HijackThis log


6 replies to this topic

#1 sh4rkbyt3

  • Members
  • 394 posts

Posted 08 June 2010 - 07:54 PM

Moved to appropriate forum, Virus, Trojan, Spyware, and Malware Removal Logs ~~boopme

This has been an ongoing issue for a while now.
I am currently using Windows 7 x64 and ran SDFix several times to try to remove what I believe is a possible Rootkit. Upon removal by Sophos, I rescan only to find the same issues and even using Malwarebytes doesn't locate anything. I used HijackThis and found several file anomalies that don't look right but HijackThis cannot correct them. Spybot Search & Destroy finds nothing also as does

Here is my logfile from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:02 PM, on 6/8/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Users\Virus 1550\AppData\Roaming\mjusbsp\magicJack.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [cdloader] "C:\Users\Virus 1550\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Google Update] "C:\Users\Virus 1550\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~2\WinTV\TVServer\HAUPPA~1.EXE
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6151 bytes

Any help would be immensely appreciated.

Edited by boopme, 08 June 2010 - 08:03 PM.
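The log above is a plain line-oriented format, so the first thing a responder usually does with it is parse it and separate the entries that deserve a manual look from the ones that do not. The following is an added example, not BleepingComputer's, HijackThis's or the poster's own code. It parses HijackThis 2.0.2 lines by section code (R1, F2, O4, O23, ...), extracts the image path of each O4 autorun and the owner, path and "(file missing)" state of each O23 service, and builds a review queue. The sample input is a handful of lines copied from the log plus one constructed "Example Updater (ExampleSvc)" line, which does not exist in the real log and is there only so the queue has a genuine hit. The classifier rests on one assumption stated in the code: a 32-bit HijackThis on 64-bit Windows runs under WOW64 file-system redirection, so 64-bit-only binaries under C:\Windows\System32 (the "@...,-1 (Spooler)"-style built-in services) are reported as "Unknown owner ... (file missing)" even though they are present; those entries are treated as a scanner artifact rather than as evidence of infection.

```python
"""Triage helper for a Trend Micro HijackThis v2.0.2 log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the log in the first post, plus one CONSTRUCTED
# line ("Example Updater") that is not in the real log, so the review queue has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdloader] "C:\Users\Virus 1550\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~2\WinTV\TVServer\HAUPPA~1.EXE
O23 - Service: Example Updater (ExampleSvc) - Unknown owner - C:\Users\Virus 1550\AppData\Local\Temp\upd.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, F2, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4: <hive>[\<SID>]\..\Run[Once]: [<name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^(?P<hive>[^\\]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23: Service: <display> - <owner> - <path> [(file missing)]
# Display names are assumed not to contain " - "; the path may (Spybot's does).
O23_RE = re.compile(
    r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# First image path of a command line: a quoted string, or text up to the first executable suffix.
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|scr|bat|cmd))(?=\s|$)', re.I)

SYSTEM32 = "c:\\windows\\system32\\"
USER_PROFILE_MARKERS = ("\\users\\", "%appdata%", "%temp%", "\\temp\\")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    image: str
    user: Optional[str]


@dataclass
class Service:
    display: str
    owner: str
    path: str
    missing: bool
    verdict: str  # "present", "likely_wow64_artifact" or "review"


def image_of(cmd: str) -> str:
    m = IMAGE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def classify_service(display: str, owner: str, path: str, missing: bool) -> str:
    if not missing:
        return "present"
    # Assumption: 32-bit HijackThis on x64 is subject to WOW64 file-system redirection, so
    # 64-bit-only System32 binaries (referenced by "@..." resource strings, owner unreadable)
    # are reported missing although they exist on disk.
    if path.lower().startswith(SYSTEM32) and (owner == "Unknown owner" or display.startswith("@")):
        return "likely_wow64_artifact"
    return "review"


def parse(text: str) -> Tuple[Dict[str, int], List[Autorun], List[Service]]:
    counts: Dict[str, int] = {}
    autoruns: List[Autorun] = []
    services: List[Service] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" block, blanks
        section, body = m.group("section"), m.group("body")
        counts[section] = counts.get(section, 0) + 1
        if section == "O4":
            o = O4_RE.match(body)
            if o:
                autoruns.append(Autorun(o["hive"], o["key"], o["name"], image_of(o["cmd"]), o["user"]))
        elif section == "O23":
            s = O23_RE.match(body)
            if s:
                missing = s["missing"] is not None
                verdict = classify_service(s["display"], s["owner"], s["path"], missing)
                services.append(Service(s["display"], s["owner"], s["path"], missing, verdict))
    return counts, autoruns, services


def review_queue(autoruns: List[Autorun], services: List[Service]) -> List[Tuple[str, str, str]]:
    """Entries worth checking by hand: autoruns launched from a user profile, and
    services whose binary is missing for a reason WOW64 redirection cannot explain."""
    queue = []
    for a in autoruns:
        if any(marker in a.image.lower() for marker in USER_PROFILE_MARKERS):
            queue.append(("O4", a.name, a.image))
    for s in services:
        if s.verdict == "review":
            queue.append(("O23", s.display, s.path))
    return queue


if __name__ == "__main__":
    counts, autoruns, services = parse(SAMPLE_LOG)
    print("entries per section:", counts)
    for item in review_queue(autoruns, services):
        print("REVIEW", *item)
```

Run against the full log in the post, the queue would contain the two magicJack entries under the user's AppData folder (legitimate software, but the kind of location a responder verifies) and none of the twenty-odd built-in services marked "(file missing)", which is the right outcome on a healthy Windows 7 x64 host scanned by a 32-bit tool.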



#2 sh4rkbyt3

  • Topic Starter
  • Members
  • 394 posts

Posted 08 June 2010 - 10:18 PM

In addition here is a DDS log since the HijackThis report doesn't really say much.

Attached Files



#3 snemelk

  • engineer
  • Malware Response Team
  • 1,468 posts
  • Location:Poland

Posted 12 June 2010 - 06:12 AM

Hi sh4rkbyt3!!..

QUOTE(sh4rkbyt3 @ Jun 9 2010, 02:54 AM)
I am currently using Windows 7 x64 and ran SDFix several times to try to remove what I believe is a possible Rootkit.

This was a very bad idea... SDFix is not a 64bit compatible tool (and also very, very outdated) - using it improperly can cause much trouble...
I've not heard about rootkit infections on 64bit machines - at this moment, I don't think this is possible...

Why do you think your computer is infected??..

I see you're running IObit's Advanced SystemCare... I suggest you uninstall it - this company stole Malwarebytes’ Intellectual Property...
Use Start -> Control Panel -> Programs and Features...

Then,
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#4 sh4rkbyt3

  • Topic Starter
  • Members
  • 394 posts

Posted 12 June 2010 - 01:33 PM

Thank you for the reply snemelk.
The reason I thought it was a rootkit is I could not find ANY infection but I was experiencing different anomalies such as signing into my e-mail, clicking on an e-mail and only other e-mails would open, not the targeted one. I also experienced in gameplay online that I would be unable to connect to any servers on the system (STEAM) and then when I was able to sometimes connect I had actions happening but I had very little control of them. Then I would have the screen spin in a complete 360 degree turn and the screen would spin and shrink until it vanished.
To try and locate I used:
Spybot
HijackThis
Avira
SysInternals
Regedit
Combofix
SDFix
Malwarebytes
Ccleaner
SuperAntiSpyware
SpywareBlaster
Rkill
Revo Uninstaller
A2
Sophos


The few programs I did find were removed (7-8 none were Vundo or anything of the sort) but the control of my system by me was still intermittent when online. I have since wiped the HDD using Ubuntu and reloaded an x86 version of Windows 7. While it may not have been a "rootkit" it acted like one and was completely undetectable through 64 bit which is why I've switched back to x86 version. While 64 is allegedly supported through some AV programs, it is useless if there are no removal programs able to capture what an AV misses, and they all miss some infections.

I'm also not sure that part of the drive is not locked by an attempted previous install of Ubuntu so it could be harboring legacy software. When I reformatted the drive (1TB) only 931 GB was displayed? I went through this before and no one seemed to have an answer as to how to unlock a part of the drive that is locked. I was then told that linux changes the geometry of the drive and can ruin a part of it if a dual boot isn't applied properly? Lots of replies but not a lot of help.

#5 snemelk

  • engineer
  • Malware Response Team
  • 1,468 posts
  • Location:Poland

Posted 12 June 2010 - 04:31 PM

Hi again sh4rkbyt3!!..

QUOTE(sh4rkbyt3 @ Jun 12 2010, 08:33 PM)
The reason I thought it was a rootkit is I could not find ANY infection but I was experiencing different anomalies such as signing into my e-mail, clicking on an e-mail and only other e-mails would open, not the targeted one. I also experienced in gameplay online that I would be unable to connect to any servers on the system (STEAM) and then when I was able to sometimes connect I had actions happening but I had very little control of them. Then I would have the screen spin in a complete 360 degree turn and the screen would spin and shrink until it vanished.

I don't think malware was involved in it - I know of no infection which would cause such problems... And as I said, at this moment, rootkit infections are not possible on 64bit machines...

QUOTE
Combofix
SDFix

Not 64bit compatible, should not be used on your own...

QUOTE
I have since wiped the HDD using Ubuntu and reloaded an x86 version of Windows 7. While it may not have been a "rootkit" it acted like one and was completely undetectable through 64 bit which is why I've switched back to x86 version.

No, rootkit infections don't cause such problems!!.. Malware writers want to get money, they're not interested in causing strange problems on your machine!..

QUOTE
When I reformatted the drive (1TB) only 931 GB was displayed? I went through this before and no one seemed to have an answer as to how to unlock a part of the drive that is locked.

It's always like that... It's not locked...

Hard disk manufacturers quote disk capacity in SI-standard powers of 1000, wherein a terabyte is 1000 gigabytes and a gigabyte is 1000 megabytes. With file systems that measure capacity in powers of 1024, available space appears somewhat less than advertised capacity.
Wikipedia: Hard disk drive

QUOTE
I was then told that linux changes the geometry of the drive and can ruin a part of it if a dual boot isn't applied properly?

I'm not sure about that... The only problem I can see is when you install Linux over your existing Windows installation... Or, if you try to install Linux on an existing Windows partition, it would have to be shrunk - that can certainly cause problems if performed improperly... But you would have to ask experts about that...

Since you re-formatted, may I close the thread??..


#6 sh4rkbyt3

  • Topic Starter
  • Members
  • 394 posts

Posted 12 June 2010 - 11:11 PM

Yes snemelk, thank you for replying.

#7 snemelk

  • engineer
  • Malware Response Team
  • 1,468 posts
  • Location:Poland

Posted 13 June 2010 - 04:11 AM

QUOTE(sh4rkbyt3 @ Jun 13 2010, 06:11 AM)
Yes snemelk, thank you for replying.

No problem!..

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.