
trojan disabled my security


  • This topic is locked
38 replies to this topic

#1 Weedly

Weedly

  • Members
  • 83 posts

Posted 20 August 2009 - 06:44 PM

Hello again.

I seem to have got hit with something, as my computer started acting strange while I was working this afternoon. I had some popup that said "rasvsnet.tmp" could not run, and I found a file in my sys32 folder called "scecli.dll", which I know is malware. The worst thing is I suspect this attack has made it impossible to run both Spybot and Malwarebytes and has disabled my security program. I am posting a HijackThis log in hopes someone can shed some light on how to fix this error.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:38:05, on 8/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\net.net
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\msa.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 206.53.61.77 google.ba
O1 - Hosts: 206.53.61.77 google.bg
O1 - Hosts: 206.53.61.77 google.bs
O1 - Hosts: 206.53.61.77 google.com.gh
O1 - Hosts: 206.53.61.77 google.com.gi
O1 - Hosts: 206.53.61.77 google.com.hk
O1 - Hosts: 206.53.61.77 google.com.jm
O1 - Hosts: 206.53.61.77 google.com.ly
O1 - Hosts: 206.53.61.77 google.com.mx
O1 - Hosts: 206.53.61.77 google.com.my
O1 - Hosts: 206.53.61.77 google.com.na
O1 - Hosts: 206.53.61.77 google.com.nf
O1 - Hosts: 206.53.61.77 google.com.ng
O1 - Hosts: 206.53.61.77 google.com.np
O1 - Hosts: 206.53.61.77 google.com.om
O1 - Hosts: 206.53.61.77 google.com.pa
O1 - Hosts: 206.53.61.77 google.com.pr
O1 - Hosts: 206.53.61.77 google.com.qa
O1 - Hosts: 206.53.61.77 google.com.sg
O1 - Hosts: 206.53.61.77 google.com.tj
O1 - Hosts: 206.53.61.77 google.com.tr
O1 - Hosts: 206.53.61.77 google.com.tw
O1 - Hosts: 206.53.61.77 google.com.ua
O1 - Hosts: 206.53.61.77 google.com.vc
O1 - Hosts: 206.53.61.77 google.it.ao
O1 - Hosts: 206.53.61.77 google.dm
O1 - Hosts: 206.53.61.77 google.dz
O1 - Hosts: 206.53.61.77 google.ee
O1 - Hosts: 206.53.61.77 google.ge
O1 - Hosts: 206.53.61.77 google.gr
O1 - Hosts: 206.53.61.77 google.gy
O1 - Hosts: 206.53.61.77 google.ht
O1 - Hosts: 206.53.61.77 google.im
O1 - Hosts: 206.53.61.77 google.in
O1 - Hosts: 206.53.61.77 google.ki
O1 - Hosts: 206.53.61.77 google.la
O1 - Hosts: 206.53.61.77 google.lk
O1 - Hosts: 206.53.61.77 google.ma
O1 - Hosts: 206.53.61.77 google.md
O1 - Hosts: 206.53.61.77 google.mv
O1 - Hosts: 206.53.61.77 google.nr
O1 - Hosts: 206.53.61.77 google.nu
O1 - Hosts: 206.53.61.77 google.sc
O1 - Hosts: 206.53.61.77 google.si
O1 - Hosts: 206.53.61.77 google.sn
O1 - Hosts: 206.53.61.77 google.st
O1 - Hosts: 206.53.61.77 google.tl
O1 - Hosts: 206.53.61.77 google.us
O1 - Hosts: 206.53.61.77 google.vu
O1 - Hosts: 206.53.61.77 google.ws
O1 - Hosts: 206.53.61.77 google.co.bw
O1 - Hosts: 206.53.61.77 google.co.ck
O1 - Hosts: 206.53.61.77 google.co.id
O1 - Hosts: 206.53.61.77 google.co.ma
O1 - Hosts: 206.53.61.77 google.co.mz
O1 - Hosts: 206.53.61.77 google.co.tz
O1 - Hosts: 206.53.61.77 google.co.za
O1 - Hosts: 206.53.61.77 google.co.zm
O1 - Hosts: 206.53.61.77 google.co.zw
O1 - Hosts: 206.53.61.77 google.com.af
O1 - Hosts: 206.53.61.77 google.com.ag
O1 - Hosts: 206.53.61.77 google.com.ai
O1 - Hosts: 206.53.61.77 google.com.ar
O1 - Hosts: 206.53.61.77 google.com.bn
O1 - Hosts: 206.53.61.77 google.com.br
O1 - Hosts: 206.53.61.77 google.com.by
O1 - Hosts: 206.53.61.77 google.com.bz
O1 - Hosts: 206.53.61.77 google.com.co
O1 - Hosts: 206.53.61.77 google.com.cu
O1 - Hosts: 206.53.61.77 google.com.ec
O1 - Hosts: 206.53.61.77 google.com.et
O1 - Hosts: 206.53.61.77 google.com.fj
O1 - Hosts: 206.53.61.77 www.google.ba
O1 - Hosts: 206.53.61.77 www.google.bg
O1 - Hosts: 206.53.61.77 www.google.bs
O1 - Hosts: 206.53.61.77 www.google.com.gh
O1 - Hosts: 206.53.61.77 www.google.com.gi
O1 - Hosts: 206.53.61.77 www.google.com.hk
O1 - Hosts: 206.53.61.77 www.google.com.jm
O1 - Hosts: 206.53.61.77 www.google.com.ly
O1 - Hosts: 206.53.61.77 www.google.com.mx
O1 - Hosts: 206.53.61.77 www.google.com.my
O1 - Hosts: 206.53.61.77 www.google.com.na
O1 - Hosts: 206.53.61.77 www.google.com.nf
O1 - Hosts: 206.53.61.77 www.google.com.ng
O1 - Hosts: 206.53.61.77 www.google.com.np
O1 - Hosts: 206.53.61.77 www.google.com.om
O1 - Hosts: 206.53.61.77 www.google.com.pa
O1 - Hosts: 206.53.61.77 www.google.com.pr
O1 - Hosts: 206.53.61.77 www.google.com.qa
O1 - Hosts: 206.53.61.77 www.google.com.sg
O1 - Hosts: 206.53.61.77 www.google.com.tj
O1 - Hosts: 206.53.61.77 www.google.com.tr
O1 - Hosts: 206.53.61.77 www.google.com.tw
O1 - Hosts: 206.53.61.77 www.google.com.ua
O1 - Hosts: 206.53.61.77 www.google.com.vc
O1 - Hosts: 206.53.61.77 www.google.it.ao
O1 - Hosts: 206.53.61.77 www.google.dm
O1 - Hosts: 206.53.61.77 www.google.dz
O1 - Hosts: 206.53.61.77 www.google.ee
O1 - Hosts: 206.53.61.77 www.google.ge
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [system tool] C:\Program Files\radweu\tdqxsysguard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12605 bytes
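Helpers in threads like this read the log above by hand. As an added illustration (not part of the original thread and not HijackThis code), the following Python triages the two things that stand out in it: the O1 hosts entries that send dozens of Google country domains to 206.53.61.77, and the O4 Run entries and running processes that launch from a Temp directory or carry an odd extension such as `.net`. The sample lines are constructed from the log above; the heuristics are my assumptions, not HijackThis rules.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2 log format: a few lines taken from the
# log posted above, plus one benign hosts entry so the filter has something to skip.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 206.53.61.77 google.com.mx
O1 - Hosts: 206.53.61.77 www.google.com.mx
O1 - Hosts: 206.53.61.77 google.co.za
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [system tool] C:\Program Files\radweu\tdqxsysguard.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
"""

# Targets a hosts file may legitimately map names to: loopback, or the 0.0.0.0
# sinkhole that ad-blocking hosts lists use. Any other target is a redirect.
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# File types an autorun entry is expected to launch; anything else is odd.
EXPECTED_EXTS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S")
# First token ending in a 2-4 character extension: the program of an unquoted command.
EXE_RE = re.compile(r"^(.+?\.[A-Za-z0-9]{2,4})(?:\s|$)")


def exe_from_command(cmd):
    """Return the program a Run value launches, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def path_reasons(path):
    """Heuristic reasons why a launched file deserves a closer look."""
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("runs from a Temp directory")
    ext = ntpath.splitext(path)[1].lower()
    if ext and ext not in EXPECTED_EXTS:
        reasons.append("unusual executable extension " + ext)
    return reasons


def triage_hjt(log_text):
    """Pull hosts-file redirects and suspicious processes/autoruns out of an HJT log."""
    redirects = defaultdict(list)  # target IP -> hostnames sent there
    findings = []                  # (kind, name, path, reasons)
    for line in log_text.strip().splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOCAL_TARGETS:
                redirects[ip].append(host)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            exe = exe_from_command(cmd)
            reasons = path_reasons(exe)
            if reasons:
                findings.append(("O4 " + hive, name, exe, reasons))
            continue
        if PROC_RE.match(line):
            path = line.strip()
            reasons = path_reasons(path)
            if reasons:
                findings.append(("process", ntpath.basename(path), path, reasons))
    return {"hosts_redirects": dict(redirects), "findings": findings}


if __name__ == "__main__":
    report = triage_hjt(SAMPLE_HJT_LOG)
    for ip, hosts in report["hosts_redirects"].items():
        print("%d hosts entries redirected to %s, e.g. %s" % (len(hosts), ip, hosts[0]))
    for kind, name, path, reasons in report["findings"]:
        print("%s [%s] %s: %s" % (kind, name, path, "; ".join(reasons)))
```

Note that the `[system tool]` entry under `C:\Program Files\radweu\` passes both heuristics: path-based rules only catch the crude cases, and an entry like that still needs a reputation lookup or a human eye.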



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 August 2009 - 12:54 PM

Hi Weedly,

Is this a business, work or corporate computer? :thumbup2:

Edited by SifuMike, 27 August 2009 - 12:58 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 27 August 2009 - 10:09 PM

None of the above, Mike. It's my PC, my baby.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 August 2009 - 10:29 PM

Hi Weedly,

Download and run RootRepeal

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder (if you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the [image] tab at the bottom.
  • Now press the [image] button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.

#5 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 28 August 2009 - 05:32 PM

Hey Mike, there is something that I probably should have mentioned earlier. My machine's condition has changed since my initial post. After several hours of researching some tasks in my Task Manager list that sounded suspicious, I manually ended some of the processes and was suddenly able to regain control of my Symantec antivirus. After a scan and purge of everything it found, I could fire up Malwarebytes once again, scanned the machine and had it fix everything it could. I then updated and ran all the other safety tools I have.

The fake scareware stuff is gone and my firewalls are up once again, but I am not convinced all traces of the attack are gone.

I do have that Malwarebytes log saved and can make a new HJT log as well. Do you want me to post them for review before running the root-tool-thing you posted?

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 August 2009 - 05:38 PM

Hi Weedly,

Good job. :thumbup2: Yes, please run RootRepeal and post a fresh HijackThis log.


Can you get to google now?

#7 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 02 September 2009 - 08:51 PM

OK Mike, here is the new HijackThis log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:50:22, on 9/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O1 - Hosts: 206.53.61.77 google.ba
O1 - Hosts: 206.53.61.77 google.bg
O1 - Hosts: 206.53.61.77 google.bs
O1 - Hosts: 206.53.61.77 google.com.gh
O1 - Hosts: 206.53.61.77 google.com.gi
O1 - Hosts: 206.53.61.77 google.com.hk
O1 - Hosts: 206.53.61.77 google.com.jm
O1 - Hosts: 206.53.61.77 google.com.ly
O1 - Hosts: 206.53.61.77 google.com.mx
O1 - Hosts: 206.53.61.77 google.com.my
O1 - Hosts: 206.53.61.77 google.com.na
O1 - Hosts: 206.53.61.77 google.com.nf
O1 - Hosts: 206.53.61.77 google.com.ng
O1 - Hosts: 206.53.61.77 google.com.np
O1 - Hosts: 206.53.61.77 google.com.om
O1 - Hosts: 206.53.61.77 google.com.pa
O1 - Hosts: 206.53.61.77 google.com.pr
O1 - Hosts: 206.53.61.77 google.com.qa
O1 - Hosts: 206.53.61.77 google.com.sg
O1 - Hosts: 206.53.61.77 google.com.tj
O1 - Hosts: 206.53.61.77 google.com.tr
O1 - Hosts: 206.53.61.77 google.com.tw
O1 - Hosts: 206.53.61.77 google.com.ua
O1 - Hosts: 206.53.61.77 google.com.vc
O1 - Hosts: 206.53.61.77 google.it.ao
O1 - Hosts: 206.53.61.77 google.dm
O1 - Hosts: 206.53.61.77 google.dz
O1 - Hosts: 206.53.61.77 google.ee
O1 - Hosts: 206.53.61.77 google.ge
O1 - Hosts: 206.53.61.77 google.gr
O1 - Hosts: 206.53.61.77 google.gy
O1 - Hosts: 206.53.61.77 google.ht
O1 - Hosts: 206.53.61.77 google.im
O1 - Hosts: 206.53.61.77 google.in
O1 - Hosts: 206.53.61.77 google.ki
O1 - Hosts: 206.53.61.77 google.la
O1 - Hosts: 206.53.61.77 google.lk
O1 - Hosts: 206.53.61.77 google.ma
O1 - Hosts: 206.53.61.77 google.md
O1 - Hosts: 206.53.61.77 google.mv
O1 - Hosts: 206.53.61.77 google.nr
O1 - Hosts: 206.53.61.77 google.nu
O1 - Hosts: 206.53.61.77 google.sc
O1 - Hosts: 206.53.61.77 google.si
O1 - Hosts: 206.53.61.77 google.sn
O1 - Hosts: 206.53.61.77 google.st
O1 - Hosts: 206.53.61.77 google.tl
O1 - Hosts: 206.53.61.77 google.us
O1 - Hosts: 206.53.61.77 google.vu
O1 - Hosts: 206.53.61.77 google.ws
O1 - Hosts: 206.53.61.77 google.co.bw
O1 - Hosts: 206.53.61.77 google.co.ck
O1 - Hosts: 206.53.61.77 google.co.id
O1 - Hosts: 206.53.61.77 google.co.ma
O1 - Hosts: 206.53.61.77 google.co.mz
O1 - Hosts: 206.53.61.77 google.co.tz
O1 - Hosts: 206.53.61.77 google.co.za
O1 - Hosts: 206.53.61.77 google.co.zm
O1 - Hosts: 206.53.61.77 google.co.zw
O1 - Hosts: 206.53.61.77 google.com.af
O1 - Hosts: 206.53.61.77 google.com.ag
O1 - Hosts: 206.53.61.77 google.com.ai
O1 - Hosts: 206.53.61.77 google.com.ar
O1 - Hosts: 206.53.61.77 google.com.bn
O1 - Hosts: 206.53.61.77 google.com.br
O1 - Hosts: 206.53.61.77 google.com.by
O1 - Hosts: 206.53.61.77 google.com.bz
O1 - Hosts: 206.53.61.77 google.com.co
O1 - Hosts: 206.53.61.77 google.com.cu
O1 - Hosts: 206.53.61.77 google.com.ec
O1 - Hosts: 206.53.61.77 google.com.et
O1 - Hosts: 206.53.61.77 google.com.fj
O1 - Hosts: 206.53.61.77 www.google.ba
O1 - Hosts: 206.53.61.77 www.google.bg
O1 - Hosts: 206.53.61.77 www.google.bs
O1 - Hosts: 206.53.61.77 www.google.com.gh
O1 - Hosts: 206.53.61.77 www.google.com.gi
O1 - Hosts: 206.53.61.77 www.google.com.hk
O1 - Hosts: 206.53.61.77 www.google.com.jm
O1 - Hosts: 206.53.61.77 www.google.com.ly
O1 - Hosts: 206.53.61.77 www.google.com.mx
O1 - Hosts: 206.53.61.77 www.google.com.my
O1 - Hosts: 206.53.61.77 www.google.com.na
O1 - Hosts: 206.53.61.77 www.google.com.nf
O1 - Hosts: 206.53.61.77 www.google.com.ng
O1 - Hosts: 206.53.61.77 www.google.com.np
O1 - Hosts: 206.53.61.77 www.google.com.om
O1 - Hosts: 206.53.61.77 www.google.com.pa
O1 - Hosts: 206.53.61.77 www.google.com.pr
O1 - Hosts: 206.53.61.77 www.google.com.qa
O1 - Hosts: 206.53.61.77 www.google.com.sg
O1 - Hosts: 206.53.61.77 www.google.com.tj
O1 - Hosts: 206.53.61.77 www.google.com.tr
O1 - Hosts: 206.53.61.77 www.google.com.tw
O1 - Hosts: 206.53.61.77 www.google.com.ua
O1 - Hosts: 206.53.61.77 www.google.com.vc
O1 - Hosts: 206.53.61.77 www.google.it.ao
O1 - Hosts: 206.53.61.77 www.google.dm
O1 - Hosts: 206.53.61.77 www.google.dz
O1 - Hosts: 206.53.61.77 www.google.ee
O1 - Hosts: 206.53.61.77 www.google.ge
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12033 bytes

#8 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 02 September 2009 - 08:53 PM

And here is the RootRepeal log.




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 21:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB3C90000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA616000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1C07000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_e60.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: D:\x
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8ab927f0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8aaf9b48

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ab80f20

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8ab915d0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8ac6b7d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8ab910b0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ab6d008

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a9cc200

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8aacef88

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ac767c0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8ac76788

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8aa5f760

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8ac79630

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xb9d466b0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8ab7f820

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8aa59200

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a969a48

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8aa15228

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8aaa89d8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a9fc180

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8aa35d80

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8ab7b278

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ab5d128

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ab79d88

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwsiveodost.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x88308e78

==EOF==
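
The RootRepeal report above is what SifuMike reads as a rootkit: most hooked SSDT entries are attributed to "<unknown>", meaning RootRepeal found the hook address outside every module it could enumerate, while the one hook it could attribute points at a named driver file (wpsdrvnt.sys), and the Hidden Services section lists a service (UACd.sys) whose image file carries a different, pseudo-random name. The Python script below is an added example, not code from this thread or from RootRepeal: it parses a report in this format, separates attributed from unattributed hooks, and flags hidden services whose service name does not match the driver file name. The report excerpt it runs on is constructed from the posted log, and the "verdict" rule is this example's own heuristic.

```python
"""Triage a RootRepeal report: separate SSDT hooks RootRepeal could attribute to a
visible driver from hooks it could not, and list hidden services.
Added example for this thread, not part of RootRepeal or of the original post."""
import re
from dataclasses import dataclass

# Constructed excerpt in RootRepeal's report format, trimmed from the log posted above.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ab80f20

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\wpsdrvnt.sys" at address 0xb9d466b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8ab79d88

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACwsiveodost.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x88308e78

==EOF==
"""

HOOK_RE = re.compile(r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s*\n'
                     r'Status:\s*Hooked by "(?P<hooker>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')
SERVICE_RE = re.compile(r'^Service Name:\s*(?P<name>.+?)\s*\nImage Path:\s*(?P<path>.+?)\s*$')

@dataclass
class Hook:
    table: str      # "SSDT" or "Shadow SSDT"
    index: int
    function: str
    hooker: str     # module RootRepeal attributed the hook to, or "<unknown>"
    address: int

    @property
    def unattributed(self) -> bool:
        # "<unknown>": the hook target lies outside every module RootRepeal could see,
        # which is how a driver that hides itself from the loaded-module list shows up.
        return self.hooker == "<unknown>"

@dataclass
class HiddenService:
    name: str
    image_path: str

    @property
    def name_mismatch(self) -> bool:
        # e.g. a service registered as UACd.sys but backed by UACwsiveodost.sys
        return self.image_path.rsplit("\\", 1)[-1].lower() != self.name.lower()

def split_sections(text: str) -> dict:
    """Map each section title (the line above a dashed rule) to its blank-line-separated entries."""
    sections, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if line.strip() and i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1]):
            current, i = line.strip(), i + 2
            sections[current] = []
        elif current is not None and line.strip() and not line.startswith("=="):
            block = []
            while i < len(lines) and lines[i].strip():
                block.append(lines[i])
                i += 1
            sections[current].append("\n".join(block))
        else:
            i += 1
    return sections

def triage(text: str) -> dict:
    sections = split_sections(text)
    hooks = [Hook(table, int(m["index"]), m["func"], m["hooker"], int(m["addr"], 16))
             for table in ("SSDT", "Shadow SSDT")
             for m in map(HOOK_RE.match, sections.get(table, [])) if m]
    services = [HiddenService(m["name"], m["path"])
                for m in map(SERVICE_RE.match, sections.get("Hidden Services", [])) if m]
    unattributed = [h for h in hooks if h.unattributed]
    return {
        "unattributed_hooks": unattributed,
        "attributed_hooks": [h for h in hooks if not h.unattributed],
        "hidden_services": services,
        # This example's own heuristic: unowned hooks or any hidden service = rootkit indicators.
        "verdict": "rootkit indicators present" if unattributed or services else "no rootkit indicators",
    }

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for h in result["unattributed_hooks"]:
        print(f"{h.table} #{h.index:03d} {h.function} hooked at {h.address:#010x} by <unknown>")
    for s in result["hidden_services"]:
        print(f"hidden service {s.name} -> {s.image_path} (name mismatch: {s.name_mismatch})")
    print(result["verdict"])
```

Run as a script it prints the three unattributed hooks, the UACd.sys service with its mismatched driver name, and the verdict. Sections are recognised by the dashed rule under their title rather than by a fixed order, so the same functions work on a full report pasted from RootRepeal.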

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 September 2009 - 09:26 PM

Hi Weedly,

Please refrain from making any changes to your system (updating, installing, removing, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


I see a rootkit on this computer, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your SYMANTEC ENDPOINT PROTECTION and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

To disable SYMANTEC ENDPOINT PROTECTION
Right click on the icon in the taskbar notification area & select "Disable Symantec EndPoint Protection".

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 02 September 2009 - 09:33 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 07 September 2009 - 02:23 PM

Do I have to remain wired to the web while running ComboFix, since I am disabling security?

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 September 2009 - 02:31 PM

No.

#12 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 07 September 2009 - 03:57 PM

Here it is.

ComboFix 09-09-06.06 - Owner 09/07/2009 16:25.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3324.2772 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\run.log
c:\windows\system32\kbiwkmokmxdiep.dat
c:\windows\system32\kbiwkmrcmbldxa.dat
c:\windows\system32\uacsr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmivhwvopq
-------\Legacy_UACd.sys
-------\Service_kbiwkmivhwvopq
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-08-21 02:16 . 2009-08-21 21:17 -------- d-----w- c:\program files\acufrv
2009-08-20 21:03 . 2009-08-20 21:20 -------- d-----w- c:\documents and settings\Owner\VASSAL
2009-08-20 21:03 . 2009-08-20 21:03 -------- d-----w- c:\program files\VASSAL
2009-08-20 21:02 . 2009-08-20 21:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 05:42 . 2009-08-18 05:42 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-18 05:42 . 2009-08-18 05:42 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-18 05:42 . 2009-08-18 05:42 -------- d-----w- c:\program files\OpenAL
2009-08-14 02:31 . 2009-08-14 02:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2009-08-12 07:01 . 2009-08-12 07:01 -------- d-----w- c:\windows\ServicePackFiles
2009-08-12 00:48 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 00:48 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 01:37 . 2008-12-26 01:47 -------- d-----w- c:\program files\Steam
2009-09-06 06:17 . 2009-01-26 06:34 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-22 03:27 . 2009-06-18 03:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 23:26 . 2008-12-26 00:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 22:57 . 2009-08-20 22:57 784730 ----a-w- c:\windows\system32\xa.tmp
2009-08-20 21:02 . 2005-04-13 17:41 -------- d-----w- c:\program files\Java
2009-08-18 06:38 . 2008-12-26 19:52 73696 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 05:45 . 2008-12-26 00:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-18 05:43 . 2009-08-06 18:52 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-07 23:51 . 2009-08-07 23:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 23:51 . 2009-08-07 23:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-06 18:52 . 2009-08-06 18:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Wargaming.Net
2009-08-05 09:11 . 2005-04-13 16:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:12 . 2009-08-05 04:11 -------- d-----w- c:\program files\iTunes
2009-08-05 04:12 . 2009-08-05 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 04:11 . 2009-01-07 21:36 -------- d-----w- c:\program files\iPod
2009-08-05 04:11 . 2009-01-07 21:58 -------- d-----w- c:\program files\Common Files\Apple
2009-08-05 04:10 . 2009-08-05 04:10 -------- d-----w- c:\program files\Bonjour
2009-08-05 04:10 . 2009-08-05 04:09 -------- d-----w- c:\program files\QuickTime
2009-08-03 17:36 . 2009-06-18 03:28 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-18 03:28 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 22:27 . 2008-12-27 19:07 -------- d-----w- c:\program files\Guild Wars
2009-07-25 21:59 . 2009-01-08 17:55 -------- d-----w- c:\program files\YouTube Downloader
2009-07-25 16:46 . 2008-12-25 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-20 13:34 . 2009-07-20 13:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-17 18:55 . 2005-04-13 16:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-04-13 16:57 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2005-04-13 16:56 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2005-04-13 16:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-26 03:44 . 2008-12-27 05:34 83654 ----a-w- c:\windows\War3Unin.dat
2009-06-25 18:36 . 2005-04-13 16:55 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2005-04-13 16:55 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2005-04-13 16:55 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2005-04-13 16:55 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2005-04-13 16:55 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2005-04-13 16:55 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2005-04-13 16:55 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2005-04-13 16:55 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2005-04-13 16:55 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2005-04-13 16:55 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2005-04-13 16:55 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2005-04-13 16:55 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2005-04-13 16:55 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2005-04-13 16:55 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2005-04-13 16:55 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2005-04-13 16:55 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2005-04-13 16:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-04-13 16:55 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2005-04-13 16:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2005-04-13 16:56 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2005-04-13 16:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2005-04-13 16:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-12-25 04:27 . 2008-12-25 21:18 53682216 ----a-w- c:\program files\avg_free_stf_en_8_176a1399.exe
2008-12-25 04:11 . 2008-12-30 20:49 5300208 ----a-w- c:\program files\bitcomet_setup.exe
2008-12-25 04:10 . 2008-12-25 21:18 15083520 ----a-w- c:\program files\spybotsd160.exe
2008-12-25 04:04 . 2008-12-27 21:31 1234120 ----a-w- c:\program files\wrar380.exe
2008-12-25 04:04 . 2008-12-25 21:18 23804784 ----a-w- c:\program files\aaw2008.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-20 148888]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-05-11 7086080]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2008-12-24 1742384]
Kodak EasyShare software.lnk - c:\program files\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Steam\\steamapps\\otakuwarrior\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Microsoft Games for Windows - LIVE\\Client\\GFWLive.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64333:TCP"= 64333:TCP:utorrent
"64333:UDP"= 64333:UDP:utorrent ud

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:44 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4fprb1kr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blizzard.com/us/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\4fprb1kr.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 16:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1964)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-07 16:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 20:43
ComboFix2.txt 2009-07-24 00:55

Pre-Run: 81,241,157,632 bytes free
Post-Run: 81,192,005,632 bytes free

230 --- E O F --- 2009-09-02 07:00

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 September 2009 - 05:23 PM

Hi Weedly,

You need to disable your SYMANTEC ENDPOINT PROTECTION and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

To disable SYMANTEC ENDPOINT PROTECTION
Right click on the icon in the taskbar notification area & select "Disable Symantec EndPoint Protection".

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some things from being fixed.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.


Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\xa.tmp


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#14 Weedly

Weedly
  • Topic Starter

  • Members
  • 83 posts

Posted 13 September 2009 - 07:33 PM

OK, this seems simple enough. I'm afraid I can't do this fix yet, as I'm on a business trip right now. I will take care of it and post the requested logs as soon as I get back (should be on Friday).

Edited by Weedly, 13 September 2009 - 07:34 PM.


#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 September 2009 - 08:37 PM

Hi Weedly,

OK, I will leave this open until then.

Be sure not to let anyone use the computer while you are away, as we are not finished removing malware.



