Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

major problems, need help plz, hijacker and data miner


  • This topic is locked This topic is locked
2 replies to this topic

#1 superslo

superslo

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:32 AM

Posted 06 August 2009 - 08:33 PM

Ok here's the scoop. I noticed my computer had been running slow sometime ago and began looking around on the harddrive and other places. Well in the meantime, I posted a topic @malwarebytes.org, not that y'all were my second choice, just wasn't sure where to go, and I'm still not. That was August 2nd. Since then, I discovered a complete mirror of my hard disk, and mailing logs of Excel files of each and every process and task I undertook on my computer. (like my taxes!! ouch!)

Anyway, I was quite frustrated and began deleting files, and in true virus form, alot of them would come back. Well needless to say, I finally rendered the hard disk useless, and had to purchase a new one. I thought well, problem solved, new hard disk, clean install, good to go.... You probably won't believe this, because I still don't, but after reinstalling windows approx. 16 times, somehow the virus is on the hard drive before I connect to the internet. I changed out the DVD drive with a new one, that didn't work, flashed the bios, that didn't work, tried another new harddrive, nope....then tried a different Windows CD, just in case I had a bootleg copy. Still no! The virus moves faster now and is more noticeable than before. It has infected several computers at my house, and my work. I'm at a loss, and need some help please. Oh and they took over my router that was WPA2 secured, so I got a new one of those as well. Also did installs of windows with the USBs disabled, but to no avail. I'm going to post the logs of what was going on before the HD crash from malwarebytes to give you an idea of what there was. Then if you need current logs, please let me know. THANK YOU in advance!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:29 AM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefoxs\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorers
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 4644 bytes


Here is a game log:

GMER 1.0.15.15011 [3b32wi5o.exe] - http://www.gmer.net
Rootkit scan 2009-08-02 03:29:12
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

And finally the malwarebytes log:

This is the third time it has found and not removed this file....even tried it twice in safemode.

Malwarebytes' Anti-Malware 1.39
Database version: 2544
Windows 5.1.2600 Service Pack 3

8/2/2009 3:05:37 AM
mbam-log-2009-08-02 (03-05-37).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 130463
Time elapsed: 18 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and a file called setup50.exe keep rewriting itself...


GMER 1.0.15.15011 [3b32wi5o.exe] - http://www.gmer.net
Rootkit scan 2009-08-02 08:36:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT BAF62D36 ZwCreateKey
SSDT BAF62D2C ZwCreateThread
SSDT BAF62D3B ZwDeleteKey
SSDT BAF62D45 ZwDeleteValueKey
SSDT BAF62D4A ZwLoadKey
SSDT BAF62D18 ZwOpenProcess
SSDT BAF62D1D ZwOpenThread
SSDT BAF62D54 ZwReplaceKey
SSDT BAF62D4F ZwRestoreKey
SSDT BAF62D40 ZwSetValueKey
SSDT BAF62D27 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? PxHelp20.sys The system cannot find the file specified. !
? system32\DRIVERS\msfwhlpr.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\posaoqRI@ FCBYw\XFBj]C}dS}~?OOaoH{_
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\qbxwkh@ Yv[Ar@t_zGDjB}

---- EOF - GMER 1.0.15 ----

and then here is the most recent hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:51 AM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Me\Desktop\3b32wi5o.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Me\LOCALS~1\Temp\Temporary Directory 1 for coolsuite.zip\RootRepeal.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Documents and Settings\Me\My Documents\Ecstasy\Avira\AntiVir Desktop\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe



Root Repeal log-----

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/02 09:02
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\documents and settings\me\cookies\me@malwarebytes[2].txt
Status: Size mismatch (API: 517, Raw: 514)

Path: c:\documents and settings\me\local settings\temp\~df7e05.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\me\local settings\temp\~dfa29a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\CHKBK9L7\index[2].htm
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\me\local settings\temporary internet files\content.ie5\iijqe0jr\index[2].htm
Status: Allocation size mismatch (API: 61440, Raw: 131072)

Path: c:\documents and settings\me\local settings\application data\microsoft\internet explorer\recovery\active\{0f5a43d6-7f68-11de-84a4-002215202f7d}.dat
Status: Size mismatch (API: 19968, Raw: 16896)

Edited by superslo, 06 August 2009 - 08:54 PM.


BC AdBot (Login to Remove)

 


#2 superslo

superslo
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:32 AM

Posted 13 August 2009 - 10:11 PM

You can lock this thread, I got the help I needed.

Thank you though.



#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:32 AM

Posted 14 August 2009 - 02:11 AM

Thank you for letting us know. I'm glad your computer issues have been resolved. If you experience problems, please start a new topic.

As this issue is resolved, this topic shall now be closed. Happy computing.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users