Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

china and korea accessing my passworded services lately.


  • Please log in to reply
1 reply to this topic

#1 Mike Sell

Mike Sell

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 22 May 2010 - 10:36 PM

SO...... I have been having problems with people accessing my facebook, gmail, and other sites lately. Especially over the last week. I think that I might have downloaded a trojan, but I can't find any sign of it. I have looked, and I guess I am missing something, and figured you all might be able to help a bit better. i went through the steps as listed in order. defogger to stop dameon tools. restarted. downloaded the dds, the gmer. I will post the logs of that... Did have a problem with gmer not giving me all the options that I saw were available on the post.

I did have the option to scan, services, registry and files C. All of the others were greyed out.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Mike at 19:03:22.46 on Sat 05/22/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.1647 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Windows\splwow64.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DVOVE0CB\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~1\office12\GRA8E1~1.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files (x86)\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files (x86)\daemon tools lite\daemon.exe" -autorun
uRun: [LightScribe Control Panel] c:\program files (x86)\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [PRO Landscape Dashboard] c:\program files (x86)\drafix\pro landscape\PRO Landscape Dashboard.exe /hide
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
mRun: [AsusStartupHelp] "c:\program files (x86)\asus\aasp\1.00.17\AsRunHelp.exe"
mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
mRun: [AVP] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Google Quick Search Box] "c:\program files (x86)\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Banner Ad Blocker - c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files (x86)\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GR99D3~1.DLL
AppInit_DLLs: c:\progra~2\kasper~1\kasper~1\mzvkbd.dll,c:\progra~2\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~2\kasper~1\kasper~1\adialhk.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg64.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc64.dll,nvsvcStart
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
AppInit_DLLs-X64: c:\progra~2\kasper~1\kasper~1\x64\kloehk.dll,c:\progra~2\kasper~1\kasper~1\x64\adialhk.dll
IFEO-X64: taskmgr.exe - "c:\program files\process explorer\PROCEXP.EXE"

============= SERVICES / DRIVERS ===============

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 38416]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 26128]
R2 AVP;Kaspersky Internet Security;c:\program files (x86)\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 208616]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files (x86)\common files\seagate\schedule2\schedul2.exe [2008-6-24 605464]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 94744]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 33296]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-3-31 93184]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2009-5-5 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-10-8 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-10-8 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-10-8 94744]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-8 25832]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2009-3-31 19968]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]

=============== Created Last 30 ================

2010-05-22 22:52:43 0 d-----w- c:\program files (x86)\Trend Micro
2010-05-11 21:44:13 974848 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 21:44:13 738304 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-05-08 00:54:45 0 d-----w- C:\PRO Landscape Library
2010-05-08 00:54:31 974848 ----a-w- c:\windows\syswow64\mfc70.dll
2010-05-08 00:54:31 54784 ----a-w- c:\windows\syswow64\msvci70.dll
2010-05-08 00:54:12 0 d-----w- c:\program files (x86)\Drafix
2010-05-08 00:54:00 87552 ----a-w- c:\windows\system32\custmon64.dll
2010-05-08 00:53:57 0 d-----w- c:\program files (x86)\drafixPDF Writer
2010-05-08 00:52:16 0 d-----w- c:\program files (x86)\common files\Business Objects
2010-05-08 00:52:16 0 d-----w- c:\program files (x86)\Business Objects
2010-05-03 13:47:34 843409479 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2010-05-19 05:16:38 8364 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-19 05:16:38 59964 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-19 05:16:38 5781052 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-19 05:16:38 1065020 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-12 15:21:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 08:23:53 149773 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-05 08:23:53 106765 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-09 16:54:17 1032704 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:50:32 86528 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:28:40 833024 ----a-w- c:\windows\syswow64\wininet.dll
2010-03-09 16:28:27 1174528 ----a-w- c:\windows\syswow64\urlmon.dll
2010-03-09 16:27:21 146432 ----a-w- c:\windows\syswow64\occache.dll
2010-03-09 16:26:20 671232 ----a-w- c:\windows\syswow64\mstime.dll
2010-03-09 16:26:11 476672 ----a-w- c:\windows\syswow64\mshtmled.dll
2010-03-09 16:26:11 3586048 ----a-w- c:\windows\syswow64\mshtml.dll
2010-03-09 16:26:10 458240 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-03-09 16:25:38 28160 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-03-09 16:25:24 270848 ----a-w- c:\windows\syswow64\iertutil.dll
2010-03-09 16:25:24 193024 ----a-w- c:\windows\syswow64\iepeers.dll
2010-03-09 16:25:23 6069248 ----a-w- c:\windows\syswow64\ieframe.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\syswow64\ieencode.dll
2010-03-09 16:25:21 389120 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-03-09 16:25:21 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
2010-03-09 16:25:21 230400 ----a-w- c:\windows\syswow64\ieaksie.dll
2010-03-09 14:28:42 32768 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 14:01:47 26624 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-03-04 18:54:51 430080 ----a-w- c:\windows\syswow64\vbscript.dll
2010-03-04 18:45:31 603648 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 04:09:57 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-24 04:09:57 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-24 04:09:56 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-04-01 03:43:18 174 --sha-w- c:\program files\desktop.ini
2009-04-01 03:43:18 174 --sha-w- c:\program files (x86)\desktop.ini
2009-04-01 03:35:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:04:56.77 ===============

I know that it didn't say add the hijack this report, but I was going to send it as well...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:26:13 PM, on 5/22/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Mike\Desktop\gmer.exe
C:\PROGRA~2\WinZip\winzip32.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AsusStartupHelp] "C:\Program Files (x86)\ASUS\AASP\1.00.17\AsRunHelp.exe"
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [PRO Landscape Dashboard] C:\Program Files (x86)\Drafix\PRO Landscape\PRO Landscape Dashboard.exe /hide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus/Modul...ces/ax/stub.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GR99D3~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\adialhk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10342 bytes




I ran the gmer.exe and accidently didn't save it... but I re ran it and stopped it after if found the first stuff, because that is all it found by the end of the run the first time. crazy.gif

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:24 AM

Posted 25 May 2010 - 05:14 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users