Rootkit(s), no internet, seems like they're gone but my computer acts like it's in safe mode (HijackThis log included)



#1 bobic

Posted 09 June 2009 - 08:19 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38:08, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
O4 - HKLM\..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe -atboottime
O4 - HKLM\..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe
O4 - HKUS\S-1-5-21-1645522239-2139871995-725345543-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (User '?')
O4 - HKUS\S-1-5-21-1645522239-2139871995-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1645522239-2139871995-725345543-1004\..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wired AutoConfig (Dot3svc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Extensible Authentication Protocol Service (EapHost) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a4dd475c9fb0) (gupdate1c9a4dd475c9fb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Health Key and Certificate Management Service (hkmsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Network Access Protection Agent (napagent) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: User Privilege Service (usprserv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 14068 bytes

Thank you in advance :thumbup2:
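A first triage pass over lines in the HijackThis R/O section format shown above, added here as an example; it is not the poster's log, not a BleepingComputer tool, and runs on constructed sample lines. It flags the entry types a helper checks first: orphaned "(no file)" hooks, autostarts launched from user-writable directories, and services with no known owner outside the system directory, while skipping the svchost "(file missing)" lines that HijackThis 2.0.2 routinely reports on XP.

```python
import re

# Constructed sample lines in HijackThis 2.0.2 log format (not the poster's log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Example Toolbar - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: helper - Unknown owner - C:\WINDOWS\Temp\helper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")           # "O4 - ..." / "R3 - ..."
O4_RUN = re.compile(r"[^:]+: \[(?P<name>[^\]]+)\] (?P<path>.*)$")    # key: [name] command line
O23_SVC = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Autostarts launched from user-writable locations deserve a closer look.
PROFILE_DIRS = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


def triage(log_text):
    """Return (section, name, reason) for log entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = O4_RUN.match(body)
            if run and any(d in run.group("path").lower() for d in PROFILE_DIRS):
                findings.append((sec, run.group("name"), "autostart from temp/profile directory"))
        elif sec == "O23":
            svc = O23_SVC.match(body)
            if not svc:
                continue
            name, owner, path = svc.group("name", "owner", "path")
            lower = path.lower()
            if "(file missing)" in lower:
                # HJT 2.0.2 on XP routinely reports svchost-hosted services as
                # "(file missing)"; only a non-svchost missing binary is notable.
                if "svchost.exe" not in lower:
                    findings.append((sec, name, "service binary missing"))
            elif owner == "Unknown owner" and "\\windows\\system32\\" not in lower:
                findings.append((sec, name, "unknown owner outside system32"))
        elif "(no file)" in body:
            findings.append((sec, body.split(" - ")[0], "orphaned entry (no file)"))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} {name:35} {reason}")
```

Each flagged line is a prompt to look up the file, not a verdict; a helper still confirms the path, publisher and hashes before recommending removal.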

#2 Guest_superbird_*

Posted 19 June 2009 - 10:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 harrythook

Posted 22 June 2009 - 09:47 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE
