
My computer has been hijacked (logs included)


This topic is locked. 47 replies to this topic.

#1 lillybneedshelp


Posted 02 January 2010 - 03:20 PM

Hello... please help me.
My computer began acting very peculiar a few days ago (Dec 30, I think). It all started when I started up my computer (it had shut down on its own overnight while I was downloading). I realized something was up when I noticed I had two shields resembling Windows Security. One of them kept popping up stating I had viruses and I should scan with Malware Defender. I had also noticed it disabled my Norton Antivirus. I seemed to have gotten all the Malware Defender windows closed and ran anti-virus programs to remove it... it seems to have been removed, but then my computer still kept doing strange things, e.g. browser windows shutting down or refreshing on their own, computer freezing up and/or shutting down. I searched to see what the problem was and that is when I noticed my browser history! Although I hadn't been on my computer almost at all, there were many, many sites and searches that showed up in my history for the two days. When I googled the website names they seemed to be located in China, California and Quebec. (I did a whois search on a few of the names... too many to search.) Some ended in .cn. Although I am a beginner when it comes to this stuff I researched and did what I was told to do. I checked my ports to see who was listening (netstat and CurrPorts) and there was a lot of unusual activity. I also ran programs while in safe mode to remove malware/viruses and repair my registry. There was quite a bit found but nothing seemed to get rid of or fix the problem. (Ran Norton Antivirus scan, Malwarebytes scan, Trend Micro free scan, etc... and about 3-4 registry repair programs.) Every time I tried downloading programs like HijackThis or trying to seek help online my browser window would close or the download would freeze or not work. I've managed to use my laptop to get this info out but even the log files were difficult to transfer. My CD/DVD drive seems to be disabled (not sure if from hacker or registry change).
So, I have log files saved from DDS scan (2), HijackThis scan, RootRepeal scan and Windows Registry Repair Pro scan. Not sure which ones I should post or attach first or if I should do all. As recommended I will add the DDS scan files and the RootRepeal. I have also included the HijackThis log and added a third attachment of the log for the Registry Repair Pro scan. Somebody please help me.

***********


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Lilly at 13:23:03.48 on Sat 01/02/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.161 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Lilly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /S
uRun: [Windows Registry Repair Pro] c:\program files\3b software\windows registry repair pro\RegistryRepairPro.exe 4
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\helpfile\helpfile.exe" /runcleanupscript
mRun: [Windows Clean-Up Pro] c:\progra~1\3bsoft~1\window~2\WINDOWS CLEAN-UP PRO.Exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124472466090
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-12-31 583640]
S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091230.005\naveng.sys [2009-12-30 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091230.005\navex15.sys [2009-12-30 1323568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys --> c:\windows\system32\drivers\vaxscsi.sys [?]

=============== Created Last 30 ================

2010-01-02 08:05:44 0 dc----w- c:\program files\Trend Micro
2010-01-02 07:44:43 67376 -c--a-w- c:\windows\system32\Sysinfo.ocx
2010-01-02 07:44:43 419619 -c--a-w- c:\windows\system32\Skin.skn
2010-01-02 07:44:43 417792 -c--a-w- c:\windows\system32\Skin1.skn
2010-01-02 07:44:43 3391 -c--a-w- c:\windows\system32\LOGO.GIF
2010-01-02 07:44:43 2591 -c--a-w- c:\windows\system32\Support.htm
2010-01-02 07:44:43 155648 -c--a-w- c:\windows\system32\Plug-in Maker.exe
2010-01-02 03:30:11 7716 -c--a-w- c:\windows\system32\Urlhist.tlb
2010-01-02 03:30:11 49152 -c--a-w- c:\windows\system32\ciaRegSvr.dll
2010-01-02 03:30:11 40960 -c--a-w- c:\windows\system32\ciaSubClsSvr.dll
2010-01-02 03:30:11 262144 -c--a-w- c:\windows\system32\ciaXPSideBarMenu.ocx
2010-01-02 03:30:11 180224 -c--a-w- c:\windows\system32\ciaResSvr.dll
2010-01-02 03:26:01 0 dc----w- c:\program files\3B Software
2010-01-01 15:17:17 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-01 04:04:34 876 -c--a-w- c:\windows\system32\krl32mainweq.dll
2009-12-31 19:06:15 880640 -c--a-w- c:\windows\system32\UniBox10.ocx
2009-12-31 19:06:15 212992 -c--a-w- c:\windows\system32\UniBoxVB12.ocx
2009-12-31 19:06:15 1101824 -c--a-w- c:\windows\system32\UniBox210.ocx
2009-12-31 19:03:21 0 dc----w- c:\docume~1\lilly\applic~1\Uniblue
2009-12-31 19:03:15 0 dc----w- c:\program files\Uniblue
2009-12-31 19:00:34 0 dc----w- c:\program files\common files\PC Tools
2009-12-31 18:39:05 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 18:39:01 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 18:39:01 0 dc----w- c:\program files\helpfile
2009-12-30 18:19:08 0 dc----w- c:\docume~1\lilly\applic~1\Malwarebytes
2009-12-30 18:14:58 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-30 14:53:53 207 -c--a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-12-12 16:44:43 1632 -c--a-w- c:\windows\system32\d3d8caps.dat
2009-10-29 07:46:59 832512 -c--a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00:55 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 -c--a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 -c--a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 -c--a-w- c:\windows\system32\rastls.dll
2009-10-05 01:17:22 1744 -c--a-w- c:\windows\system32\d3d9caps.dat

============= FINISH: 13:24:35.21 ===============


Also have HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:57 PM, on 1/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Lilly\Desktop\HJTInstall.exe
C:\Documents and Settings\Lilly\Desktop\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\helpfile\helpfile.exe" /runcleanupscript
O4 - HKLM\..\Run: [Windows Clean-Up Pro] C:\PROGRA~1\3BSOFT~1\WINDOW~2\WINDOWS CLEAN-UP PRO.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124472466090
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8358 bytes

Edited by lillybneedshelp, 03 January 2010 - 09:30 AM.



#2 Farbar


Posted 03 January 2010 - 10:49 AM

Hi lillybneedshelp,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Note 1:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with each other, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Note 2:
I see from the log you are using a registry cleaner. It is even scheduled to run. Here at BC we do not recommend using registry cleaners as it might irreversibly damage your computer.

Removal Instructions

Your computer is infected with a rootkit.
  • Open RootRepeal. Select the Hidden Services tab. Press Scan and, after it has finished, Save Report. Please post this scan in your reply before proceeding to the next step.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 lillybneedshelp


Posted 03 January 2010 - 03:36 PM

Hi farbar,

To answer your question, I am fine not running any more scans unless recommended by you. I only ran these over the last few days to try to correct the problem myself. I don't run registry repair programs either, again, I only did over the last few days thinking it might help.

I don't really use the peer to peer programs other than occasionally using Vuze. I was using this around the time I was infected. Can you tell what program or file contained the virus or whatever it is that infected my computer??

I did run a Rootrepeal scan. It is included as one of my attachments as ark.txt. Does this contain the information you requested or should I run another scan?

One more question... should I be in safe mode (with networking) when running ComboFix.exe and following your instructions above? I'm just not sure how much information they are able to manipulate or prevent me from running while in regular mode.

I'll wait to hear back before running the scan.

#4 lillybneedshelp


Posted 03 January 2010 - 03:58 PM

Do you know what type of rootkit infected my system?

#5 Farbar


Posted 03 January 2010 - 05:23 PM

The rootkit is a TDSS variant, it might have come with another rootkit but we have to check that later on.

I can't say exactly how and through which program you got it. Many people get it through p2p file sharing.

You mention you use only Vuze. Besides Vuze I see also Azureus on the Attach.txt.

Generally, when I ask for a log, I don't mean to put you through unneeded trouble. While handling the infection I might ask you to run a particular tool again and again to monitor the changes. I think you have to be prepared for that.

The RootRepeal log you have posted only contains the Drivers section. There are other sections on RootRepeal, but I don't see them on the log. In this case I need to check the Hidden Services section in particular. Either there is no hidden service any more (the rootkit has a hidden service) or you have just scanned the Drivers section. I need to make sure of that.

We prefer to run our tools in normal mode. Running all the tools should be exactly as it is instructed. Whenever it is needed to run a tool in Safe Mode I will mention it. So we will run ComboFix in normal mode and we need internet connection. If it was not possible to run ComboFix in normal mode, or if we had no connection in normal mode we might sometimes use Safe Mode (with networking), but it is not preferred.

So please don't run ComboFix until we have scanned the computer for Hidden Services. Now you may start with step 1.

It is late here and tomorrow is a working day. If you get the required RootRepeal just post it and then start with Combofix. Otherwise we will do this tomorrow.

#6 lillybneedshelp


Posted 04 January 2010 - 06:28 PM

Hi farbar,

I was able to run the RootRepeal scan for the hidden files but wasn't able to post them. The rootkit has my computer set up so I cannot submit anything to this site or even access my Yahoo mail. I keep getting error messages and the browser either closes or the page will not load. My burner/drive also is not working so I couldn't copy the report. I am very, very limited on what I can do on that computer. I did manage to print the report. Since there was only one hidden service detected I will type the service name for you.

Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTrevbafdxjw.sys

I hope this helps. Not sure if I should just bring my computer in to have someone fix it for me or buy a new one (neither is really in my budget). I also have all my files on my computer (not backed up). Should I delete the last files that I was downloading the day this virus infected my computer? They were movie files. I'm afraid of a reinfection... even though I didn't open the actual files yet. Do you think the rootkit is in the actual movie file or somehow got downloaded while I was downloading the movies on Vuze? (Vuze and Azureus are the same program, just updated.)

Thanks.
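
A first-pass log triage script, added here as an example and not a BleepingComputer or Farbar tool: it applies to the DDS, HijackThis and RootRepeal lines posted in this thread the checks a helper does by eye (an autorun display name that does not match the program it launches, a driver whose file is missing from disk, and random-looking driver or DLL names like the hidden service just reported). The sample lines are copied from this thread; the rules and thresholds are my own assumptions and only rank lines for a human to look at.

```python
"""First-pass triage of DDS / HijackThis / RootRepeal log lines.

Added example for this thread, not a BleepingComputer or Farbar tool.
The checks only rank lines for a human to inspect; they do not decide
what is malware, and vendor abbreviations (e.g. ccEvtMgr) can trip the
random-name rule too.
"""
import re

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\helpfile\helpfile.exe" /runcleanupscript
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys --> c:\windows\system32\drivers\vaxscsi.sys [?]
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
2010-01-01 04:04:34 876 -c--a-w- c:\windows\system32\krl32mainweq.dll
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTrevbafdxjw.sys
"""

# DDS "uRun:/mRun:" and HijackThis "O4 - HKLM\..\Run:" autorun entries.
RUN_RE = re.compile(r"^(?:[um]Run|O4 - HK\w+\\\.\.\\Run): \[([^\]]+)\] (.*)$")
# Any bare executable/driver file name on the line, with or without a path.
FILE_RE = re.compile(r"[\w~!\-]+\.(?:exe|dll|sys|ocx|scr)", re.I)
# Five or more consonants/digits in a row is rare in real product names.
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z0-9]{5,}", re.I)


def run_entry(line):
    """Return (display_name, command) for an autorun line, else None."""
    m = RUN_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def name_path_mismatch(name, command):
    """The first word of a display name normally appears in its own path.
    A 'Malwarebytes ...' entry launching helpfile.exe from an unrelated
    folder is the kind of impersonation this catches."""
    first = re.split(r"[^A-Za-z]+", name)[0].lower()
    return bool(first) and first not in command.lower()


def looks_random(filename):
    """Heuristic for generated names such as H8SRTrevbafdxjw.sys or
    krl32mainweq.dll: a stem of 6+ chars with a 5+ consonant/digit run."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 6 and CONSONANT_RUN_RE.search(stem) is not None


def triage(text):
    """Return [(line, [tags...])] for every line that trips a check."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tags = []
        # DDS prints "[?]" and HijackThis "No File" when the referenced
        # file is not on disk: a stale entry or a hidden/removed component.
        if "[?]" in line or "no file" in line.lower():
            tags.append("MISSING_FILE")
        entry = run_entry(line)
        if entry and name_path_mismatch(*entry):
            tags.append("RUN_NAME_PATH_MISMATCH")
        if any(looks_random(f) for f in FILE_RE.findall(line)):
            tags.append("RANDOM_LOOKING_NAME")
        if tags:
            findings.append((line, tags))
    return findings


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG):
        print(", ".join(tags).ljust(24), line)
```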

#7 Farbar


Posted 04 January 2010 - 06:39 PM

lillybneedshelp,

The priority at the moment is to clean the infection. Go ahead and run Combofix now.

#8 Farbar


Posted 07 January 2010 - 03:00 PM

Are you still there and needing assistance? I'm thinking of closing the topic due to lack of activity. I'll give it one more day for Combofix scan after which I'll close the topic for good.

#9 lillybneedshelp


Posted 08 January 2010 - 10:35 AM

Downloaded ComboFix but it's not running... what to do?

#10 Farbar


Posted 08 January 2010 - 10:48 AM

Rename it to far.exe and run it.

#11 lillybneedshelp


Posted 08 January 2010 - 11:10 AM

Already renamed it to something different and ran it... after reboot (ComboFix did it itself) it seems to be running my Symantec Antivirus scan now. I thought I disabled it but I'm not sure. Does the ComboFix scan resemble the Symantec one? Should I stop the scan that is currently running?

#12 Farbar


Posted 08 January 2010 - 11:23 AM

You may go on scanning with Norton and do the rest on your own, or you follow the instructions and disable it, and also don't run any other scanner. Only in the latter case will this help be continued.

#13 lillybneedshelp


Posted 08 January 2010 - 11:37 AM

Not sure if my previous post was clear. (My apologies for that.) I did download ComboFix and ran it. It began the scan, I followed the prompts as directed, rebooted once, the ComboFix scan continued, and then a window popped up and told me I had a rootkit infection and had me write down (for future reference) the names of 5 files. ComboFix continued with the scan and then it gave me the message about the Windows Recovery Console. It asked me if I had Windows XP Home Edition, I pressed NO and it continued to install Windows Home Edition... I just let it run because I didn't want to interrupt anything at this point. It then told me it needed to reboot the computer and to let ComboFix do this, so I did. The only thing I did when my computer started up again was click on my name and enter the password to log in. This was the point that the scan started up. Again, I don't know if this is my Symantec antivirus program running (it looks like it, but there is no name stating which it is and there is absolutely nothing else showing on my screen other than my desktop photo) or ComboFix. This is why I asked if ComboFix resembles Symantec scans. (I don't think so.)
Also, to clarify, I am fairly positive that I do not have Norton Antivirus on my computer... it says it is Symantec Antivirus. I had some trouble disabling it. The box that states enable auto protect was not checked off so it should not have run. If my Symantec antivirus is running will this have messed up ComboFix? Should I restart ComboFix when Symantec is done or will it continue on its own? More importantly, by running the Symantec scan will this reinfect my computer somehow if the files haven't been fixed already?

#14 lillybneedshelp


Posted 08 January 2010 - 11:55 AM

OK... I know now for certain it is my Symantec Antivirus which is currently running because I received a popup message stating it found a threat on my system. The type of threat is a 'downloader' and it has been quarantined. What do I do at this point? Do I stop the scan? If so, will Combofix continue running or do I have to run it again?

#15 Farbar


Posted 08 January 2010 - 11:58 AM

Thanks for the feedback.

Symantec and Norton are both from the same vendor. Anyway, we don't want your antivirus to do anything until we are done. We don't want to end up with a non-bootable computer because, while running ComboFix and cleaning, we give control to the antivirus, which could not prevent or remove the infection. This kind of infection needs special treatment and that is what we are going to do.

You can recognize the ComboFix scan when it opens a blue screen and tells you to wait until the scan is done and a log is created. In no way does it resemble any antivirus scan.

Now please tell me what you see on your desktop.
