01:21 . 2009-04-22 01:21 -------- d-----w c:\program files\Apple Software Update
2009-04-21 20:32 . 2009-03-07 09:30 50160 ----a-w c:\documents and settings\Adults\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 20:13 . 2009-05-04 06:20 194898 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-04-18 06:13 . 2009-03-10 22:44 -------- d-----w c:\program files\Citrix
2009-04-18 06:12 . 2009-04-06 21:01 -------- d-----w c:\program files\Windows Lotto Pro 2000
2009-04-18 06:10 . 2009-03-10 04:07 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-18 06:10 . 2009-03-10 00:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 01:49 . 2009-04-04 00:53 -------- d-----w c:\program files\Common Files\Adobe
2009-04-17 01:22 . 2009-03-09 02:40 -------- d-----w c:\program files\MagicISO
2009-04-17 00:58 . 2009-03-15 21:38 -------- d-----w c:\program files\Alcohol Soft
2009-04-09 00:44 . 2009-03-09 23:11 228888 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-05 03:48 . 2009-04-05 03:48 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-04-05 03:42 . 2009-04-05 03:42 -------- d-----w c:\program files\OLYMPUS
2009-04-05 03:41 . 2009-04-05 03:41 -------- d-----w c:\program files\MSXML 4.0
2009-04-04 07:32 . 2009-03-18 06:24 89431 ----a-w c:\documents and settings\Diablo II\bncache.dat
2009-04-04 00:56 . 2009-04-04 00:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-04 00:56 . 2009-04-04 00:56 -------- d-----w c:\program files\Java
2009-04-04 00:55 . 2009-04-04 00:55 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-03 19:40 . 2009-04-02 01:56 28264 ----a-w c:\documents and settings\kids\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 05:17 . 2009-04-01 05:17 -------- d-----w c:\program files\CometEditor
2009-03-26 22:23 . 2009-04-22 01:21 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2009-04-22 01:21 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-19 15:08 . 2009-03-19 15:08 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-19 09:50 . 2009-03-19 09:50 -------- d-----w c:\program files\Web Page Maker
2009-03-18 06:26 . 2009-03-18 05:58 41955 ----a-w c:\windows\DIIUnin.dat
2009-03-18 06:26 . 2009-03-18 06:03 237568 ----a-w c:\documents and settings\Diablo II\BNUpdate.exe
2009-03-18 06:25 . 2009-03-16 19:53 -------- d-----w c:\program files\Diablo II
2009-03-18 06:23 . 2009-03-09 02:52 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-03-18 06:23 . 2009-03-09 02:52 17212 ----atw c:\windows\system32\SIntf32.dll
2009-03-18 06:23 . 2009-03-09 02:52 12067 ----atw c:\windows\system32\SIntf16.dll
2009-03-18 06:21 . 2009-03-18 05:58 95232 ----a-w c:\documents and settings\Diablo II\SmackW32.dll
2009-03-18 06:21 . 2009-03-18 05:58 36864 ----a-w c:\documents and settings\Diablo II\Diablo II.exe
2009-03-18 06:21 . 2009-03-18 05:58 180224 ----a-w c:\documents and settings\Diablo II\ijl11.dll
2009-03-18 06:21 . 2009-03-18 05:45 200704 ----a-w c:\documents and settings\Diablo II\binkw32.dll
2009-03-18 05:58 . 2009-03-18 05:58 94208 ----a-w c:\windows\DIIUnin.exe
2009-03-18 05:58 . 2009-03-18 05:58 2829 ----a-w c:\windows\DIIUnin.pif
2009-03-15 21:34 . 2009-03-15 21:34 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-11 05:08 . 2009-03-11 05:08 17801 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-11 01:09 . 2009-03-11 01:09 -------- d-----w c:\program files\VideoLAN
2009-03-11 00:11 . 2009-03-11 00:11 -------- d-----w c:\program files\Creative
2009-03-10 20:51 . 2009-03-10 20:37 -------- d-----w c:\program files\Microsoft Expression
2009-03-10 20:47 . 2009-03-10 20:47 -------- d-----w c:\program files\Microsoft Works
2009-03-10 20:47 . 2009-03-10 20:47 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-03-10 20:45 . 2009-03-10 20:45 -------- d-----w c:\program files\Microsoft.NET
2009-03-10 20:39 . 2009-03-10 20:39 -------- d-----w c:\program files\Common Files\Nikon
2009-03-10 01:37 . 2006-12-23 21:11 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-09 23:44 . 2009-03-09 23:44 129 ----a-w c:\documents and settings\Adults\Local Settings\Application Data\fusioncache.dat
2009-03-08 21:36 . 2009-03-08 21:26 5490375 ----a-w c:\documents and settings\Diablo II\LODPatch_112a.exe
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-03-09 396288]
"DiskChk help"="c:\documents and settings\All Users\proto.dll" [2009-05-03 27136]
"nvd32_r"="c:\documents and settings\Adults\Application Data\unobi.dll" [2009-03-22 36864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-16 95536]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-05-02 492808]

c:\documents and settings\Adults\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 576000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll70.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"DEFG,|-|q-|x-|>"= DEFG,|-|q-|x-|>:Nod32 Runtime
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [5/2/2009 4:26 PM 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/2/2009 4:24 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [5/2/2009 4:15 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [5/2/2009 4:24 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [5/2/2009 4:15 PM 335376]
S2 gupdate1c9b9758b025e6;Google Update Service (gupdate1c9b9758b025e6);c:\program files\Google\Update\GoogleUpdate.exe [4/9/2009 5:41 PM 133104]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [5/2/2009 4:24 PM 497008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-10 00:40]

2009-05-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-10 00:40]

2009-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-562591055-725345543-1003.job
- c:\documents and settings\Adults\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 04:36]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Adults\Application Data\Mozilla\Firefox\Profiles\5f4s8jit.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 19:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-562591055-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-09 19:34
ComboFix-quarantined-files.txt 2009-05-09 02:34

Pre-Run: 6,927,179,776 bytes free
Post-Run: 7,105,712,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

298 --- E O F --- 2009-04-29 10:01

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:36 AM

Posted 09 May 2009 - 12:04 AM

Hello,

You're welcome. :)

That was a nasty rootkit. :thumbup2: Still some baddies showing in the logs though...

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

How is it running please? :step4:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 steveguru11

steveguru11
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:36 AM

Posted 09 May 2009 - 02:39 AM

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/8/2009 11:52:48 PM
mbam-log-2009-05-08 (23-52-48).txt

Scan type: Quick Scan
Objects scanned: 76178
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvd32_r (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Adults\Application Data\unobi.dll (Trojan.Agent) -> Delete on reboot.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:45 AM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adults\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [DiskChk help] rundll32.exe "C:\Documents and Settings\All Users\proto.dll" run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9b9758b025e6) (gupdate1c9b9758b025e6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 4742 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:36 AM

Posted 09 May 2009 - 02:58 AM

How is it running please?

:thumbup2:

#7 steveguru11

steveguru11
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:36 AM

Posted 09 May 2009 - 03:03 AM

It's freezing up about every 15 mins.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-09 01:01:55
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xBA66A4FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xBA675D50]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E511F8
Device \FileSystem\Fastfat \Fat 89622500
Device \FileSystem\Fastfat \Fat 88AB4D30

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Modules - GMER 1.0.15 ----

Module _________ BA5CC000-BA5E4000 (98304 bytes)

---- EOF - GMER 1.0.15 ----

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:36 AM

Posted 09 May 2009 - 05:14 AM

I didn't ask you to run that. :thumbup2: What else have you done that I don't know about please? :)

#9 steveguru11

steveguru11
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:36 AM

Posted 09 May 2009 - 06:30 AM

That is the only other thing. I'm sorry, just trying to give you as much info as possible.
I ran Malwarebytes again and it found 3 more.




Malwarebytes' Anti-Malware 1.36
Database version: 2098
Windows 5.1.2600 Service Pack 3

5/9/2009 4:19:45 AM
mbam-log-2009-05-09 (04-19-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220714
Time elapsed: 2 hour(s), 25 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\All Users\proto.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diskchk help (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\Hotfix-KB5504305 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\proto.dll (Trojan.Agent) -> Delete on reboot.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:01 AM, on 5/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9b9758b025e6) (gupdate1c9b9758b025e6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 4389 bytes
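As an added example (not part of this thread and not code from any of the tools shown in it), here is a small Python triage script that flags the kinds of log entries the helper acted on above: a Run key loading a DLL from a profile directory via rundll32, an executable named under the LSA key, Security Center monitoring switched off, the Windows Firewall disabled, and AutoRun commands on removable drives. The sample lines are constructed from the entries visible in this thread; the rule names are assumptions of my own.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example)."""
import re

# Constructed sample built from the entries shown earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [DiskChk help] rundll32.exe "C:\Documents and Settings\All Users\proto.dll" run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll70.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
"""

O4_RUN_RE = re.compile(r'^O4 - \S+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$')
SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
PROFILE_DIR_RE = re.compile(r'documents and settings', re.IGNORECASE)
EXE_VALUE_RE = re.compile(r'^\S+\s+REG_SZ\s+.*\.exe\s*$', re.IGNORECASE)
MONITOR_OFF_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.IGNORECASE)


def triage(log_text):
    """Return (rule, line) pairs for every line that matches a rule.

    Rules are deliberately narrow and only mark lines for a human to
    review; matching a rule does not by itself prove infection.
    """
    findings = []
    section = ''  # lower-cased registry key of the current block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('key').lower()
            continue
        m = O4_RUN_RE.match(line)
        if m:
            cmd = m.group('cmd').lower()
            # rundll32 loading a DLL out of a user or All Users profile
            # directory, as proto.dll was here, is a classic persistence shape.
            if 'rundll32' in cmd and '.dll' in cmd and PROFILE_DIR_RE.search(cmd):
                findings.append(('run-key-rundll32-dll-in-profile', line))
            continue
        if section.endswith('\\control\\lsa') and EXE_VALUE_RE.match(line):
            # The LSA key holds authentication settings; a value naming an
            # executable there is a launch point that deserves a look.
            findings.append(('lsa-key-names-executable', line))
        elif '\\security center\\monitoring' in section and MONITOR_OFF_RE.match(line):
            findings.append(('security-center-monitoring-disabled', line))
        elif section.endswith('\\standardprofile') and FIREWALL_OFF_RE.match(line):
            findings.append(('windows-firewall-disabled', line))
        elif 'mountpoints2' in section and line.lower().startswith('\\shell\\autorun\\command'):
            findings.append(('removable-media-autorun', line))
    return findings


def rules_hit(log_text):
    """Sorted list of the distinct rule names that fired."""
    return sorted({rule for rule, _ in triage(log_text)})


if __name__ == '__main__':
    for rule, line in triage(SAMPLE_LOG):
        print(f'{rule:40} {line}')
```

Feed it a whole HijackThis or ComboFix log and review every flagged line by hand; the benign ctfmon and OM2_Monitor entries in the sample are left alone.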

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:36 AM

Posted 09 May 2009 - 06:16 PM

Hello,

Thanks. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\Documents and Settings\All Users\proto.dll
C:\Documents and Settings\Adults\Application Data\unobi.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:36 AM

Posted 20 May 2009 - 10:44 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
