Help, mysterious svchost.exe shows as hidden process


This topic is locked
3 replies to this topic

#1 djsmuv

Posted 22 July 2009 - 12:01 PM

GMER shows this as a rootkit.

So, here's my DDS scan and ComboFix scan.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 13:55:17.56 on Wed 07/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.551 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\administrator.zzzz-8f896kp6zl\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.zzz\applic~1\mozilla\firefox\profiles\8yq7jhqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1005904]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-9-27 215040]
S2 bsllmyfj;kfvdmypqx;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 jipwalam;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S2 jniamknfm;Universal Center;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]

=============== Created Last 30 ================

2009-07-22 13:54 359,929 a------- C:\dds.scr
2009-07-22 13:43 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-22 13:38 <DIR> a-dshr-- C:\cmdcons
2009-07-22 13:37 219,648 a------- c:\windows\PEV.exe
2009-07-22 13:37 161,792 a------- c:\windows\SWREG.exe
2009-07-22 13:37 98,816 a------- c:\windows\sed.exe
2009-07-22 13:37 <DIR> --ds---- C:\ComboFix
2009-07-22 12:08 35,948,758 a------- C:\newreg.reg
2009-07-22 10:50 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-22 06:29 <DIR> --d----- C:\WINDOWS.0

==================== Find3M ====================

2004-10-15 13:01 21,952 a---h--- c:\program files\folder.htt
2004-10-15 13:01 271 ---sh--- c:\program files\desktop.ini

============= FINISH: 13:55:31.34 ===============


ComboFix

ComboFix 09-07-21.05 - Administrator 07/22/2009 13:39.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.668 [GMT -4:00]
Running from: c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Application Data\.#
c:\recycler\S-1-5-21-1960408961-839522115-854245398-500
c:\recycler\S-1-5-21-790525478-2000478354-839522115-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\185acab.msi

.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 20:13 . 2009-07-22 20:13 24819340 ----a-w- C:\Brettoriginalreg.reg
2009-07-22 20:11 . 2009-07-22 20:11 -------- d-----w- c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL.000\Local Settings\Application Data\Mozilla
2009-07-22 16:08 . 2009-07-22 16:08 -------- d-sh--w- c:\documents and settings\Administrator.ZEFFY2-1B88BAC6\PrivacIE
2009-07-22 16:08 . 2009-07-22 16:08 35948758 ----a-w- C:\newreg.reg
2009-07-22 15:28 . 2009-07-22 15:28 12528 ----a-w- c:\documents and settings\Administrator.ZEFFY2-1B88BAC6\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 15:06 . 2009-07-22 15:06 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-07-22 15:06 . 2009-07-22 14:53 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-07-22 15:06 . 2009-07-22 15:06 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY
2009-07-22 14:55 . 2009-07-22 14:55 64832 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-22 14:55 . 2009-07-22 14:55 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY
2009-07-22 14:55 . 2009-07-22 14:53 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-22 14:55 . 2009-07-22 14:52 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-07-22 14:55 . 2009-07-22 14:55 -------- d-----w- c:\program files\MSBuild
2009-07-22 14:55 . 2009-07-22 14:55 -------- d-----w- c:\program files\Reference Assemblies
2009-07-22 14:53 . 2009-07-22 14:53 -------- d-sh--w- c:\documents and settings\Default User.WINDOWS.0\IETldCache
2009-07-22 14:52 . 2009-07-22 14:53 -------- d-s---w- c:\documents and settings\Default User.WINDOWS.0\Local Settings\Application Data\Microsoft
2009-07-22 14:52 . 2009-07-22 14:52 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\DRM
2009-07-22 14:50 . 2009-07-22 14:50 -------- d-----w- c:\program files\MSXML 4.0
2009-07-22 10:33 . 2009-07-22 14:58 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.0
2009-07-22 10:33 . 2009-07-22 14:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0
2009-07-22 10:29 . 2009-07-22 16:06 -------- d-----w- C:\WINDOWS.0
2009-07-21 16:30 . 2009-07-21 16:30 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-07-06 23:36 . 2009-07-06 23:36 314712 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-06 23:36 . 2009-07-06 23:36 25440 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 23:36 . 2009-07-06 23:36 1630560 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 23:36 . 2009-07-06 23:36 2353480 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-04 05:41 . 2004-08-04 07:56 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-06-29 23:45 . 2009-06-29 23:45 169312 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-29 23:45 . 2009-06-29 23:45 348496 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-29 23:45 . 2009-06-29 23:45 298336 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-29 23:45 . 2009-06-29 23:45 84832 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-29 23:43 . 2009-06-29 23:43 246128 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-29 23:43 . 2009-06-29 23:43 40288 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-29 23:43 . 2009-06-29 23:43 85352 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-29 23:43 . 2009-06-29 23:43 664424 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-29 23:42 . 2009-06-29 23:42 563064 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-29 23:41 . 2009-06-29 23:41 566632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-29 23:38 . 2009-06-29 23:38 629072 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-29 23:38 . 2009-06-29 23:38 520024 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-29 23:38 . 2009-06-29 23:38 1029456 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 15:20 . 2007-12-23 22:34 -------- d-----w- c:\program files\World of Warcraft
2009-07-22 14:50 . 2009-06-06 02:46 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-06 02:43 . 2009-06-06 02:43 -------- d-----w- c:\program files\Netflix
2009-06-05 01:57 . 2009-05-09 16:52 -------- d-----w- c:\program files\AOL Games
2009-06-04 21:19 . 2008-04-08 23:03 -------- d-----w- c:\program files\Yahoo! Games
2009-06-04 21:01 . 2009-06-04 20:56 -------- d-----w- c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Application Data\BloodTies
2009-06-01 23:31 . 2009-06-01 23:31 15688 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-01 07:29 . 2008-05-04 03:26 -------- d-----w- c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Application Data\iWin
2009-05-29 22:16 . 2009-05-29 22:16 -------- d-----w- c:\program files\BellSouth
2009-05-29 22:16 . 2006-05-26 00:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-27 23:24 . 2009-04-27 23:24 64160 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2004-10-15 17:01 . 2004-10-15 17:01 21952 ---ha-w- c:\program files\folder.htt
2009-06-12 05:26 . 2008-12-22 03:21 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-01 518488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
BitTorrent.lnk - c:\program files\BitTorrent\bittorrent.exe [2006-2-3 153088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\RpcSandraSrv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9721:TCP"= 9721:TCP:obwzgdk

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [5/22/2007 5:04 AM 18088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [9/27/2008 12:36 PM 215040]
S2 bsllmyfj;kfvdmypqx;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S2 jipwalam;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S2 jniamknfm;Universal Center;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jniamknfm
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 23:27]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath - c:\documents and settings\Administrator.ZZZZ-8F896KP6ZL\Application Data\Mozilla\Firefox\Profiles\8yq7jhqb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 13:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsllmyfj]
"ServiceDll"="c:\windows\system32\pxgmga.dll.old"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jipwalam]
"ServiceDll"="c:\windows\system32\pxgmga.dll.old"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jniamknfm]
"ServiceDll"="c:\windows\system32\pxgmga.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-22 13:44
ComboFix-quarantined-files.txt 2009-07-22 17:44

Pre-Run: 34,927,628,288 bytes free
Post-Run: 35,331,309,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect

166 --- E O F --- 2009-05-18 03:08



#2 djsmuv


Posted 23 July 2009 - 03:55 PM

So this is a false alarm?

Hello djsmuv,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 23 July 2009 - 05:39 PM.


#3 djsmuv


Posted 25 July 2009 - 06:06 PM

Hey weatherman, thanks for the advice, I won't bump again.
I know you guys are super duper busy so I had to take care of this myself.
This hidden service "svchost.exe" only showed up in GMER, so I used GMER to delete the service, then my BartPE disk to remove the guilty DLL (pxgmga.dll) and regedit to delete the specific entries from my GMER log.
Tada! Clean PC.

Edited by djsmuv, 25 July 2009 - 06:21 PM.
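The triage and removal this thread describes, as an added Python example that is not part of the original posts or of any of the tools named in them (GMER, DDS, ComboFix, BartPE). It parses the kind of log lines posted in #1: the three random-named services whose ImagePath is `svchost.exe -k netsvcs`, the `ServiceDll` values pointing at pxgmga.dll and pxgmga.dll.old, and the `jniamknfm` name that ComboFix lists as added to the netsvcs group. It then emits the stop/delete/unregister/remove-DLL sequence from #3 as XP command-prompt commands. The list of stock netsvcs members is an assumption made for the example and should be replaced with the value exported from a clean machine of the same build; the sample log is constructed from the lines on this page.

```python
# Added example (not the thread's own tooling): triage svchost-hosted services
# from DDS/ComboFix output and emit the removal steps for what gets flagged.
import re

# Stock XP SP2 "netsvcs" members. An ASSUMPTION for this example: for a real
# case, export the live value from a clean machine of the same build.
NETSVCS_BASELINE = set("""6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP
ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon
LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation
Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess
SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc
xmlprov BITS wuauserv ShellHWDetection helpsvc uploadmgr""".split())

# Constructed sample: the relevant lines from the logs posted in this thread.
SAMPLE_LOG = r"""
S2 bsllmyfj;kfvdmypqx;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S2 jipwalam;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S2 jniamknfm;Universal Center;c:\windows\system32\svchost.exe -k netsvcs [3/31/2003 8:00 AM 14336]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jniamknfm
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsllmyfj]
"ServiceDll"="c:\windows\system32\pxgmga.dll.old"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jipwalam]
"ServiceDll"="c:\windows\system32\pxgmga.dll.old"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jniamknfm]
"ServiceDll"="c:\windows\system32\pxgmga.dll"
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s+\[")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\\w+\\Services\\([^\]\\]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"', re.I)

def parse_log(text):
    """Collect image paths, ServiceDll values and the extra netsvcs names."""
    out, key, in_netsvcs = {"images": {}, "dlls": {}, "extra_netsvcs": []}, None, False
    for line in text.splitlines():
        line = line.strip()
        if in_netsvcs:                               # names run until a lone "."
            if line == ".":
                in_netsvcs = False
            elif line:
                out["extra_netsvcs"].append(line)
        elif line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif (m := SERVICE_RE.match(line)):
            out["images"][m.group(1)] = m.group(2)
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := DLL_RE.match(line)) and key:
            out["dlls"][key] = m.group(1)            # live box: under Services\<name>\Parameters
    return out

def triage(parsed):
    """Flag services that svchost.exe hosts but that are not stock components."""
    findings = []
    for name, image in parsed["images"].items():
        host = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.I)
        if not host:
            continue                                 # own exe or driver: out of scope here
        dll, reasons = parsed["dlls"].get(name), []
        if host.group(1).lower() == "netsvcs" and name not in NETSVCS_BASELINE:
            reasons.append("not a stock netsvcs member")
        if dll and not dll.lower().endswith(".dll"):
            reasons.append(f"ServiceDll has a non-.dll extension: {dll}")
        if reasons:
            findings.append({"service": name, "dll": dll, "reasons": reasons})
    flagged = {f["service"] for f in findings}
    for name in parsed["extra_netsvcs"]:             # names injected into the multi-sz
        if name not in NETSVCS_BASELINE and name not in flagged:
            findings.append({"service": name, "dll": None, "reasons": ["added to netsvcs"]})
    return findings

def cleanup_plan(findings, live_netsvcs):
    """XP command-prompt steps for the removal the poster describes. live_netsvcs
    is the machine's current multi-sz (read it first). Returned, not run."""
    bad, cmds = sorted({f["service"] for f in findings}), []
    for name in bad:
        cmds += [f"sc stop {name}", f"sc delete {name}"]   # sc delete drops the Services key
    kept = [n for n in live_netsvcs if n not in bad]
    if len(kept) != len(live_netsvcs):
        cmds.append('reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" '
                    '/v netsvcs /t REG_MULTI_SZ /d "' + "\\0".join(kept) + '" /f')
    # svchost keeps the DLL mapped while the service runs: delete it after the
    # stop and a reboot, or offline (BartPE, as the poster did).
    for dll in sorted({f["dll"] for f in findings if f["dll"]}):
        cmds.append(f'del /f /a "{dll}"')
    return cmds

if __name__ == "__main__":
    findings = triage(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f["service"], "->", "; ".join(f["reasons"]))
    live = sorted(NETSVCS_BASELINE) + ["jniamknfm"]  # constructed live multi-sz
    print("\n".join(cleanup_plan(findings, live)))
```

Order matters in the plan: `sc delete` removes the service key, but svchost.exe keeps the ServiceDll mapped while the service is running, so the file only goes away after a stop and a reboot or from outside the running OS, which is what the BartPE step in the post achieves. `reg add` takes `\0` as the separator for a REG_MULTI_SZ value, so rewriting netsvcs this way needs the complete live list rather than just the names being removed; read it with `reg query` before generating the command. The same ComboFix log also shows `EnableFirewall` set to 0 and a TCP/9721 exception named `obwzgdk` in the standard profile; this example does not touch those, and they deserve the same review.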


#4 Guest_The weatherman_*


Posted 29 July 2009 - 05:42 PM

Thanks for letting us know djsmuv.



