
Services.exe botnet :(


5 replies to this topic

#1 JacobHall


  • Members
  • 300 posts

Posted 08 April 2010 - 07:36 PM

Hello there,

Recently, today my silly mother thought it was a good idea to download a torrent with a keygen for the full version of Adobe Photoshop on my laptop.

Okay, then my wireless was like, wow. Wouldn't stop even though all internet-based applications were closed. So I downloaded Process Explorer only to find that Services.exe is draining my CPU, and was the root cause of this mayhem.

The file was originating in C:\Documents and Settings\Jake\Application Data\Microsoft\

Once navigating there, couldn't see it. I enabled the view of hidden files, still not there. Then popped open Notepad, created a file called services.exe and it said that it couldn't overwrite the file as it was read-only.

So, I used MBAM's fantastic FileAssassin tool and got rid of the botnet exe (hooray!)

Okay, ran MBAM multiple times. Results as follows.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/04/2010 21:47:53
mbam-log-2010-04-08 (21-47-53).txt

Scan type: Quick scan
Objects scanned: 100502
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3970

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/04/2010 22:38:45
mbam-log-2010-04-08 (22-38-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 143309
Time elapsed: 45 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{67C4541F-D3F2-450D-8BA3-DE79D55388CD}\RP18\A0006088.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{67C4541F-D3F2-450D-8BA3-DE79D55388CD}\RP21\A0007528.EXE (Trojan.Agent.CK) -> Quarantined and deleted successfully.


To be honest, I highly doubt that's all. I need to know if I am clean (:

Regards


PS: This is not related to my other thread!
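The tell-tale sign in the post above is a process named services.exe whose image lives under Application Data rather than the Windows system directory. The check below, an added example that is not code from the thread, from DDS or from Malwarebytes, reads process lines in the format DDS prints under "Running Processes" and flags core Windows binary names that run from anywhere other than their expected directory; the sample lines are constructed for this example and the expected-directory table assumes a Windows XP layout.

```python
import ntpath
import re

# Core Windows binaries and the only directory each legitimately runs from.
# Assumption: Windows XP layout (as in the thread), lower-cased for comparison.
SYSTEM_ONLY = {
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample in the DDS "Running Processes" format. The services.exe
# line reproduces the location the original poster described; it is not a
# line copied from the thread's DDS log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jake\Application Data\Microsoft\services.exe
C:\Documents and Settings\Jake\My Documents\Downloads\dds.scr
"""

# Full image path: drive letter, then everything up to an executable extension,
# optionally followed by command-line arguments.
_PATH_RE = re.compile(
    r"^(?P<path>[a-z]:\\.+?\.(?:exe|scr|com))(?:\s+(?P<args>.*))?$", re.I
)


def parse_process_line(line):
    """Split one process line into (image_path, args).

    image_path is None when the tool printed only a bare file name, which
    means the location cannot be judged from the log alone.
    """
    line = line.strip()
    m = _PATH_RE.match(line)
    if m:
        return m.group("path"), m.group("args") or ""
    if re.match(r"^[a-z]:\\", line, re.I):
        # Path printed without an extension (e.g. "svchost -k DcomLaunch"):
        # cut at the first command-line switch.
        path, sep, rest = line.partition(" -")
        return path.rstrip(), ("-" + rest) if sep else ""
    return None, ""


def suspicious_reason(image_path):
    """Return why image_path is suspicious, or None if it looks normal."""
    directory, name = ntpath.split(image_path)
    name = name.lower()
    if not name.endswith((".exe", ".scr", ".com")):
        name += ".exe"  # DDS drops the extension on some lines
    directory = ntpath.normpath(directory).lower()
    expected = SYSTEM_ONLY.get(name)
    if expected is None or directory in expected:
        return None
    return "%s runs from %s, expected %s" % (
        name, directory, " or ".join(sorted(expected)))


def audit(log_text):
    """Check every line; return flagged processes and unresolvable names."""
    report = {"flagged": [], "unresolved": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path, _args = parse_process_line(line)
        if path is None:
            report["unresolved"].append(line.strip())
            continue
        reason = suspicious_reason(path)
        if reason:
            report["flagged"].append((path, reason))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for path, reason in result["flagged"]:
        print("FLAG:", path, "->", reason)
    for name in result["unresolved"]:
        print("UNRESOLVED (no path in log):", name)
```

Lines printed as a bare file name are reported separately rather than silently passed, since a log that omits the path gives no basis for a verdict either way.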


#2 Ried


  • Malware Response Team
  • 1,009 posts

Posted 08 April 2010 - 09:53 PM

Hello Super Panda. You mentioned that this is not related to your other thread - is this a different computer?

Kindly follow the instructions as listed in the Preparation Guide located here ==> http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ and post the requested logs in your next reply.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 JacobHall

  • Topic Starter

  • Members
  • 300 posts

Posted 09 April 2010 - 06:45 AM

Yes, different computer.


As requested.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jake at 12:23:57.59 on 09/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1524.865 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Jake\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0310&m=aoa150
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0310&m=aoa150
uInternet Connection Wizard,ShellNext = hxxp://www.store.acer-euro.com/?kid=38020knzcut1301
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Gif Animator Toolbar Helper: {96372ab6-15eb-4316-b497-71c741bc548c} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Easy Gif Animator Toolbar: {35065594-9169-4a34-b167-fc4865038e53} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jake\applic~1\mozilla\firefox\profiles\ro1i1gbp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2148489&SearchSource=3&q={searchTerms}
FF - component: c:\documents and settings\jake\application data\mozilla\firefox\profiles\ro1i1gbp.default\extensions\{baccd013-d3bf-4c64-8920-1a4783e47454}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\jake\application data\mozilla\firefox\profiles\ro1i1gbp.default\extensions\{baccd013-d3bf-4c64-8920-1a4783e47454}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-2-22 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-2-22 95872]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-2-22 810120]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe [2010-3-22 81920]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe [2010-3-22 2736128]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2010-3-14 151936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-13 135664]

=============== Created Last 30 ================

2010-04-08 21:26:31 974848 ------w- c:\windows\system32\mfc70.dll
2010-04-08 21:26:31 57344 ------w- c:\windows\system32\mfc70enu.dll
2010-04-08 21:26:31 344064 ------w- c:\windows\system32\msvcr70.dll
2010-04-08 21:26:27 0 d-----w- c:\program files\common files\Macromedia Shared
2010-04-08 21:26:25 0 d-----w- c:\program files\common files\Macromedia
2010-04-08 21:26:04 0 d-----w- c:\program files\Macromedia
2010-04-08 20:21:14 0 d--h--w- c:\windows\PIF
2010-04-08 20:17:37 0 d-----w- c:\docume~1\jake\applic~1\Malwarebytes
2010-04-08 19:38:10 0 d-----w- c:\docume~1\jake\applic~1\TeamViewer
2010-04-08 19:37:50 0 d-----w- c:\program files\TeamViewer
2010-04-08 19:36:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 19:36:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 19:36:33 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 19:36:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 20:11:24 0 d-----w- c:\docume~1\jake\applic~1\ArcticLine
2010-04-06 20:10:43 0 d-----w- c:\program files\Folder Marker
2010-04-05 23:52:02 0 d-----w- c:\program files\Everything
2010-04-05 18:02:39 0 d-----w- c:\program files\Conduit
2010-04-05 18:02:32 0 d-----w- c:\program files\FlameHabbo
2010-04-05 17:50:41 11124 ----a-w- c:\documents and settings\jake\.recently-used.xbel
2010-04-04 21:24:46 236161 ----a-w- c:\windows\EasyGifAnimator_Toolbar_Uninstaller_8421.exe
2010-04-04 21:24:43 0 d-----w- c:\program files\Easy Gif Animator Extension
2010-04-04 21:24:10 0 d-----w- c:\program files\Easy GIF Animator
2010-04-04 21:05:36 0 d-----w- c:\documents and settings\jake\.thumbnails
2010-04-04 20:23:19 0 d-----w- c:\documents and settings\jake\.gimp-2.6
2010-04-04 20:11:14 0 d-----w- c:\program files\GIMP-2.0
2010-04-03 19:49:27 0 d-----w- c:\windows\pss
2010-03-23 20:27:10 55376 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-22 20:42:31 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-22 20:19:36 0 d-----w- c:\program files\SpacialAudio
2010-03-22 20:19:01 450560 ----a-w- c:\windows\system32\GDS32.DLL
2010-03-22 20:18:54 462848 ----a-w- c:\windows\system32\Firebird2Control.cpl
2010-03-22 20:18:17 0 d-----w- c:\program files\Firebird
2010-03-22 19:49:01 0 d-----w- c:\docume~1\alluse~1\applic~1\WebcamMax
2010-03-22 19:48:26 0 d-----w- c:\program files\WebcamMax
2010-03-22 19:26:58 0 d-----w- c:\docume~1\jake\applic~1\WebcamMax
2010-03-22 18:01:48 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-22 18:00:13 0 d-----r- c:\program files\Skype
2010-03-21 15:26:26 276 ----a-w- C:\m.vbs
2010-03-20 19:30:01 0 d-----w- c:\docume~1\alluse~1\applic~1\{462AB9A5-1898-46D0-851B-4FED4AB4E4DF}
2010-03-20 19:29:56 0 d-----w- c:\program files\LiveZilla
2010-03-17 20:28:14 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-16 21:47:32 0 d-----w- c:\program files\Rockstar Games
2010-03-16 18:07:09 0 d-----w- c:\program files\uTorrent
2010-03-16 18:06:49 0 d-----w- c:\docume~1\jake\applic~1\uTorrent
2010-03-15 20:09:16 0 d-----w- c:\docume~1\jake\applic~1\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-03-15 20:09:11 0 d-----w- c:\program files\TweetDeck
2010-03-14 19:45:31 0 d-----w- c:\docume~1\jake\applic~1\LimeWire
2010-03-14 15:27:03 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-14 15:27:03 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-14 15:26:09 0 d-----w- c:\program files\iPod
2010-03-14 15:26:03 0 d-----w- c:\program files\iTunes
2010-03-14 15:26:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-14 15:25:38 0 d-----w- c:\program files\Bonjour
2010-03-14 12:36:34 0 d-----w- c:\windows\system32\XPSViewer
2010-03-14 12:35:40 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-14 12:35:40 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-14 12:35:40 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-14 12:35:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-14 12:35:40 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-14 12:35:40 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-14 12:35:40 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-14 12:35:39 0 d-----w- C:\3da3fa442132934af4fdf8594f5a
2010-03-14 11:27:16 0 d-----w- c:\windows\ie8updates
2010-03-14 11:21:08 0 d-sh--w- c:\documents and settings\jake\PrivacIE
2010-03-14 10:41:08 0 d-----w- c:\docume~1\jake\applic~1\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2010-03-14 10:41:01 0 d-----w- c:\program files\BBC iPlayer Desktop
2010-03-14 10:38:20 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-14 10:38:20 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-14 10:38:13 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-14 10:38:13 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-14 10:37:49 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-14 10:37:49 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-14 04:02:44 0 d-----w- c:\docume~1\jake\applic~1\eSobi
2010-03-14 04:02:03 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-03-14 03:55:48 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-14 03:54:28 730 ----a-w- c:\windows\system32\setup.iss
2010-03-14 03:54:28 321024 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2010-03-14 03:54:28 258048 ----a-w- c:\windows\system32\Uninstall_eRecovery.exe
2010-03-14 03:54:28 258048 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2010-03-14 03:54:28 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2010-03-14 03:54:28 159744 ----a-w- c:\windows\system32\CloseProcessWindow.dll
2010-03-14 03:53:29 0 d-----w- c:\program files\common files\CrystalEye
2010-03-14 03:46:45 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-03-14 02:44:19 8 ----a-w- c:\windows\system32\drivers\1025_ACER_AOA150.MRK
2010-03-14 02:44:18 0 d---a-w- c:\windows\AcerStore
2010-03-14 02:44:17 98304 ----a-w- c:\windows\CUSTOMIZEIE7.EXE
2010-03-14 02:44:17 465 ----a-w- c:\windows\UPDATE.CMD
2010-03-14 02:44:17 237568 ----a-w- c:\windows\FIXWLM.EXE
2010-03-14 02:44:17 1233 ----a-w- c:\windows\SASETS.INI
2010-03-13 22:53:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-13 22:53:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-13 22:51:18 0 d-----w- c:\program files\LimeWire
2010-03-13 22:13:54 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-13 22:13:52 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-13 21:50:15 0 d-sh--w- c:\documents and settings\jake\IETldCache
2010-03-13 21:29:00 0 d-----w- c:\program files\Microsoft
2010-03-13 21:19:29 0 dc-h--w- c:\windows\ie8
2010-03-13 21:17:37 0 d-----w- c:\documents and settings\jake\Tracing
2010-03-13 21:07:54 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-13 20:33:16 0 d-----w- c:\windows\system32\PreInstall
2010-03-13 20:24:58 215920 ----a-w- c:\windows\system32\muweb.dll
2010-03-13 20:24:58 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-03-13 20:24:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-13 20:19:54 0 d-----w- c:\program files\ESET
2010-03-13 20:16:22 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-22 16:51:10 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-02-22 16:50:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-02-22 16:47:20 139192 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-01-20 18:25:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 12:24:39.48 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 14/03/2010 03:51:21
System Uptime: 04/09/2010 09:47:42 (-3549 hours ago)

Motherboard: Acer | |
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1596/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 143 GiB total, 112.235 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_015B1025&REV_02\4&20975680&0&00E1
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8102E/RTL8103E Family PCI-E Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_015B1025&REV_02\4&20975680&0&00E1
Service: RTLE8023xp

==== System Restore Points ===================

RP1: 14/03/2010 03:51:27 - System Checkpoint
RP2: 14/03/2010 03:53:28 - Installed Acer Crystal Eye Webcam
RP3: 14/03/2010 03:56:51 - Installed Acer Product Registration
RP4: 14/03/2010 04:04:07 - Removed Acer Product Registration
RP5: 14/03/2010 04:04:38 - Removed Acer ScreenSaver
RP6: 14/03/2010 04:05:18 - Removed eSobi v2
RP7: 14/03/2010 04:09:23 - Removed Microsoft Works
RP8: 13/03/2010 20:19:49 - Installed ESET NOD32 Antivirus
RP9: 13/03/2010 20:32:22 - Software Distribution Service 3.0
RP10: 13/03/2010 21:08:22 - Software Distribution Service 3.0
RP11: 14/03/2010 11:26:47 - Software Distribution Service 3.0
RP12: 14/03/2010 12:30:02 - Software Distribution Service 3.0
RP13: 14/03/2010 14:00:16 - Software Distribution Service 3.0
RP14: 14/03/2010 15:25:53 - Installed iTunes
RP15: 16/03/2010 19:40:59 - System Checkpoint
RP16: 16/03/2010 21:47:38 - Installed GTA San Andreas
RP17: 21/03/2010 17:29:25 - System Checkpoint
RP18: 22/03/2010 20:25:58 - Removed Skype Toolbars
RP19: 03/04/2010 12:02:18 - Software Distribution Service 3.0
RP20: 04/04/2010 19:15:01 - System Checkpoint
RP21: 06/04/2010 16:45:05 - Installed Microsoft Fix it 50267
RP22: 08/04/2010 22:26:02 - Installed Fireworks

==== Installed Programs ======================


µTorrent
7-Zip 4.65
Acer Crystal Eye Webcam
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BBC iPlayer Desktop
Bonjour
Easy GIF Animator 5.1
Easy Gif Animator Extension
ESET NOD32 Antivirus
Everything 1.2.1.371
Firebird 2.1.3.18185 (Win32)
Folder Marker Pro v 3.0
GIMP 2.6.8
Google Toolbar for Internet Explorer
Google Update Helper
GTA San Andreas
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java Auto Updater
Java™ 6 Update 18
JMicron JMB38X Flash Media Controller
Junk Mail filter update
Launch Manager
LimeWire 5.5.6
LiveZilla
Macromedia Fireworks MX 2004
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
SAM3 (remove only)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Skype™ 4.2
Synaptics Pointing Device Driver
TeamViewer 5
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebcamMax
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver

==== Event Viewer Messages From Past Week ========

08/04/2010 20:54:43, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
08/04/2010 20:54:28, error: Service Control Manager [7034] - The TeamViewer 5 service terminated unexpectedly. It has done this 1 time(s).
08/04/2010 16:20:44, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08/04/2010 16:20:36, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08/04/2010 16:20:24, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
08/04/2010 16:20:14, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 3 time(s).
08/04/2010 16:20:10, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
08/04/2010 15:45:29, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
08/04/2010 12:49:52, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 2 time(s).
07/04/2010 11:38:32, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
07/04/2010 11:38:27, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
07/04/2010 11:38:13, error: Service Control Manager [7034] - The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).
07/04/2010 11:38:10, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
07/04/2010 11:38:04, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 1 time(s).
06/04/2010 01:43:59, error: Service Control Manager [7031] - The Firebird Guardian - DefaultInstance service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
05/04/2010 23:55:29, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
04/04/2010 15:22:09, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
03/04/2010 20:39:21, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00242C16CE31 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

The GMER is still running; I have just come to a BSOD. Wow. Not seen one of those for years.

On my Acer, there's an eRecovery thing which, like, restores your computer to how it was when it was made. Should I run that?
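The Event Viewer block in the log above records the ESET Service terminating three times within twenty seconds on the same afternoon as the services.exe CPU drain described in the opening post. As an added example that is not part of the thread, here is a small Python parser for that DDS event-line layout which groups Service Control Manager 7031/7034 unexpected terminations per service and flags repeated crashes of a security product's service; the sample lines are constructed, and the SECURITY_SERVICES watch list, the five-minute window and the count threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the DDS "Event Viewer Messages" layout used in the post above:
# "DD/MM/YYYY HH:MM:SS, level: Source [EventID] - message".
SAMPLE_EVENTS = """\
08/04/2010 16:20:44, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 3 time(s).
08/04/2010 16:20:36, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 2 time(s).
08/04/2010 16:20:24, error: Service Control Manager [7031] - The ESET Service service terminated unexpectedly. It has done this 1 time(s).
08/04/2010 16:20:14, error: Service Control Manager [7034] - The Firebird Server - DefaultInstance service terminated unexpectedly. It has done this 3 time(s).
"""
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
                     r"(?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$")
# SCM 7031 = terminated, restart scheduled; 7034 = terminated, no recovery action.
TERM_RE = re.compile(r"^The (?P<service>.+?) service terminated unexpectedly")
SECURITY_SERVICES = ("ESET", "Malwarebytes", "Windows Defender")  # hypothetical watch list

def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%m/%Y %H:%M:%S")
            d["event_id"] = int(d["event_id"])
            events.append(d)
    return events

def service_crashes(events):
    """Map service name -> sorted timestamps of SCM 7031/7034 unexpected terminations."""
    crashes = defaultdict(list)
    for e in events:
        m = TERM_RE.match(e["msg"]) if e["event_id"] in (7031, 7034) else None
        if m:
            crashes[m.group("service")].append(e["ts"])
    return {svc: sorted(ts) for svc, ts in crashes.items()}

def flag_security_service_kills(events, window=timedelta(minutes=5), min_count=3):
    """Return {service: span} for watch-listed services that died >= min_count times
    inside one window; an AV engine dying repeatedly is a cue to scan from clean media."""
    flagged = {}
    for svc, times in service_crashes(events).items():
        if not any(tag.lower() in svc.lower() for tag in SECURITY_SERVICES):
            continue
        for i in range(len(times) - min_count + 1):
            span = times[i + min_count - 1] - times[i]
            if span <= window:
                flagged[svc] = span
                break
    return flagged
```

Running `flag_security_service_kills(parse_events(SAMPLE_EVENTS))` on the constructed sample returns only the ESET Service entry, with the Firebird crash ignored because it is not a watch-listed product.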



#4 JacobHall

Posted 09 April 2010 - 08:51 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-09 14:39:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jake\LOCALS~1\Temp\fglorpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----


#5 JacobHall

Posted 09 April 2010 - 11:24 AM

Hello,

I have taken the option to use the Acer eRecovery software which is included in my system. I will keep you posted on what occurs & I am doing this because botnets are used to DDoS servers, and people having full access to my computer doesn't really float my boat.

Thanks.

#6 JacobHall

Posted 09 April 2010 - 02:29 PM

Wow, went brilliantly.

I'm just going to install Windows Updates, then I will install MBAM, update and scan!