Kinda Weird...



#1 jlo666

Posted 25 November 2005 - 10:32 AM

I have been having trouble with my computer lately... I normally am capable of keeping my XP Pro machine free of spyware except for tracking cookies. I use Ad-Aware, Search and Destroy, Spyware Doctor, RootkitRevealer and the ZoneAlarm Pro package to keep my install of XP Pro clean.

About a week ago I opened up Task Manager to kill an unresponsive prog and found, to my surprise, that there were two explorer.exe processes running... this immediately set off alarm bells and I attempted to investigate further... fired up Mark Russinovich's Process Explorer and attempted to investigate... only to find out that I no longer had the process running. I immediately unplugged from the net and ran full spyware and virus scans, found nothing. Ran HijackThis... everything looked fine. Ran RootkitRevealer after shutting everything down (processes/programs) in startup that was non-Microsoft using msconfig and rebooting. Got the following... mind you, I usually get absolutely nothing when running RootkitRevealer. Googled the results... all of the entries seem benign, but why would they be hidden from the Windows API?

Also my computer has been slowing down immensely and freezing/hanging at least once a night... no blue screen yet but I feel it is coming soon. Also, I attempted to uninstall .NET Framework the other night to no avail... it froze at about a third of the way through and will not get past that point. It still lists as installed and will not uninstall... just another of the myriad of problems that have been cropping up since this happened. Here are my HijackThis, RootkitRevealer, process list, PsInfo, and startup list logs... any help would be appreciated. Thanks...


Logfile of HijackThis v1.99.1
Scan saved at 3:32:59 AM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
D:\Downloads\New Software\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.gotfuturama.com
O15 - Trusted Zone: http://www.musicvideocodes.com
O15 - Trusted Zone: http://www.nowthatsbleepedup.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126839084993
O20 - AppInit_DLLs: interceptor.dll,c:\progra~1\google\google~2\goec62~1.dll
O23 - Service: QBR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jac\LOCALS~1\Temp\QBR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YCFWIX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jac\LOCALS~1\Temp\YCFWIX.exe



PsList 1.26 - Process Information Lister
Copyright © 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for -:

Name        Pid Pri Thd  Hnd  Priv     CPU Time Elapsed Time
Idle          0   0   1    0     0  0:21:25.848  0:00:00.000
System        4   8  52  304     0  0:00:11.646  0:00:00.000
smss        616  11   3   19   164  0:00:00.610  0:26:00.874
csrss       688  13  10  445  1860  0:00:41.960  0:25:56.638
winlogon    760  13  23  518  6668  0:00:03.034  0:25:55.927
services    812   9  18  333  2316  0:00:03.845  0:25:54.435
lsass       824   9  23  368  8664  0:00:02.773  0:25:54.375
svchost     992   8   7  127  1624  0:00:00.330  0:25:53.293
svchost    1144   8  15  310  6828  0:00:00.901  0:25:51.961
svchost    1260   8  50 1234 15692  0:00:06.339  0:25:50.549
svchost    1308   8   6   66  1432  0:00:00.470  0:25:48.887
svchost    1352   8   6   88  1472  0:00:00.230  0:25:48.456
spoolsv    1488   8  12  129  3448  0:00:00.560  0:25:47.545
netdde     1576   8  11   79  1300  0:00:00.180  0:25:46.824
alg        1628   8  10  138  6128  0:00:00.480  0:25:46.503
dllhost    1656   8  15  191  2520  0:00:00.620  0:25:46.243
inetinfo   1716   8  12  308  6692  0:00:00.871  0:25:45.842
msdtc      1772   8  14  157  2104  0:00:00.430  0:25:45.342
tcpsvcs    1904   8   7  126  6168  0:00:00.340  0:25:42.508
snmp       1960   8  10  224  6436  0:00:00.550  0:25:42.047
snmptrap   2000   8   9   96  5668  0:00:00.370  0:25:41.666
wdfmgr      232   8   6   77  1824  0:00:00.130  0:25:40.855
vsmon       312   8  27  392 31300  0:00:22.602  0:25:40.054
explorer   2148   8  14  375 12996  0:00:11.726  0:25:00.127
explorer   2416  13  10  290  9060  0:00:18.927  0:23:42.164
hh         3296   8   6  210  4644  0:00:02.052  0:09:56.728
cmd        3880   8   3   43  4272  0:00:00.190  0:00:06.499
pslist     3896  13   4  111  1092  0:00:00.230  0:00:00.901




