
fast rootkit swearware/catchme


  • This topic is locked
5 replies to this topic

#1 falconaaa

falconaaa

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 31 December 2009 - 06:03 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Epic 3060 at 20:13:58.48 on Wed 12/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.35 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Epic 3060\Local Settings\Temporary Internet Files\Content.IE5\5T31KGCU\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-9-16 17968]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]

=============== Created Last 30 ================

2009-12-31 04:10:15 0 d-----w- c:\program files\TrendMicro
2009-12-31 03:51:39 261632 ----a-w- c:\windows\PEV.exe
2009-12-31 03:51:06 0 ----a-w- c:\windows\system.ini
2009-12-31 03:31:24 0 d-----w- c:\windows\system32\VIRepair
2009-12-31 03:14:59 0 d-----w- c:\windows\pss
2009-12-31 02:04:49 0 d-----w- c:\docume~1\alluse~1\applic~1\LightScribe
2009-12-31 01:28:48 0 d-sha-r- C:\cmdcons
2009-12-31 01:23:16 98816 ----a-w- c:\windows\sed.exe
2009-12-31 01:23:16 77312 ----a-w- c:\windows\MBR.exe
2009-12-31 01:23:16 161792 ----a-w- c:\windows\SWREG.exe
2009-12-31 00:20:09 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-12-31 00:20:09 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2009-12-31 00:19:14 0 d-----w- c:\windows\Modio
2009-12-31 00:04:22 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-31 00:04:18 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-12-30 16:34:43 74752 ----a-w- c:\windows\system32\storprop.dll
2009-12-30 16:34:42 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-30 16:34:39 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2009-12-30 16:34:38 2065792 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-30 16:34:36 2188928 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-30 16:34:32 24960 ----a-w- c:\windows\system32\drivers\pciidex.sys
2009-12-30 16:34:31 5376 ----a-w- c:\windows\system32\drivers\viaide.sys

============= FINISH: 20:14:19.31 ===============

-------------------Here is my combofix log SEEMS STRANGE, YES?


