
Possible malware or other electronic critter


  • This topic is locked
2 replies to this topic

#1 castoffpolite

  • Members
  • 160 posts
  • Gender:Female
  • Location:Somewhere in Nebraska, I think.
  • Local time:09:26 AM

Posted 26 October 2010 - 03:56 PM

Howdy everyone. A detailed description is coming, so get comfortable please.

As a writer, I visit a variety of places to gather information and do research. Some of these places are not the best to visit and I understand that. I have paid for antivirus from Trend and up to this point I have been fine. I am proficient in computers, but there are items that are over my head. Such is my case today and why I am here. I found Bleeping Computer after I ran HijackThis via Trend.

I went through the Preparation guide, and did all that. I think I did everything correctly. If not, please tell me. I did have a lock-up while working with the gmer zip file. I run Professional XP, NTFS, and the unzipper is internal, so I did not get to the "uncheck items" before it did a scan. Once I did get to that page, and unchecked all that needed to be unchecked, I redid the scan and that log follows.

My specific problem began last Friday while I was working doing some research about the Furry culture; Trend jumped up unexpectedly. I stopped my research and backed away and did a scan. Trend found nothing. Since then, Trend has been jumping up on a variety of websites that it did not previously. I checked my settings; all is fine there. Trend found malware yesterday, from a program download that I paid for previously. The program is known far and wide as Evrsoft First Page 2006. That is the program I use to build my websites. This program worked fine before Friday. Sunday night it crashed and would not restart. I ran my antivirus, nothing found. Went to the site, got a fresh download, and once the download finished and I tried to install, that is when I found a malware critter Trend identified as GRAY_Gen.CZ0046. Went to Trend, could find nothing on this critter. This critter is in my Trend Quarantine files. I searched my machine, could not find this critter anywhere. Looked in the file it was reported in by the Trend report, C:\System Volume Information\_restore{63B5F209-732E-4D83-A579-FE6474476174}\RP63\A0011067.exe. I could not find it, and I have my system set to show me all files. Yesterday, Monday, I began getting this popup that said it was from AOL. I use AOL on a bring-your-own-connection setup. When AOL sends out an update, I get the update when I sign on to the service. This popup, however, came up when I was not on AOL. Looked in my AOL folder, could not find anything out of place. Asked AOL if they recently sent out an update. Still waiting to hear back from them.

I do not allow remote assistance on my machine. I have enough trouble with online theft of my work as it is. Do not want something out before it is published. I found that turned on; reset it to off. System Restore I had turned off also a good time back. While checking things, I checked and found my settings changed to allow for System Restore. I reset it to what I wanted, and did a restart. Continuing on with my search of my puter, I also found that my Windows Firewall was turned off; turned it back on. Checked Trend, it is on and fine as far as I can tell. Popup blocker is on but apparently not working. I'm getting popups all over the place.

Folks I've been through my machine as best I can and I do not know what else to do to clean this machine. I do not want to, but if you folks here cannot help me clean this machine, I will do a complete strip and dip, and a complete reinstall. I am hoping we can clean this up. This is a big machine I really do not want to strip and dip.

Thank You,
Castoffpolite
AE. Roud
S. Behr

DDS.txt file


DDS (Ver_10-10-21.02) - NTFSx86
Run by User at 12:44:51.46 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.368 [GMT -6:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\AOL\1279333251\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\aol\1279333251\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HostManager] c:\program files\common files\aol\1279333251\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-9-24 36432]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-9-24 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-9-24 51792]
R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-9-24 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-9-24 689416]

=============== Created Last 30 ================

2010-10-26 17:05:29 -------- d-----w- c:\windows\system32\NtmsData
2010-10-26 04:48:15 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-26 03:30:01 -------- d-----w- C:\Dictionaries
2010-10-24 18:22:38 -------- d-----w- c:\docume~1\user\applic~1\BackToTheBeach
2010-10-24 16:13:19 -------- d-----w- c:\program files\Evrsoft First Page 2006
2010-10-22 22:52:25 -------- d-----w- c:\docume~1\user\applic~1\VirtualStore
2010-10-22 16:23:27 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Help
2010-10-19 18:49:04 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Unzip Wizard
2010-10-13 09:05:18 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 06:31:25 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 06:31:24 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 06:31:07 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-09-28 23:18:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-09-28 23:16:35 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-09-28 23:16:34 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
2010-09-28 23:16:34 117760 ----a-w- c:\windows\system32\hpzll5mu.dll
2010-09-28 23:12:14 -------- d-----w- c:\program files\common files\HP
2010-09-28 23:10:14 -------- d-----w- c:\program files\HP
2010-09-28 23:10:08 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-09-28 23:10:08 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-09-28 23:10:05 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-09-28 23:10:05 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2010-09-24 07:48:05 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-10 11:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 11:15:58 69632 -c--a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 12:45:27.46 ===============

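As an added example (not code from the post, from BleepingComputer, or from the DDS tool), a small parser for the DDS log layout shown above that pulls out the items a malware-response helper looks at first: BHO entries with no backing file, DPF entries that install ActiveX controls from remote .cab URLs, and running processes outside the Windows and Program Files trees. The embedded log is a constructed excerpt in the same format.

```python
import re

# Constructed excerpt in the DDS log layout (section banners, one entry per line).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} - hxxp://www.king.com/ctl/kingcomie.cab

============= FINISH: 12:45:27.46 ===============
"""

# A DDS section banner is a run of '=' characters around the section name.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Process paths under these prefixes are treated as expected; bare service
# names such as "svchost.exe" (how DDS prints protected processes) are too.
TRUSTED_PREFIXES = ("c:\\windows", "c:\\program files")


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty entry lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def review_items(sections):
    """Return (category, entry) pairs worth checking in a cleanup thread."""
    findings = []
    for entry in sections.get("Pseudo HJT Report", []):
        if entry.startswith("BHO:") and entry.endswith("- No File"):
            findings.append(("orphaned BHO", entry))      # CLSID registered, DLL gone
        elif entry.startswith("DPF:") and "hxxp" in entry:
            findings.append(("remote ActiveX cab", entry))  # DDS defangs http as hxxp
    for proc in sections.get("Running Processes", []):
        low = proc.lower()
        if "\\" in low and not low.startswith(TRUSTED_PREFIXES):
            findings.append(("process outside system dirs", proc))
    return findings
```

In the real log above the only process flagged this way is dds.scr, the scanner itself, which is expected; the orphaned BHO and the remote .cab entries are what a helper would ask about next.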

#2 etavares
    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:26 AM

Posted 04 November 2010 - 06:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 etavares
    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:26 AM

Posted 09 November 2010 - 07:38 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.