PsInfo v1.71 - Local and remote system information viewer
Copyright © 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\-:
Uptime: 0 days 0 hours 28 minutes 10 seconds
Kernel version: Microsoft Windows XP, Uniprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 2
Kernel build number: 2600
Registered organization: -
Registered owner: _
Install date: 9/15/2005, 5:40:02 PM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 1.3 GHz
Processor type: mobile AMD Athlon™ XP-M 1600+
Physical memory: 224 MB
Video driver: S3 Graphics ProSavageDDR

RootkitRevealer
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 11/24/2005 3:08 AM 1.62 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 11/24/2005 3:08 AM 575 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 11/24/2005 3:08 AM 574 bytes Hidden from Windows API.
C:\Documents and Settings\Jac\Local Settings\Temp\NNCLXA638.EXE 3/10/2005 3:30 AM 260.00 KB Hidden from Windows API.
C:\WINDOWS\system32\avisynthEx.dll 5/4/2002 6:19 AM 48.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drvc.dll 11/24/2004 10:25 AM 328.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ff_mpeg2enc.dll 10/3/2004 8:50 AM 126.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ff_theora.dll 10/11/2004 9:39 PM 108.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ff_wmv9.dll 10/11/2004 9:39 PM 27.50 KB Hidden from Windows API.
C:\WINDOWS\system32\ff_x264.dll 10/8/2004 9:40 PM 443.50 KB Hidden from Windows API.
C:\WINDOWS\system32\MPEG2DEC.dll 6/22/2001 4:06 AM 164.00 KB Hidden from Windows API.
C:\WINDOWS\system32\UnAudioNT.dll 12/16/2002 9:19 AM 32.00 KB Hidden from Windows API.
C:\WINDOWS\system32\vusetup.dll 12/18/2002 10:57 AM 44.00 KB Hidden from Windows API.


StartupList report, 11/24/2005, 3:33:46 AM
StartupList version: 1.52
Started from : D:\Downloads\New Software\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
D:\Downloads\New Software\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=interceptor.dll,c:\progra~1\google\google~2\goec62~1.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll - {0A87E45F-537A-40B4-B812-E2544C21A09F}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1126839084993

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\imslsp.dll
Protocol #2: C:\WINDOWS\system32\imslsp.dll
Protocol #3: C:\WINDOWS\system32\imslsp.dll
Protocol #4: C:\WINDOWS\system32\imslsp.dll
Protocol #5: C:\WINDOWS\system32\imslsp.dll
Protocol #6: C:\WINDOWS\system32\imslsp.dll
Protocol #7: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #8: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #9: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #15: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #16: C:\WINDOWS\system32\imslsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 5,491 bytes
Report generated in 0.211 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2 Grinler (Lawrence Abrams, Admin)

Posted 01 December 2005 - 02:31 PM

I am sorry for the delay. If you are still having trouble, please follow the instructions here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

and then post a brand new hjt log as a reply to this topic.

#3 jlo666 (Topic Starter)

Posted 02 December 2005 - 04:28 AM

I already did follow these instructions... the logs I posted are from scans taken after the aforementioned instructions were followed.

#4 Grinler (Lawrence Abrams, Admin)

Posted 02 December 2005 - 10:53 AM

OK, but since it's been a couple of days I still want a new HJT log.