ComboFix 09-12-30.01 - Epic 3060 12/30/2009 19:52:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.122 [GMT -8:00]
Running from: c:\documents and settings\Epic 3060\Desktop\dfgfg.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 03:42 . 2009-12-31 03:42 -------- d-----w- c:\windows\LastGood
2009-12-31 03:31 . 2009-12-31 03:31 -------- d-----w- c:\windows\system32\VIRepair
2009-12-31 02:04 . 2009-12-31 02:04 -------- d-----w- c:\documents and settings\Epic 3060\Application Data\Ahead
2009-12-31 02:04 . 2009-12-31 02:04 -------- d-----w- c:\documents and settings\Epic 3060\Local Settings\Application Data\Ahead
2009-12-31 02:04 . 2009-12-31 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-12-31 01:09 . 2009-12-31 01:09 -------- d-----w- c:\documents and settings\Epic 3060\Local Settings\Application Data\Identities
2009-12-31 00:20 . 2001-08-17 21:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-12-31 00:20 . 2001-08-17 21:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2009-12-31 00:19 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-12-31 00:19 . 2009-12-31 00:19 -------- d-----w- c:\windows\Modio
2009-12-31 00:04 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-31 00:04 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 02:10 . 2008-09-16 15:20 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-31 02:04 . 2009-06-12 07:03 19256 ----a-w- c:\documents and settings\Epic 3060\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 16:34 . 2008-09-16 07:56 74752 ----a-w- c:\windows\system32\storprop.dll
2009-12-30 16:34 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-30 16:34 . 2008-04-14 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2009-12-30 16:34 . 2008-04-14 00:01 2065792 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-30 16:34 . 2008-04-14 12:00 2188928 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-30 16:34 . 2008-04-14 12:00 24960 ----a-w- c:\windows\system32\drivers\pciidex.sys
2009-12-30 16:34 . 2008-09-16 19:26 5376 ----a-w- c:\windows\system32\drivers\viaide.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-12-31_01.34.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-31 03:41 . 2009-12-31 03:41 16384 c:\windows\temp\Perflib_Perfdata_6e8.dat
+ 2008-09-16 15:17 . 2008-04-14 12:00 56832 c:\windows\system32\sol.exe
- 2009-06-12 17:57 . 2004-11-28 02:00 94208 c:\windows\system32\pskill.exe
+ 2009-06-12 17:57 . 2004-11-28 03:00 94208 c:\windows\system32\pskill.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 69120 c:\windows\system32\notepad.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 90624 c:\windows\system32\mydocs.dll
+ 2008-09-16 15:17 . 2008-04-14 12:00 55296 c:\windows\system32\freecell.exe
+ 2008-09-16 15:17 . 2008-04-14 12:00 80384 c:\windows\system32\charmap.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 29184 c:\windows\system32\batmeter.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-12-31 02:49 . 2009-12-31 02:49 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe
+ 2009-12-31 02:47 . 2009-12-31 02:47 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll
+ 2008-09-16 15:20 . 2009-12-31 02:10 2442 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-04-14 12:00 . 2008-04-14 12:00 338432 c:\windows\system32\zipfldr.dll
+ 2008-04-14 12:00 . 2008-05-08 11:24 155648 c:\windows\system32\wscript.exe
+ 2008-09-16 15:17 . 2008-04-14 12:00 119808 c:\windows\system32\WINmine.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 589312 c:\windows\system32\wiashext.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 433664 c:\windows\system32\wiaacmgr.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 218624 c:\windows\system32\uxtheme.dll
- 2008-04-14 12:00 . 2008-04-26 02:41 218624 c:\windows\system32\uxtheme.dll
+ 2004-01-07 19:21 . 2004-01-07 19:21 237936 c:\windows\system32\unicows.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 135680 c:\windows\system32\taskmgr.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 121856 c:\windows\system32\stobject.dll
+ 2008-09-16 15:17 . 2008-04-14 12:00 538624 c:\windows\system32\spider.exe
+ 2008-09-16 15:17 . 2008-04-14 12:00 138752 c:\windows\system32\sndvol32.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 438272 c:\windows\system32\shimgvw.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 985088 c:\windows\system32\setupapi.dll
+ 2008-09-16 15:18 . 2008-04-14 12:00 380416 c:\windows\system32\Restore\rstrui.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 658432 c:\windows\system32\rasdlg.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 176128 c:\windows\system32\photowiz.dll
+ 2008-09-16 15:17 . 2008-04-14 12:00 677888 c:\windows\system32\mstsc.exe
+ 2008-09-16 15:18 . 2008-04-14 12:00 274944 c:\windows\system32\mstask.dll
+ 2008-09-16 15:17 . 2008-04-14 12:00 343040 c:\windows\system32\mspaint.exe
