
To: boopme, Colma's log reports (rootkit problem continued)

  • This topic is locked
9 replies to this topic

#1 Colma


  • Members
  • 21 posts
  • Local time:03:07 AM

Posted 26 June 2010 - 02:37 PM

Mod edit: I've merged all together ~~~boopme

Edit: SORRY GUYS, didn't mean to make so many multiple posts, that was an accident. Anyways "boopme", the forums won't let me post the full content of the logs here, I'm guessing it's too long, so I'll just put all the logs in the attachments.

Second Edit: It won't let me upload the DDS log to attachments, so I'll just post as much of it as I can and then make a reply posting the rest of it.

Hello again. I've followed steps 6-9 in the instructions you (boopme) gave me and gotten my log results and created a new thread in this forum section as you requested from my previous thread here: http://www.bleepingcomputer.com/forums/t/325989/should-i-be-sceptic-about-this-block-or-unblock/. I had no problem getting the first 2 logs. The Gmer log was quite annoying to get though. The first time I scanned, I went afk while it scanned for a while and came back to a completely black screen and nothing would happen no matter what I pressed. So I turned my computer off and back on, ran the scan again, went afk again, came back to the same thing but realized it was my screen saver that was the problem. So I set my screen saver to activate after 30 minutes of being idle rather than the measly 10 minutes it was set to. I've been meaning to change that anyways. So the third scan was successful, but the scan was so long ._.

DDS Log part 1:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 11:31:54.28 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1332 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Chris\Desktop\Defogger.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

DDS Log part 2:

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: BigSeekPro Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\bigseekpro toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:

DDS Log part 3: (I dunno why the hell it's cutting off like this, I highlight the whole log and copy then paste it here and when I check my post, it's cut off like that...

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Panasonic Device Manager for Multi-Function Station software] c:\program files\panasonic\mfstation\PCCMFSDM.exe
mRun: [Panasonic PCFAX for Multi-Function Station software] c:\program files\panasonic\mfstation\KmPcFax.exe -1
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BDMCon] "c:\program files\softwin\bitdefender10\bdmcon.exe" /reg
mRun: [BDAgent] "c:\program files\softwin\bitdefender10\bdagent.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Free YouTube Download - c

Well that's all of that log that I can post, it won't let me post the rest for some reason, sorry. And every single time I try to post one of the logs, it says "connection interrupted" or something, but it doesn't do that if I just post something like this that I typed myself...

Ok, I've been informed that I should make 1 more reply before I need to stop replying so I can get help, so here it is. Well first of all, if you guys really need the rest of that DDS log that the virus didn't let me post, then I got an idea. I was thinking maybe I could send that DDS log over MSN to my friend and he can post it for me. So if you really need that DDS log and you think I should go ahead and try that, lemme know and I'll get my friend to try and post it.

I don't mean to rush, but this rootkit is doing stuff to my computer every day, so it's kind of hard not to do what you said, which is "not to make any changes to your computer". Does running virus scans and such count as making changes? Because I kind of have to do those since this virus is always doing stuff. For example, yesterday my computer just all of a sudden restarted, but before it did, for like a split second, like .2 seconds, there was a blue screen with some white words on it and then the computer restarted. My friend said it was the blue screen of death, but my computer is running ok right now, so maybe one of my antiviruses stopped it and maybe that's why my computer restarted. Also, today my computer just completely froze for no reason for about 10 seconds. And I'm always hearing those Windows error message noises in the background, but nothing pops up, it's just the sound. So I think the virus is doing something in the background of my computer.

So yeah, that's my last reply until one of you has time to reply back, so I'll continue to patiently wait for a reply, but I urge you to help quick before this virus ruins my computer. Thanks.

Merged posts. ~ OB

Attached Files

Edited by Orange Blossom, 29 June 2010 - 10:09 PM.
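A small triage parser for the "Pseudo HJT Report" section of a DDS log like the one posted above, written as an added example (it is not code from this thread, from DDS, or from BleepingComputer). It flags the two things a helper scans such a log for first: BHO/toolbar entries whose file is gone ("No File") and Run-key autoruns that launch peer-to-peer clients. The sample lines are copied from the log above with backslashes restored; the list of peer-to-peer executable names is an assumption.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the DDS log posted in this thread.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: BigSeekPro Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\bigseekpro toolbar\tbcore3.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"""

# DDS line shapes: BHO/TB lines carry an optional display name, a CLSID and
# the backing file; uRun/mRun lines (per-user / per-machine Run keys) carry
# the registry value name in brackets followed by the launch command.
OBJ_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
RUN_RE = re.compile(r"^(?P<hive>u|m)Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed list of file-sharing client executables (not from the thread).
P2P_EXES = {"utorrent.exe", "btdna.exe", "limewire.exe", "bittorrent.exe"}


@dataclass
class Finding:
    kind: str   # "orphan" (registered object with no file) or "p2p"
    line: str   # the raw log line that triggered the finding


def exe_from_command(cmd: str) -> str:
    """Return the lowercase file name launched by a Run-key command.

    Handles both quoted paths ("c:\\...\\x.exe" /arg) and bare ones
    (RUNDLL32.EXE c:\\...\\y.dll,Entry); for a bare command the first
    whitespace-delimited token is the program.
    """
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        path = cmd[1:cmd.find('"', 1)]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the report line by line and collect orphan and P2P findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            # A CLSID still registered as a BHO/toolbar but pointing at no
            # file is leftover from an uninstall or a removed component.
            if m.group("target").strip() == "No File":
                findings.append(Finding("orphan", line))
            continue
        m = RUN_RE.match(line)
        if m and exe_from_command(m.group("cmd")) in P2P_EXES:
            findings.append(Finding("p2p", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:6} {f.line}")
```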



#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 30 June 2010 - 05:36 AM

Hi Colma,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

Please tell me if you still have the same issue, no need to post any logs or explain the history of the problem.

#3 Colma

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:07 AM

Posted 30 June 2010 - 07:27 AM

Yes I still have the same problem, I can't get rid of this virus.

Edited by farbar, 30 June 2010 - 07:39 AM.
Removed the quote

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 30 June 2010 - 07:43 AM

Please don't quote my whole post, to avoid needlessly overpopulating the thread. When you do, others do it too and we have some long threads where a helper needs to review a terribly overpopulated thread. In case it is needed to refer to various parts you may quote those parts you are reacting to. Thank you.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller…). Please attach it to your reply.

Edited by farbar, 30 June 2010 - 07:44 AM.

#5 Colma

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:07 AM

Posted 30 June 2010 - 01:03 PM

Alright, done successfully. I'll quickly review how it went: Ran Spybot, disabled the TeaTimer and SD helper, wasn't prompted at all, didn't ask me if I was sure I wanted to make changes, it just did it. Restarted computer. Then I ran the ResetTeaTimer program you had me download. After that was done I used the special tool you had me download, TDSSKiller, let it scan. When it was finished scanning it said I needed to reboot my computer and asked me to press Y to restart computer or N to continue. I pressed Y, computer restarted, and now I made my reply with the log attached. Now what?

Attached Files

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 30 June 2010 - 01:18 PM

Well done and thanks for the feedback. The rootkit is taken care of and the redirection or trouble posting to this thread is behind us.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between them, as the name(s) suggest. In today's world cybercrime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

Removal Instructions
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time), they are:

    J2SE Runtime Environment 5.0
    Java™ 6 Update 15

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  4. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

  5. Tell me also how is your computer running.

#7 Colma

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:07 AM

Posted 01 July 2010 - 06:08 AM

Thank you very much for helping me get rid of this annoying rootkit. I've done what you said in your last reply, but I also have some questions. #1, can I re-enable my CD Emulator Drivers yet? #2, should I do a follow up scan with all my scanners yet? #3, can I take off all the stuff you guys had me download yet? And #4, can you link me the official site to download Java 6 Update 20? Thanks. As for my computer, it's too soon to say how well it's actually running, but for the most part, it's running fine and I haven't had any odd sounds in the background or random pop ups since.

Anyways, thanks again, very much. I'll attach those logs now.

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.46

Database version: 4262

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 8:52:02 PM
mbam-log-2010-06-30 (20-52-02).txt

Scan type: Quick scan
Objects scanned: 152587
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\srrxymczdrbhonljh (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\srrxymczdrbhonljh.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paknuuvb.exe (Adware.Lifze) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Attached Files

  • Attached File  DDS.txt   15.53KB   4 downloads

#8 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 01 July 2010 - 12:11 PM

Hi Colma,

You are most welcome and I guess I have an answer for all those relevant questions.

It looks good.
  1. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

  2. You may delete any tool or log we used from your computer.

  3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  4. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing Colma.

#9 Colma

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:07 AM

Posted 01 July 2010 - 02:27 PM

Alrighty, everything's lookin good, thanks very much. I downloaded those 2 recommendations, thanks, I needed something like that. Also followed all the rest of the things and all went well. I think it's safe to say this situation is officially RESOLVED! Woohoo!

Thanks again! Peace.

#10 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:07 AM

Posted 01 July 2010 - 03:46 PM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
