Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected???? Not Sure


  • This topic is locked This topic is locked
3 replies to this topic

#1 BuffmanLT1

BuffmanLT1

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 18 March 2010 - 01:06 AM

Computer in question is from an employee at work. I always get the hard ones.

Anyways,

Supposedly the PC originally locked up after doing a "firefox" update. She when it restarted it was just showing the hour glass and wouldn't do anything. She said after leaving it unplugged for a half an hour it was fine, but continued after a day of locking up. I got the PC and saw her Firefox version was still 3.00. I uninstalled it and installed new version.

MalwareBytes came up clean. Same with Spybot search and destroy. I tried to run a Gmer Report, but everytime it gets so far then it locks up and automatically restarts (no blue screen). I can get to safe mode, I haven't noticed any browser redirects, and can get to the windows update page and sucessfully update.

I've run a 30 minute hardware test at full load, and system did not crash. It's a core 2 @ 1.86 Ghz with 3.12 GB of ram, but to me it seems a tad sluggish. (voltages check out on PSU) I'm not sure if Gmer crashing is any indication of an infection still looming on the PC, so I wanted to make a post to have someone check my logs before I return the PC to her. It was infected months ago by her son from downloading crap from Frostwire, but was cleaned at that time, but who's to say something still isn't looming (or wasn't a known threat at the time).

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Bert at 1:52:09.78 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3199.2842 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\bert\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175805233421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bert\applic~1\mozilla\firefox\profiles\wwt0nzl2.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_03050024.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-17 242696]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-17 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-17 29512]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-11 24652]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\system32\drivers\ZD1201U.sys [2007-4-6 38656]

=============== Created Last 30 ================

2010-03-18 05:07:55 77312 ----a-w- C:\mbr.exe
2010-03-17 17:46:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 17:37:03 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-03-17 17:37:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-03-17 17:36:50 0 d-----w- c:\windows\Logs
2010-03-17 17:36:44 0 d-----w- c:\windows\system32\temp
2010-03-17 17:36:43 0 d-----w- c:\docume~1\alluse~1\applic~1\PassMark
2010-03-17 17:36:34 0 d-----w- c:\program files\BurnInTest
2010-03-17 17:18:13 0 d-s---w- C:\ComboFix
2010-03-17 06:36:26 0 d--h--w- C:\$AVG
2010-03-17 06:36:08 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-17 06:36:03 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-17 06:35:52 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-17 06:35:33 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-17 06:08:30 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-17 06:08:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-17 05:36:28 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-03-17 05:36:07 0 d-----w- c:\program files\NVIDIA Corporation
2010-03-17 02:38:12 0 d-----w- c:\windows\pss
2010-03-17 00:49:42 0 d-----w- c:\docume~1\bert\applic~1\Office Genuine Advantage
2010-03-16 18:47:25 0 d-----w- c:\program files\SpeedFan
2010-03-16 18:47:24 45 ----a-w- c:\windows\system32\initdebug.nfo
2010-03-16 15:22:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-16 14:55:49 0 d-----w- c:\program files\iPod
2010-03-16 14:55:43 0 d-----w- c:\program files\iTunes
2010-03-16 14:55:43 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-16 14:48:18 0 d-----w- c:\program files\Bonjour
2010-03-09 23:14:43 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 02:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 02:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 02:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 02:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 02:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 02:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

============= FINISH: 1:52:24.40 ===============


MBR Report:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


RootRepeal Report. << Ran without crashing:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/18 01:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8236000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\Bert\LOCALS~1\Temp\mbr.sys
Address: 0xF77D7000 Size: 20864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7D0C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Bert\Cookies\bert@paypal.112.2o7[1].txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Bert\Cookies\bert@paypal[1].txt
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\bert\local settings\temp\~df700b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\bert\local settings\temporary internet files\content.ie5\frb10ebw\topic300745[1].htm
Status: Allocation size mismatch (API: 131072, Raw: 262144)

Path: c:\documents and settings\all users\application data\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.132.crwl
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: c:\documents and settings\all users\application data\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.132.gthr
Status: Allocation size mismatch (API: 136, Raw: 0)

Path: C:\Documents and Settings\Bert\Local Settings\Application Data\Microsoft\Messenger\atv89@yahoo.com\SharingMetadata\jjprime89@aol.com\DFSR\Staging\CS{36A0122A-7471-2C6C-E8A4-756FC38AD12A}\11\11-{F5D2970B-2F29-4CC6-A874-59ADB0723B75}-v11-{F5D2970B-2F29-4CC6-A874-59ADB0723B75}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: F:\Documents and Settings\Bert\Local Settings\Application Data\Microsoft\Messenger\atv89@yahoo.com\SharingMetadata\flashup@hotmail.co.uk\DFSR\Staging\CS{346BC2B1-405C-3BCB-69EF-D3B767BB08BA}\11\11-{48~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

==EOF==

Thanks Guys

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 20 March 2010 - 02:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 BuffmanLT1

BuffmanLT1
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 20 March 2010 - 02:48 PM

I guess you can close the topic unless you see anything out of the ordinary in those logs that I can look out for on future cases. I didn't have but 3 days with this PC, so I backed up all her docs and music and just wrote the drive 3-4 times with 0s and started from scratch. System is performing a lot faster now, and doesn't have issues with Gmer... I begin to think that part of the slowness issue was the fact the IDE cable had cuts in it exposing bare wire to the chasis. Kinda weird when you push on a cable with the PC off and it turns it on!

Edited by BuffmanLT1, 20 March 2010 - 02:50 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:20 AM

Posted 20 March 2010 - 02:52 PM

Couldn't find anything out of the usual in the logs so I will close the topic. Thanks for letting me know thumbup2.gif

-----------------------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users