+ 2008-09-16 15:17 . 2008-04-14 12:00 126976 c:\windows\system32\mshearts.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 997376 c:\windows\system32\msgina.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 216064 c:\windows\system32\moricons.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 382976 c:\windows\system32\fontext.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 344064 c:\windows\system32\cmdial32.dll
+ 2008-09-16 15:17 . 2008-04-14 12:00 114688 c:\windows\system32\calc.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 146432 c:\windows\regedit.exe
+ 2009-12-31 02:47 . 2009-12-31 02:47 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe
+ 2009-12-31 02:52 . 2009-12-31 02:52 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\1c8df2da33222c048d683017f2095f04\System.Security.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll
+ 2009-12-31 02:46 . 2009-12-31 02:46 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll
+ 2009-12-31 02:46 . 2009-12-31 02:46 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c434a07332ce490711c27fd0edb7562f\System.DirectoryServices.Protocols.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll
+ 2009-12-31 02:49 . 2009-12-31 02:49 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\b82c00e2d24305ad6cb08556e3779b75\System.Configuration.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll
+ 2009-12-31 02:47 . 2009-12-31 02:47 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe
+ 2009-12-31 02:47 . 2009-12-31 02:47 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll
+ 2009-12-31 02:47 . 2009-12-31 02:47 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe
+ 2009-12-31 02:48 . 2009-12-31 02:48 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe
+ 2009-12-31 02:47 . 2009-12-31 02:47 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll
+ 2009-12-31 02:47 . 2009-12-31 02:47 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe
+ 2009-12-31 02:48 . 2009-12-31 02:48 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\b5b2feadc3943e3976daebc0bcd2b5e2\AspNetMMCExt.ni.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 2897920 c:\windows\system32\xpsp2res.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 1647616 c:\windows\system32\WINbrand.dll
+ 2008-04-14 12:00 . 2008-06-17 19:02 8461312 c:\windows\system32\shell32.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 1703936 c:\windows\system32\netshell.dll
+ 2008-04-14 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll
- 2008-04-14 12:00 . 2009-05-13 05:15 5936128 c:\windows\system32\mshtml.dll
+ 2008-04-14 12:00 . 2008-04-14 12:00 1033728 c:\windows\explorer.exe
+ 2009-12-31 02:52 . 2009-12-31 02:52 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b57bb002a655920cbfa2bee29d1e22b7\System.Web.Services.ni.dll
+ 2009-12-31 02:52 . 2009-12-31 02:52 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll
+ 2009-12-31 02:46 . 2009-12-31 02:46 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\034c91b133dee73d452652c52767b5ea\System.Runtime.Serialization.ni.dll
+ 2009-12-31 02:36 . 2009-12-31 02:36 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c2de8479e54852f56996f79bc93acb13\System.IdentityModel.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\a6b58624486714fa71e5e35186850ff0\System.Deployment.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\826b09ab0d0e36f4d631b4cd335df511\System.Data.SqlXml.ni.dll
+ 2009-12-31 02:50 . 2009-12-31 02:50 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
+ 2009-12-31 02:47 . 2009-12-31 02:47 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\6b2f62f5e981913fce1d223f645d9ddf\Microsoft.Transactions.Bridge.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-12-31 02:48 . 2009-12-31 02:48 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\6cfe582681724965fb817e8ece5f0909\Microsoft.Build.Engine.ni.dll
+ 2009-12-31 02:51 . 2009-12-31 02:51 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
+ 2009-12-31 02:47 . 2009-12-31 02:47 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\4146033013edebd7e0cb604e504ebfee\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2006-05-04 14:26 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 05:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-07-21 14:14 86016 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-12 07:11 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
"RichVideo"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NMIndexingService"=3 (0x3)
"hkmsvc"=3 (0x3)
"helpsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/16/2008 9:02 AM 17968]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [11/29/2001 5:10 PM 1432836]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 19:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-30 20:01:44
ComboFix-quarantined-files.txt 2009-12-31 04:01
ComboFix2.txt 2009-12-31 01:36

