Rustock? or Malware


30 replies to this topic

#1 las8

Posted 01 August 2009 - 10:16 PM

Hello BleepingComputer users. My computer has been acting really weird lately; when I click on internet links the first time, it usually goes to some random website. I was trying to access a website I usually use last night and it said I had Trojan Rustock-B. I have been trying to fix this for the past few hours but I am getting nowhere. I tried to download multiple malware/spyware programs but none of them are even booting, and some go to that blue screen when I try to install them. I'm guessing this nasty virus is stopping it. Here is my log.... Thanks, this is frustrating and I don't really know what I am doing, and I thought I was good with computers.


DDS (Ver_09-07-30.01) - NTFSx86
Run by adam at 22:05:15.94 on Sat 08/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.824 [GMT -5:00]

SP: Trend Micro AntiVirus *enabled* (Updated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\WiniFighter Software\WiniFighter\WiniFighterSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Windows\system32\wuauclt.exe
C:\Users\adam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JS1F4RED\HiJackThis[1].exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\rundll32.exe
C:\Windows\system32\sdclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{BCD32E68-C1C9-4EFA-95E8-D19A3133589F}
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WeatherDPA] "c:\program files\zango\bin\10.3.65.0\Weather.exe" -auto
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Monopod] c:\users\adam\appdata\local\temp\b.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\users\adam\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\adam\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mri_di~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mri_di~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/wireless/bin/sysreqlab_srlx.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://75.52.180.166/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
TCP: NameServer = 85.255.112.104,85.255.112.155
TCP: {704FD937-485D-451D-9B6C-5E6F3A3F122B} = 85.255.112.104,85.255.112.155
TCP: {BFCAD9FC-FE8B-441A-8EDC-EFA85F538EBE} = 85.255.112.104,85.255.112.155
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\adam\appdata\roaming\mozilla\firefox\profiles\hq3eeihm.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101760&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\adam\appdata\roaming\mozilla\firefox\profiles\hq3eeihm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000005.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-1 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-27 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-27 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-7-27 51792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-1 348752]
R2 WiniFighterSvc;WiniFighter Security Service;c:\program files\winifighter software\winifighter\WiniFighterSvc.exe [2009-7-31 69120]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-4-1 4232704]

=============== Created Last 30 ================

2009-08-01 20:21 <DIR> --d----- C:\Rustbfix
2009-08-01 19:53 <DIR> --d----- c:\program files\HJT
2009-08-01 19:45 <DIR> a-d----- c:\programdata\TEMP
2009-08-01 19:45 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-01 19:44 <DIR> --d----- c:\users\adam\appdata\roaming\PC Tools
2009-08-01 19:44 <DIR> --d----- c:\programdata\PC Tools
2009-08-01 19:44 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-01 19:44 <DIR> --d----- c:\progra~2\PC Tools
2009-08-01 19:44 506,368 a------- c:\windows\system32\msxml.dll
2009-08-01 19:38 172,032 a------- c:\windows\system32\igfxres.dll
2009-08-01 19:35 <DIR> --d----- c:\program files\MB
2009-08-01 12:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 12:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 12:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-01 12:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-01 12:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 12:09 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-01 11:44 <DIR> --d----- c:\program files\WiniFighter Software
2009-07-28 04:20 17,571 a------- c:\windows\2b94zt5al2558.ocx
2009-07-28 01:35 14,206 a------- c:\windows\system32\3595backdo9z2049.ocx
2009-07-27 09:12 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-07-26 23:00 <DIR> --d----- c:\programdata\Avira
2009-07-26 23:00 <DIR> --d----- c:\program files\Avira
2009-07-26 23:00 <DIR> --d----- c:\progra~2\Avira
2009-07-26 22:50 <DIR> --d----- c:\users\adam\appdata\roaming\AVG8
2009-07-24 04:42 5,998 a------- c:\windows\system32\18954sp92z65.cpl
2009-07-23 13:54 17,810 a------- c:\windows\system32\1z88addwa9e29465.ocx
2009-07-23 09:12 11,695 a------- c:\windows\system32\35e65z9eat3220.ocx
2009-07-23 03:48 5,192 a------- c:\windows\1485595t-a-viruz577.ocx
2009-07-20 00:16 17,310 a------- c:\windows\system32\5fzbsteal929.cpl
2009-07-19 18:49 7,388 a------- c:\windows\system32\6a15zir196.cpl
2009-07-17 17:18 8,711 a------- c:\windows\system32\3zc4spyw9r5234.dll
2009-07-17 16:01 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-07-17 07:44 6,871 a------- c:\windows\system32\26613wormz259.exe
2009-07-16 17:30 5,563 a------- c:\windows\4543not9a-virzs41c.exe
2009-07-15 10:55 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 10:55 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 10:55 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 10:55 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-15 09:15 6,793 a------- c:\windows\11c2spa9s53104z.bin
2009-07-15 02:28 13,910 a------- c:\windows\77d9ste5z1057.cpl
2009-07-12 14:30 4,860 a------- c:\windows\315519ot-a5vzrus533.dll
2009-07-09 20:08 <DIR> --d----- C:\Poker Application
2009-07-08 18:36 12,567 a------- c:\windows\22z56worm6469.cpl
2009-07-08 04:21 14,469 a------- c:\windows\system32\z3162spy159.cpl
2009-07-05 12:28 2,904 a------- c:\windows\system32\z6cbbackdoor2495.ocx
2009-07-05 04:15 16,855 a------- c:\windows\12597hzckto9l56e.exe
2009-07-04 16:44 15,359 a------- c:\windows\591zvirus389.cpl

==================== Find3M ====================

2009-08-01 12:39 147,626 a------- c:\windows\hpoins21.dat
2009-07-17 16:03 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-17 16:03 51,200 a------- c:\windows\inf\infpub.dat
2009-07-17 16:02 86,016 a------- c:\windows\inf\infstor.dat
2009-07-02 09:43 17,738 a------- c:\windows\10979z9y715.dll
2009-07-02 05:46 10,560 a------- c:\windows\1e95stezl1854.dll
2009-06-28 03:46 3,652 a------- c:\windows\system32\1989zwo5m2659.exe
2009-06-27 13:56 6,083 a------- c:\windows\system32\z08649ot-a-vir5s28b.exe
2009-06-24 07:28 13,538 a------- c:\windows\97003noz-a-5irus4ec.exe
2009-06-20 16:39 2,651 a------- c:\windows\49e85hzef1267.bin
2009-06-10 09:48 4,921 a------- c:\windows\6526zhief2975.bin
2009-06-10 08:09 2,795 a------- c:\windows\system32\14555zpa5bot797.exe
2009-06-07 00:05 2,927 a------- c:\windows\system32\5596tzo9125.bin
2009-06-06 10:04 15,173 a------- c:\windows\system32\2z589not-9-virus58b.bin
2009-06-04 11:24 4,967 a------- c:\windows\135915orz923.exe
2009-06-04 07:40 7,089 a------- c:\windows\7f54threzt90770.exe
2009-06-04 04:24 6,975 a------- c:\windows\29027spz54a5.exe
2009-06-02 10:25 11,598 a------- c:\windows\system32\98159virus5zc.exe
2009-05-27 03:08 14,665 a------- c:\windows\system32\282z19py3fb5.dll
2009-05-19 08:43 15,141 a------- c:\windows\96bf5ownloader529z.bin
2009-05-17 13:39 17,175 a------- c:\windows\system32\667tr5j598z.dll
2009-05-16 06:33 6,961 a------- c:\windows\19979virus7a5z.dll
2009-05-14 07:00 3,302 a------- c:\windows\system32\3d98a5zware609.bin
2009-05-12 05:03 12,639 a------- c:\windows\a5v9r878z.dll
2009-05-08 12:48 12,114 a------- c:\windows\system32\3337b59kdoorz356.bin
2009-05-08 04:49 18,122 a------- c:\windows\24180v5rzs7809.dll
2009-05-06 07:28 15,832 a------- c:\windows\system32\431spyz59e358.dll
2009-05-04 13:37 11,248 a------- c:\windows\system32\30225spa9zo5741.dll
2009-01-04 01:46 174 a--sh--- c:\program files\desktop.ini
2009-01-04 01:36 665,600 a------- c:\windows\inf\drvindex.dat
2008-08-17 16:30 56 a---h--- c:\programdata\ezsidmv.dat
2008-08-17 16:30 56 a---h--- c:\progra~2\ezsidmv.dat
2007-12-16 23:59 0 a------- c:\users\adam\appdata\roaming\wklnhst.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-16 16:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-01-16 16:47 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-01-16 16:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 22:09:35.40 ===============
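Added example, not part of this thread and not a BleepingComputer or DDS tool: a small Python triage pass over lines in the shape of the DDS log above, flagging the things a helper reads such a log for (a Run entry launching from a temp folder, EnableLUA = 0, nameservers that are not the ones the machine should be using, and file names directly under c:\windows that mix long digit runs with letters). The sample lines are copied from the log in post #1; EXPECTED_DNS is an assumed value.

```python
# Added example for this thread (not a BleepingComputer or DDS tool): a triage pass
# over lines in the shape of the DDS log above.
import re

# Constructed sample: a few lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Monopod] c:\users\adam\appdata\local\temp\b.exe
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 85.255.112.104,85.255.112.155
TCP: {704FD937-485D-451D-9B6C-5E6F3A3F122B} = 85.255.112.104,85.255.112.155
2009-07-28 01:35 14,206 a------- c:\windows\system32\3595backdo9z2049.ocx
2009-07-15 10:55 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-05 04:15 16,855 a------- c:\windows\12597hzckto9l56e.exe
2009-08-01 12:39 147,626 a------- c:\windows\hpoins21.dat
"""

# Assumption: the resolvers this machine should be using (a home router here).
EXPECTED_DNS = {"192.168.1.1"}

RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s+(.*)$", re.I)
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-F-]+\}) = (?P<ips>[\d.,]+)", re.I)
# Only files created directly under c:\windows or c:\windows\system32
# ("Created Last 30" / "Find3M" lines); subdirectories do not match.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S+\s+"
    r"c:\\windows\\(?:system32\\)?(?P<name>[^\\]+)$",
    re.I,
)


def run_target(line):
    """Return the executable path of a uRun/mRun line, or None for other lines."""
    m = RUN_RE.match(line)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]   # quoted path, arguments follow the quote
    return rest.split()[0]                 # unquoted path, arguments after first space


def looks_random(name):
    """Heuristic: a stem mixing at least four digits with at least three letters."""
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 4 and letters >= 3


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (category, line) pairs for lines a helper would want to look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        target = run_target(line)
        if target is not None:
            if "\\temp\\" in target.lower():
                findings.append(("autorun-from-temp", line))
            continue
        if re.match(r"^mPolicies-system: EnableLUA = 0\b", line):
            findings.append(("uac-disabled", line))
            continue
        m = DNS_RE.match(line)
        if m:
            if any(ip not in expected_dns for ip in m.group("ips").split(",")):
                findings.append(("unexpected-dns", line))
            continue
        m = FILE_RE.match(line)
        if m and looks_random(m.group("name")):
            findings.append(("random-name-in-windows", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:24} {line}")
```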


#2 thewall (Malware Response Team)

Posted 02 August 2009 - 10:55 AM

Hello las8, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Your log shows that you have both Trend Micro and Avast running on your computer. We are going to need to get one of them off, but let's not do that yet. What I would like for you to do is to go in and disable Avast for the time being. Instructions can be found HERE.


Please perform the following:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.






Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 las8 (Topic Starter)

Posted 02 August 2009 - 03:22 PM

OK, I got through your first couple of steps and I need to say a few things. I did enable immediate email notification but they aren't being sent, and I downloaded Avast because my Trend Micro expired, so I will need to remove that or I won't have any virus protection.

#4 thewall (Malware Response Team)

Posted 02 August 2009 - 04:13 PM

Go with whichever AV is your choice; I don't want you without your AV providing protection. You know more about your system and what you want. I just don't want them interfering with each other and causing us problems, which can happen sometimes. We have been having a few notification problems, so if it continues let me know.

#5 las8 (Topic Starter)

Posted 02 August 2009 - 06:31 PM

I can't seem to find Trend Micro anywhere on my computer: not in Program Files, not on the desktop or in the system tray, and no files come up when I search for the words "trend" or "trend micro". Could it be that I had it uninstalled, but it continues to perform actions in my registry?

#6 thewall (Malware Response Team)

Posted 02 August 2009 - 06:41 PM

I don't see it either in your programs. It could be something left over in the WMI. Don't worry about it right now; just go ahead with the GMER scan and we'll go from there.

#7 las8 (Topic Starter)

Posted 02 August 2009 - 07:40 PM

Here is my GMER log. Thanks for all this help.

Attached Files

  • Gmer.txt (128.94KB)


#8 thewall (Malware Response Team)

Posted 02 August 2009 - 08:38 PM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, including Windows Defender, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply. Post the log in the window provided for replying. No need to do it as an attachment.

#9 las8 (Topic Starter)

Posted 02 August 2009 - 09:06 PM

I tried both links and every time I try to run it I get a message that says combofix.exe has stopped working.

#10 thewall (Malware Response Team)

Posted 02 August 2009 - 09:56 PM

Need to make sure I understand exactly. Could you download it at all or did it refuse to download, or did it download and then refuse to run after that?

#11 las8 (Topic Starter)

Posted 02 August 2009 - 10:16 PM

I was able to download from both links but unable to launch the software.

#12 thewall (Malware Response Team)

Posted 03 August 2009 - 06:41 AM

Let's see if this will work:

Delete any version you have on your Desktop and then download a new version from one of the links above. This time when you download it rename it to adam.exe before installing it back onto your Desktop. Try this and then follow the rest of the instructions.

#13 las8 (Topic Starter)

Posted 03 August 2009 - 06:49 AM

It says Trend Micro AntiVirus is still running; should I continue anyway? I looked for it in my processes and couldn't find it.

#14 thewall (Malware Response Team)

Posted 03 August 2009 - 07:08 AM

Yes, go ahead and let it run.

#15 las8 (Topic Starter)

Posted 03 August 2009 - 07:54 AM

OK, I ran ComboFix and here is my log.

Attached Files





