
multiple instances of firefox/IE in background (rootkit virus?)


3 replies to this topic

#1 saint19

  • Members
  • 2 posts

Posted 04 August 2010 - 09:02 AM

There seem to be multiple instances of Firefox/IE in the background when I didn't open any.

I did a virus scan (Trend Micro HouseCall) and it was clean.
I scanned with Spybot and it was clean.

I followed the preparation guide
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
but could not run GMER;
an error always popped up.

And now I can't Ctrl-Alt-Del.

Thanks,



DDS (Ver_10-03-17.01) - NTFSx86
Run by ~ at 5:18:29.43 on Wed 08/04/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1262 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
P:\ZoneAlarm\zlclient.exe
P:\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\~\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uWindow Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
uInternet Settings,ProxyServer = proxy:8080
uInternet Settings,ProxyOverride = *.local;
mWinlogon: Userinit=c:\windows\system32\userinit.exe ,c:\windows\system32\userinlt.exe,,c:\program files\microsoft\desktoplayer.exe,c:\docume~1\admini~1\locals~1\temp\housecall\bspatchsrv.exe,c:\docume~1\admini~1\locals~1\temp\svchost.exe,c:\windows\system32\taskmgrsrv.exe,p:\firefox\firefoxsrv.exe,c:\program files\internet explorer\iexploresrv.exe,p:\ccleaner\ccleanersrv.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - p:\spybot\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "p:\zonealarm\zlclient.exe"
mRun: [EvtMgr6] p:\logitech\setpointp\SetPoint.exe /launchGaming
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{cc15a5fc-b6d3-4a2d-8a26-d8f2702a3c00}\IcoUltraMon.ico
IE: E&xport to Microsoft Excel - p:\office~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - p:\office~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - p:\spybot\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269639546544
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pnpshark;pnpshark;c:\windows\system32\drivers\pnpshark.sys [2003-10-2 119552]
R0 st3shark;st3shark;c:\windows\system32\drivers\st3shark.sys [2003-9-27 5504]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-3-26 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-26 353680]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-3-27 20968]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-9-14 10496]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 dxregsvc;DirectX DLL register;c:\windows\system32\dxdllreg.exe -service --> c:\windows\system32\dxdllreg.exe -SERVICE [?]
S3 __FOX__FOXONE_DRIVER__;__FOX__FOXONE_DRIVER__;\??\c:\docume~1\~\locals~1\temp\foxdriver.sys --> c:\docume~1\~\locals~1\temp\FoxDriver.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
S4 iPodSwPrv;iPod Service iPodSwPrv; [x]

=============== Created Last 30 ================

2010-08-04 12:13:11 0 ----a-w- c:\documents and settings\~\defogger_reenable
2010-08-04 11:59:43 0 d--h--r- c:\documents and settings\~\Recent
2010-08-04 03:50:44 44032 ----a-w- c:\windows\system32\taskmgrSrv.exe
2010-08-04 03:09:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-04 02:45:31 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-04 02:01:14 0 d-----w- c:\windows\system32\AGEIA
2010-08-04 02:00:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-08-04 01:57:00 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-08-04 01:57:00 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-08-04 01:56:59 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-08-04 01:56:58 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-08-04 01:56:58 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-08-04 01:56:57 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-08-04 01:56:56 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-08-04 01:56:55 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-08-03 10:17:32 0 d-----w- c:\windows\system32\KB905474
2010-08-03 09:42:37 0 d-----w- c:\program files\riva
2010-08-03 09:31:54 0 d-----w- c:\program files\iva
2010-08-03 07:54:48 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-03 07:54:48 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-08-03 07:52:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-03 07:45:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-03 07:45:58 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-03 07:45:54 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-03 07:42:38 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-03 07:39:51 0 d-----w- c:\windows\system32\PreInstall
2010-08-03 02:41:42 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-02 17:47:05 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-08-02 17:47:05 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-08-02 17:47:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2010-08-02 17:47:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-08-02 17:46:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-02 17:46:49 62424 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-08-02 17:46:49 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-08-02 17:18:03 44032 ----a-w- c:\windows\system32\rundll32Srv.exe
2010-08-02 17:13:00 44032 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-19 15:53:24 200 ----a-w- c:\windows\wininit.ini
2010-07-18 02:12:44 0 d-----w- c:\docume~1\~\applic~1\vlc
2010-07-10 22:14:25 0 d-----w- c:\windows\pss
2010-07-09 17:46:49 24744 ----a-w- c:\docume~1\~\applic~1\GDIPFONTCACHEV1.DAT
2010-07-09 05:08:04 0 d-----w- c:\program files\common files\Autodesk Shared
2010-07-09 03:44:13 0 d-----w- c:\docume~1\~\applic~1\Autodesk
2010-07-08 19:37:42 0 d-----w- c:\program files\common files\Akamai
2010-07-07 17:24:07 0 d-sh--w- c:\windows\system32\lowsec

==================== Find3M ====================

2010-08-04 11:42:31 2406920 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-08-04 11:42:31 178977824 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-01 22:32:29 8 ----a-w- c:\docume~1\~\applic~1\avdrn.dat
2010-05-23 15:53:31 26116 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 06:07:34 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

============= FINISH: 5:19:43.70 ===============






#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 August 2010 - 03:11 PM

Hello saint19,

Sorry for the delay. If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 saint19
  • Topic Starter

  • Members
  • 2 posts

Posted 14 August 2010 - 06:22 PM

No worries teacup61,

I formatted.

I think I had the desktoplayer.exe virus.
It was making duplicate exe files with SRV at the end,
e.g. something.exe duplicated as somethingSRV.exe,
and it was running another copy of my default internet browser (Firefox/iexplore).
It also infected a whole bunch of DLL files....

AVG virus scanner fixed everything though....

So that's the update.
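The behaviour saint19 describes (Srv-suffixed copies of system binaries, extra browser processes) and the Winlogon Userinit chain visible in the DDS log earlier in the thread are the kind of findings a small triage script can pull out of a DDS-style log. The script below is an added example written for this thread; it is not a BleepingComputer tool and not part of any post. Its sample lines are constructed to mirror the shapes of the posted log, the `KNOWN_NAMES` list is an assumption used only for look-alike matching, and the single expected Userinit entry is the Windows XP default.

```python
import re
from collections import Counter

# Constructed sample lines that mirror the shapes seen in the DDS log posted above:
# one Winlogon Userinit line and a few "Created Last 30" file entries.
SAMPLE_LOG = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe ,c:\\windows\\system32\\userinlt.exe,,c:\\program files\\microsoft\\desktoplayer.exe,c:\\windows\\system32\\taskmgrsrv.exe,p:\\firefox\\firefoxsrv.exe
2010-08-04 03:50:44 44032 ----a-w- c:\\windows\\system32\\taskmgrSrv.exe
2010-08-04 02:45:31 157712 ----a-w- c:\\windows\\system32\\drivers\\tmcomm.sys
2010-08-02 17:18:03 44032 ----a-w- c:\\windows\\system32\\rundll32Srv.exe
2010-08-02 17:13:00 44032 ----a-w- c:\\windows\\ExplorerSrv.exe
"""

# On a clean Windows XP install the Userinit value holds only this entry.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Hypothetical short list of system binaries whose names malware tends to imitate.
KNOWN_NAMES = {"userinit.exe", "explorer.exe", "taskmgr.exe", "rundll32.exe", "svchost.exe"}

# "<date> <time> <size> <attrs> <path>" as printed in the Created Last 30 / Find3M sections.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_userinit(line):
    """Split a 'mWinlogon: Userinit=...' line into its non-empty, comma-separated entries."""
    m = re.search(r"userinit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def extra_userinit_entries(line):
    """Every Userinit entry beyond the single expected userinit.exe: each one is
    launched at logon, so anything here deserves a look."""
    return [e for e in parse_userinit(line) if e.lower() != EXPECTED_USERINIT]


def edit_distance(a, b):
    """Levenshtein distance; one substitution turns userinit.exe into userinlt.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(paths):
    """(path, imitated_name) for file names exactly one edit away from a known binary."""
    hits = []
    for p in paths:
        n = basename(p)
        for k in sorted(KNOWN_NAMES):
            if n != k and edit_distance(n, k) == 1:
                hits.append((p, k))
    return hits


def srv_clones(lines):
    """(path, size) of created files named <something>Srv.exe, in log order."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m and basename(m.group(4)).endswith("srv.exe"):
            out.append((m.group(4), int(m.group(2))))
    return out


def analyse_dds(log_text):
    """Run the three checks over a DDS-style log and return the findings."""
    lines = log_text.splitlines()
    extras = [e for l in lines if l.lower().startswith("mwinlogon: userinit=")
              for e in extra_userinit_entries(l)]
    clones = srv_clones(lines)
    sizes = Counter(size for _, size in clones)
    return {
        "userinit_extras": extras,
        "lookalikes": lookalikes(extras),
        "srv_clones": clones,
        # Several fresh binaries of identical size point at one dropped payload.
        "repeated_clone_sizes": sorted(s for s, n in sizes.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in analyse_dds(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the script reports four Userinit entries beyond the default, one of them (`userinlt.exe`) a single-character look-alike of `userinit.exe`, three freshly created `*Srv.exe` files, and the fact that all three share the same 44032-byte size. Each of those is a reason to treat the machine as compromised rather than trust a clean result from the scanners that were already run on it, which matches how the thread ended.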

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 August 2010 - 06:36 PM

Hi there,

Thank you so much for letting me know. I'm sorry you had to reformat. I know it's a pain.

Take care,
tea