Pre-Run: 52,912,672,768 bytes free
Post-Run: 52,887,371,776 bytes free

- - End Of File - - 7001A03BE31BCBD884835E353AC9CE66

-------MY ORIGINAL POST:

$50 offered to ANYONE who can diagnose, and fix this problem. Seriously. I will paypal upon success. I really don't think anyone can, but...for those of you feeling brave...

Read on.



Without writing a novel: I have spent the past 1.5 months attempting to fix a malware issue. I noticed my machine running rundll persistently, and more svchosts than required for some time, but after successfully removing rundll (this was the malware with the two .cp files in the program files directory), it came back, and I let it go. It returned, shortly thereafter, and so I simply installed AVG, and left it at that.

This was probably not wise, although it is only a guess...shortly thereafter, I started getting the persistent "upgrade to internet explorer 8" popups that I simply couldn't find the source file for. As I began digging around this, I found that certain folders were becoming inaccessible, and groups such as administrators (with the s), trusted installer, anonymous logins, etc were assuming control over most system files. When I would remove them, they would come back, and I would be locked out of even more files, and various odd system characteristics started manifesting. There were so many odd occurrences, I really can't remember all, but Microsoft Paint, for example, would have a very small, vertical strip in the upper left, I think it was designed to blend in to most images. Also, I found a key logger, and stumbled upon a cache of my videos (some adult, but all completely legal if you are wondering) compressed and stored pretty deep down in the directory structure. Finally, it got so that I couldn't access almost any of my folders, and I was stuck in a cycle of killing processes, retaking ownership of directories, removing groups, etc. Not to freak anyone out, but at one point, the text of a file that I was reading in notepad (may have been wordpad) began moving horizontally, in a chaotic fashion...This was when I really started becoming unnerved, enough so that I simply decided to forget about it, reformat, reload, and move on...OH...Also, A TON of programs were being prefetched including notepad, wordpad, and like 20 others.

Then it got really strange. I found that my machine wouldn't load any windows installation disks. Rather, it would report that there was no disk in the drive. Then, I tried other loading mechanisms (ie external drives, network locations). Not happening. When I was able to load an operating system finally, it was a cracked version, and while I was able to replace the os, I found that the same exact behaviors persisted after the reinstall.

At this point, I had no choice but to do what it took to wrestle this issue out of my machine, and so I got process explorer, and started attempting to diagnose the cause in the absence of easy fixes. Since that time, I have burned through 5 hard drives (4 of which are still inaccessible), and have logged a huge array of symptoms and suspicious files. I do know that after using combofix with great results initially, the file now arrives at my machine larger than when it was sent. Also, the System, Services, and other windows processes come back as "unable to verify" in process explorer, and the threads they create and execute are very bad, to my untrained eye. The computer barely functions, and even having purchased a brand new copy of windows 7, the cavalcade of bad behavior persists. I suspect heavily that the W7 systems disk was corrupted at this point, although I am not sure, and don't know exactly how to find out.

During all of this, btw, the machine came back as absolutely clean according to AVG, AVAST, Windows Defender, and a few other anti malware/spyware/virus programs. It still does. I am currently able to use the internet, and am hoping to be able to keep this machine alive and working and be able to use it to get data from previous hard drives, and hopefully rehabilitate them.

Hijack this spewed out a ton of bad items when I installed it last week. Today, however, it reports a mere two items that are pretty innocuous. This brings me to my major question: Is there malware out there capable of emulating software packages such as Real Player, Hijack This!, AVG, etc?? I thought not, but I have to wonder based on the system behavior I am noticing. Please tell me what you would like to see in terms of reports, files, etc, and I will hopefully be able to accommodate...

What I am hoping to get from this group: I would love to get a simple, "combofix", type of solution that squashes it once and for all. Or even a tried and true manual method would be great.

At the minimum, I would be very happy to know how to get my cd drives working in a brute force method if necessary, and reformat the hard drive without any space being reserved by the system. That would solve all of my problems, but I would like to see if this intrusion is widespread, and if not, how I can trace its origins.

**I procured yet another clean machine and had been infected and taken over again within 1 hour of upgrading to windows 7.


If I could just get my C to work, I could reinstall, but as of now, I can't do anything.

Anyone??


While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Edited by garmanma, 31 December 2009 - 07:18 PM.


#2 falconaaa

falconaaa
  • Topic Starter

  • Members
  • 18 posts

Posted 01 January 2010 - 09:37 PM

That's great, but I still do not understand what the motivation of your volunteers might be. I do not know of anyone, anywhere, who offers to fix computers for free. Is there a university involved?

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 10 January 2010 - 07:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

We do this in our free time to help people. We do not get any money for it and we don't get sponsored by a university. We recently were asked the same questions by someone else if you want to read up, you can find the thread here: Link

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 15 January 2010 - 05:21 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 24 January 2010 - 09:14 PM

Hi,

Topic reopened, please post your logs.

regards myrti



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 05 February 2010 - 04:00 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
