Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Partially removed infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 VGStudios

VGStudios

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 23 October 2009 - 10:19 PM

Ok. I had the Win32k1/2 Rootkit, and did a system repair. I was told that probably got rid of its bootup or whatever. anyway I still have some lingering infections, possibly a baby rootkit :( lol.





DDS (Ver_09-10-23.01) - NTFSx86
Run by Austin at 22:50:18.87 on Fri 10/23/2009
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.seeqpod.com/search/
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66006
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://pages.ebay.com/ebay_toolbar/app/congrats.html
uInternet Settings,ProxyOverride = localhost;*.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=66006
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=66006
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uWinlogon: Shell=c:\documents and settings\austin\application data\start button rename\explorers\1\explorer.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: DavisCreation Toolbar: {89172179-d07f-455e-bbeb-c41d42aec078} - c:\program files\ietoolbar\daviscreation toolbar\daviscreation.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
TB: VGStudios Toolbar: {47ba9642-83d2-4bd9-9f71-acdf10dd9aec} - c:\program files\vgstudios\tbVGS1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {1646B884-BC5C-4C89-BD62-55B918FDBA45} - c:\progra~1\crawler\funball\CFunball.exe
IE: {B1CF6225-211E-4B4C-B466-5F224E348FF3} - c:\progra~1\crawler\weather\CWeather.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {89172179-D07F-455E-BBEB-C41D42AEC078} - {89172179-D07F-455E-BBEB-C41D42AEC078} - c:\program files\ietoolbar\daviscreation toolbar\daviscreation.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\msdn2
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://foodlion.coupons.smartsource.com/download/cscmv5X.cab
DPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxps://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129328254096
DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hxxp://host-d.oddcast.com/hostClientIE.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211738153_73a6a2b973b6020cc5b083ad6dfa5c8c&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/SCJohnson/Coupons.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://fate.netgame.com/launch/object/mglaunch_USAv1004.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab40972.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {C7E002D6-324B-4500-883D-84B620FD8640} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles_64916/heartbeat.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} - hxxp://www.zoomify.com/download/zoomify305.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://sympatico.zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\WBSrv.dll
AppInit_DLLs: wbsys.dll c:\windows\system32\tazifahe.dll c:\windows\system32\yirunonu.dll c:\windows\system32\gonikofa.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyAsTk
LSA: Notification Packages = scecli c:\windows\system32\tazifahe.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-23 03:14:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-23 03:14:31 0 d-----w- c:\program files\Avira
2009-10-23 03:14:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2009-10-14 00:33:12 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2009-10-14 00:33:02 749 ---ha-r- c:\windows\WindowsShell.Manifest
2009-10-14 00:33:02 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2009-10-14 00:33:02 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2009-10-14 00:33:02 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2009-10-14 00:04:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-10-14 00:04:17 13312 ----a-w- c:\windows\system32\irclass.dll
2009-10-14 00:04:05 10559 ----a-r- c:\windows\SET163.tmp
2009-10-14 00:04:04 22339 ----a-r- c:\windows\SET162.tmp
2009-10-14 00:04:01 13753 ----a-r- c:\windows\SET12F.tmp
2009-10-14 00:03:58 1086058 ----a-r- c:\windows\SET123.tmp
2009-10-14 00:03:55 1042903 ----a-r- c:\windows\SET120.tmp
2009-10-13 17:37:44 0 d-----w- c:\windows\java
2009-10-13 17:37:44 0 d-----w- c:\windows\dell
2009-10-13 17:37:43 469319680 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-10-22 17:18:00 502272 ----a-w- c:\windows\system32\winlogon.exe
2009-09-14 00:18:00 102800 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-03 19:10:39 473720 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-28 13:54:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:54:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-26 20:44:56 48448 ----a-w- c:\windows\system32\sirenacm.dll
2007-06-08 01:02:49 2373 ----a-w- c:\program files\ALLTEL Internet Accelerator Client setup.log
2007-01-18 17:17:20 8192 --sha-w- c:\program files\Thumbs.db
2006-08-11 21:15:36 51181 ----a-w- c:\program files\Uninst.isu
1999-08-13 09:39:36 15477 -c--a-w- c:\program files\readme.txt
1999-08-13 09:34:18 31403 -c--a-w- c:\program files\useman.txt
1999-07-26 17:09:34 766 ----a-w- c:\program files\ctw32u.ico
1999-07-26 17:09:34 766 ----a-w- c:\program files\ctw32.ico
2004-10-13 16:24:37 1694208 --sha-w- c:\windows\flyakiteosx\backup\msmsgs.exe
2004-10-13 16:24:37 1694208 --sha-w- c:\windows\flyakiteosx\tempfiles\msmsgs.exe
2009-05-03 16:13:06 1447477 --sha-w- c:\windows\system32\ipizumaz.ini2
2009-01-23 19:35:34 408760 --sha-w- c:\windows\system32\kTsAyyay.ini2
2009-06-12 14:12:09 0 --sha-w- c:\windows\system32\pekebera.dll
2009-06-12 14:12:09 0 --sha-w- c:\windows\system32\tehubufe.dll
2009-06-12 14:12:09 0 --sha-w- c:\windows\system32\wigafipe.dll

============= FINISH: 22:57:36.62 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 25 October 2009 - 04:33 PM

Hello VGStudios :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.




Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 30 October 2009 - 06:25 PM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact my by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users