Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit?


  • This topic is locked This topic is locked
2 replies to this topic

#1 DrewJC

DrewJC

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 15 July 2010 - 05:41 AM

Hi, I read the prep sticky and am posting the req'd info. Basically my wave volume slider in my master volume control panel goes all the way down all the time. After i adjust it back, the sound only lasts about 4 minutes and the slider drops again. At the same time that this started happening, pop up ads started appearing at random times, even when i was not browsing the web. Im not sure if these two things are related, but they started at the same time. I also use the Chrome browser, but the ads pop up in IE. Its essentially the same issue as this topic , and ive tried some of the programs he tried, but to no avail. My ads aren't invisible though, they are usually a maximized window. All of the info i am posting is from a clean boot, however, the problems persist. The only program i am using past the clean boot is Linksys (my wireless connection manager). i also get lots of iexplore.exe running, more the longer i keep my computer on.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 21:41:48.40 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.678 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
svchost.exe 4
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Andrew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Andrew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Andrew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andrew\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\ixk3iui6.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\andrew\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\andrew\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\andrew\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\andrew\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-12 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-24 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-24 116784]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-3-11 10384]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-24 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100713.001\IDSXpx86.sys [2010-7-13 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100714.023\NAVENG.SYS [2010-7-14 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100714.023\NAVEX15.SYS [2010-7-14 1362608]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]

=============== Created Last 30 ================

2010-07-15 01:51:26 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 20:23:23 0 d-----w- c:\docume~1\andrew\applic~1\Malwarebytes
2010-07-14 20:23:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-14 20:23:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-14 20:23:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 20:23:10 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 05:40:03 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-07-15 03:35:14 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-15 03:35:11 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-23 19:25:28 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-23 19:25:28 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-23 19:25:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-23 19:25:28 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-12 02:57:52 32768 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-12 02:57:52 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-12 02:57:52 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:42:20.96 ===============

EDIT- I forgot to attach ark.txt dry.gif

Attached Files


Edited by DrewJC, 15 July 2010 - 05:43 AM.


BC AdBot (Login to Remove)

 


#2 DrewJC

DrewJC
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:40 AM

Posted 16 July 2010 - 03:35 AM

I booted from a Windows XP disc and ran fixmbr through the recovery console and all is well. I believe my problem has been solved. I see a lot of people have the same issue that i had, and this is a super easy way to fix it.

Disclaimer- There is a slight chance that you may ruin your boot record this way, ive never seen it, but i hear that it has happened.

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:40 AM

Posted 22 July 2010 - 06:59 AM

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users