
Prevx/Chrome.exe.exe


  • This topic is locked
2 replies to this topic

#1 rjhaas17

rjhaas17

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 17 January 2011 - 07:37 PM

Have tried Malwarebytes. Think I fell for a scam installing the Prevx scanner to remove the chrome.exe.exe virus. Not sure what the cause is now. Computer is now very slow, was having major popup problems, and all browsers were configured to use a proxy server with no IP information for said proxy server.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 18:55:59.85 on Mon 01/17/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1257 [GMT -5:00]

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
"C:\WINDOWS\System32\svchost.exe"
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Time Warner Cable\NEOTWC VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.erpcrentals.com
uInternet Settings,ProxyServer = http=127.0.0.1:62667
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281557594484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281557828328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Notify: igfxcui - igfxdev.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.7.33 www.symantec.com
Hosts: 127.0.7.33 symantec.com
Hosts: 127.0.7.33 securityresponse.symantec.com
Hosts: 127.0.7.33 sarc.com
Hosts: 127.0.7.33 www.sarc.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\qhnmllll.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.search.selectedengine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.zstart.com/
FF - prefs.js: keyword.URL - hxxp://www.zstart.com/s/?site=Bing&src=FF-Address&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {9B9E415B-53FE-4D5E-BC14-DC10D1101BDB} - c:\documents and settings\administrator\local settings\application data\{9B9E415B-53FE-4D5E-BC14-DC10D1101BDB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2010-4-6 20104]
R2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2010-8-31 147563]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2010-9-7 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2010-9-7 121856]
R2 itlperf;Intel CPU Perfermons;c:\windows\system32\svchost.exe -k itlsvc [1979-12-31 14336]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-19 91456]
R2 OSILLC;OSI LLC Protocol Driver for Windows 2000;c:\windows\system32\drivers\osillc.sys [2010-9-9 14848]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 BTCOMBUS;Bluetooth Serial Port Bus Service;c:\windows\system32\drivers\btcombus.sys [2010-8-26 22024]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2010-4-6 25864]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [2011-1-9 17232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-17 102448]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2010-4-6 23048]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110116.003\NAVENG.SYS [2011-1-16 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110116.003\NAVEX15.SYS [2011-1-16 1360760]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-8-24 6016]
S3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\drivers\btcomport.sys [2010-8-26 25992]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/15/2010,1.12.0.1;c:\windows\system32\drivers\libusb0.sys [2010-9-27 20992]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-8-24 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-8-24 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-8-24 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-8-24 9472]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-10-11 189792]

=============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2011-01-17 22:21:36 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-01-17 21:29:38 192251 ----a-w- c:\documents and settings\administrator\chrome.exe.exe
2011-01-17 21:11:24 192251 ---ha-w- c:\documents and settings\administrator\5066B.tmp.exe
2011-01-17 21:11:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2011-01-17 21:10:40 141824 --sha-r- c:\windows\system32\kbdpl1F.dll
2011-01-17 21:10:31 539 ----a-w- c:\docume~1\admini~1\applic~1\net.vbs
2011-01-17 21:10:31 1026 ----a-w- c:\docume~1\admini~1\applic~1\net.bat
2011-01-17 21:10:27 331264 ----a-w- c:\windows\system32\phnw.exe
2011-01-17 21:10:27 217 ----a-w- c:\documents and settings\administrator\delme.bat
2011-01-17 21:10:12 192251 ----a-w- c:\docume~1\admini~1\applic~1\chrome.exe.exe
2011-01-17 21:10:04 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-17 21:09:19 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-17 21:09:18 -------- d-----w- c:\program files\Search Toolbar
2011-01-17 21:09:09 763392 ----a-w- c:\windows\system32\drivers\mqkukdi.sys
2011-01-17 21:08:58 211456 ----a-w- c:\windows\system32\itlpfw32.dll
2011-01-17 21:08:57 35328 ----a-w- c:\windows\system32\itlnfw32.dll
2011-01-17 20:59:10 -------- d-----w- c:\windows\pss
2011-01-17 20:07:41 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-01-17 20:07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-17 20:07:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-17 20:07:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-17 20:07:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-17 03:40:45 0 ----a-w- c:\windows\Sfeqe.bin
2011-01-17 03:40:24 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{9B9E415B-53FE-4D5E-BC14-DC10D1101BDB}
2011-01-17 03:34:47 -------- d-----w- c:\program files\IDM Computer Solutions
2011-01-10 22:22:25 -------- d-----w- C:\DB Backup
2011-01-09 18:21:58 851176 ----a-w- c:\windows\system32\WinUsbCoInstaller2.dll
2011-01-09 18:21:58 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-01-09 18:21:45 17232 ----a-w- c:\windows\system32\drivers\easytthr.sys
2011-01-09 18:21:39 -------- d-----w- c:\program files\Mobile Stream
2010-12-27 19:37:47 -------- d-----w- C:\TFTPRoot

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 19:39:05 21648 ----a-w- c:\windows\CTL3DV2.DLL
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160412AS rev.0003LVM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A881555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8877b0]; MOV EAX, [0x8a88782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A832AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000098[0x8A8C8F18]
5 ACPI[0xB9E54620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A834940]
\Driver\atapi[0x8A8D2500] -> IRP_MJ_CREATE -> 0x8A881555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160412AS_____________________________0003LVM1#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A88139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:57:02.79 ===============





Here's the GMER scan result

Merged posts. ~ OB


Edited by Orange Blossom, 17 January 2011 - 08:24 PM.




#2 rjhaas17

rjhaas17
  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 18 January 2011 - 11:58 AM

I got it, thanks anyway.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:09 PM

Posted 18 January 2011 - 04:13 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



