Pnolya.exe and copies of Start-ups in msconfig


This topic is locked
7 replies to this topic

#1 Taidel

Taidel

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 14 April 2011 - 04:37 PM

Alright, I've been fixing all sorts of crashes, viruses, etc. on Windows computers. But this is one of the weirdest, and actually somewhat benign. There are multiple copies of start-up applications in the Msconfig menu, all coming from C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp. Most of them are what I normally see in the Ctrl+Alt+Delete Process tab, such as spoolsv, wininst, services... there are multiple copies of them all though, running out of a weird directory. Along with the normal ones are Pl2, cie32c0, avp32, ogokuyepeb, arg2mos, b2ptfa89, hexdump, iexplarer, and the weirdest one of all, Pnolya.exe, which runs out of C:\WINDOWS\Pnolya.exe. Google has no clue what Pnolya.exe is.

It's slowing the system down considerably. It's made my Google search links redirect me to ad sites. It's plain annoying, and odd that there's nothing on the net about Pnolya. The following is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:50 PM, on 4/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\mdm.exe
C:\WINDOWS\setup.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\services.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\Pnolya.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: C:\WINDOWS\system32\gv5fjjvlu1.dll - {B9B220C2-A500-99BD-F120-04B53A2C8952} - C:\WINDOWS\system32\gv5fjjvlu1.dll
O4 - HKLM\..\Run: [Windows Media Player ACM] C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Microsoft\Windows Media\12.0\wmpacm.exe
O4 - HKLM\..\Run: [Windows Media Player ACM] C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Application Data\Microsoft\Windows Media\12.0\wmpacm.exe
O4 - HKLM\..\Run: [HNUOQKOXRpuc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [HNUOQKOXRsre] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\wininst.exe
O4 - HKLM\..\Run: [HNUOQKOXRrvc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\setup.exe
O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [HNUOQKOXRpZ] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\mdm.exe
O4 - HKLM\..\Run: [HNUOQKOXRruf] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\spoolsv.exe
O4 - HKLM\..\Run: [HNUOQKOXRrta] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Run: [HNUOQKOXRmSc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\avp32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Irurihep] rundll32.exe "C:\WINDOWS\ogokuyepeb.dll",Startup
O4 - HKCU\..\Run: [HNUOQKOXRpuc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [HNUOQKOXRsre] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\wininst.exe
O4 - HKCU\..\Run: [HNUOQKOXRrvc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUOQKOXRpZ] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\mdm.exe
O4 - HKCU\..\Run: [HNUOQKOXRruf] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [HNUOQKOXRrta] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [HNUOQKOXRmSc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\avp32.exe
O4 - HKCU\..\Run: [Rrexozecec] rundll32.exe "C:\WINDOWS\cie32co.dll",Startup
O4 - HKCU\..\RunOnce: [iNn28610jDaBc28610] C:\Documents and Settings\All Users\Application Data\iNn28610jDaBc28610\iNn28610jDaBc28610.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: labtech.mediamastertech.com (HKLM)
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - file:///E:/Scripts/LTOCX14N.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_intel_4.1.66.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: yshbef87w3hubdjnjksdf - {B9B220C2-A500-99BD-F120-04B53A2C8952} - C:\WINDOWS\system32\gv5fjjvlu1.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Memory Checker (MemChecker) - MediaChance - C:\WINDOWS\mc0013D.exe

--
End of file - 7372 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal



#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:06 PM

Posted 15 April 2011 - 12:25 AM

Welcome to BC!

Please follow the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help above this topic and post the required logs in a reply.

Edited by heir, 15 April 2011 - 12:26 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate link.


#3 Taidel

Taidel
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 15 April 2011 - 08:51 AM

My apologies for not following the guidelines. I should have read the pinned topics and placed my thread in the right place...

Anyhow, I have my DDS and Attach logs, but GMER will not run for me. I'm using 32-bit Windows XP, not sure why it won't run. I don't get any messages, just the Windows security warning, to which I click "Run", then... nothing happens. I'm pretty sure I don't see it running in the process tab or anything. But here are the DDS and Attach logs anyhow:

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by HP_Administrator at 8:34:19.26 on Fri 04/15/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3191.2131 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Application Data\cleanhdd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\Pl2.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Pnolya.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\avp.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\iexplarer.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\sysmgm.exe
C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\login.exe
C:\Documents and Settings\HP_Administrator.YOUR-B27FB1C401\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
BHO: c:\windows\system32\gv5fjjvlu1.dll: {b9b220c2-a500-99bd-f120-04b53a2c8952} - c:\windows\system32\gv5fjjvlu1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [HNUOQKOXRpuc] c:\docume~1\hp_adm~1.you\locals~1\temp\lsass.exe
uRun: [HNUOQKOXRsre] c:\docume~1\hp_adm~1.you\locals~1\temp\wininst.exe
uRun: [HNUOQKOXRrvc] c:\docume~1\hp_adm~1.you\locals~1\temp\setup.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [HNUOQKOXRpZ] c:\docume~1\hp_adm~1.you\locals~1\temp\mdm.exe
uRun: [HNUOQKOXRruf] c:\docume~1\hp_adm~1.you\locals~1\temp\spoolsv.exe
uRun: [HNUOQKOXRrta] c:\docume~1\hp_adm~1.you\locals~1\temp\services.exe
uRun: [HNUOQKOXRmSc] c:\docume~1\hp_adm~1.you\locals~1\temp\avp32.exe
uRun: [Rrexozecec] rundll32.exe "c:\windows\cie32co.dll",Startup
uRun: [0ESKOMO9JO] c:\docume~1\hp_adm~1.you\locals~1\temp\Pl2.exe
uRun: [HNUOQKOXRota] c:\docume~1\hp_adm~1.you\locals~1\temp\install.exe
uRun: [HNUOQKOXRpw+] c:\docume~1\hp_adm~1.you\locals~1\temp\nvsvc32.exe
uRun: [HNUOQKOXRspe] c:\docume~1\hp_adm~1.you\locals~1\temp\winamp.exe
uRun: [HNUOQKOXRrxe] c:\docume~1\hp_adm~1.you\locals~1\temp\system.exe
uRun: [HNUOQKOXRnsc] c:\docume~1\hp_adm~1.you\locals~1\temp\drweb.exe
uRun: [HNUOQKOXRprc] c:\docume~1\hp_adm~1.you\locals~1\temp\login.exe
uRun: [HNUOQKOXRsPc] c:\docume~1\hp_adm~1.you\locals~1\temp\win16.exe
uRun: [MKaZ] c:\windows\cmd.exe
uRun: [HNUOQKOXRrrb] c:\docume~1\hp_adm~1.you\locals~1\temp\taskmgr.exe
uRun: [MKcuc] c:\windows\lsass.exe
uRun: [MKZe] c:\windows\avp.exe
uRun: [MKee] c:\windows\user.exe
uRun: [HNUOQKOXRrg] c:\docume~1\hp_adm~1.you\locals~1\temp\smss.exe
uRun: [HNUOQKOXRsa] c:\docume~1\hp_adm~1.you\locals~1\temp\win.exe
uRun: [HNUOQKOXRotc] c:\docume~1\hp_adm~1.you\locals~1\temp\hexdump.exe
uRun: [HNUOQKOXRptc] c:\docume~1\hp_adm~1.you\locals~1\temp\msmgm.exe
uRun: [HNUOQKOXRnyc] c:\docume~1\hp_adm~1.you\locals~1\temp\csrss.exe
uRun: [HNUOQKOXRrtc] c:\docume~1\hp_adm~1.you\locals~1\temp\sysedit.exe
uRun: [HNUOQKOXRouqc] c:\docume~1\hp_adm~1.you\locals~1\temp\iexplarer.exe
uRun: [HNUOQKOXRnoc] c:\docume~1\hp_adm~1.you\locals~1\temp\debug.exe
uRun: [HNUOQKOXRnZ] c:\docume~1\hp_adm~1.you\locals~1\temp\cmd.exe
uRun: [MKasc] c:\windows\drweb.exe
uRun: [MKewe] c:\windows\sysmgm.exe
uRun: [MKbta] c:\windows\install.exe
uRun: [HNUOQKOXRme] c:\docume~1\hp_adm~1.you\locals~1\temp\avp.exe
uRun: [HNUOQKOXRrwe] c:\docume~1\hp_adm~1.you\locals~1\temp\sysmgm.exe
uRun: [HNUOQKOXRssc] c:\docume~1\hp_adm~1.you\locals~1\temp\winlogon.exe
uRun: [HNUOQKOXRre] c:\docume~1\hp_adm~1.you\locals~1\temp\user.exe
uRun: [HNUOQKOXRrse] c:\docume~1\hp_adm~1.you\locals~1\temp\svchost.exe
uRun: [MKeta] c:\windows\services.exe
uRun: [MKfa] c:\windows\win.exe
uRun: [MKetc] c:\windows\sysedit.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [HNUOQKOXRoMc] c:\docume~1\hp_adm~1.you\locals~1\temp\gdi32.exe
uRun: [MKbuqc] c:\windows\iexplarer.exe
uRun: [MKfsc] c:\windows\winlogon.exe
uRun: [MKZSc] c:\windows\avp32.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [MKfPc] c:\windows\win16.exe
uRunOnce: [iNn28610jDaBc28610] c:\documents and settings\all users\application data\inn28610jdabc28610\iNn28610jDaBc28610.exe
mRun: [Windows Media Player ACM] c:\documents and settings\hp_administrator.your-b27fb1c401\application data\microsoft\windows media\12.0\wmpacm.exe
mRun: [Windows Media Player ACM] c:\documents and settings\hp_administrator.your-b27fb1c401\application data\microsoft\windows media\12.0\wmpacm.exe
mRun: [HNUOQKOXRpuc] c:\docume~1\hp_adm~1.you\locals~1\temp\lsass.exe
mRun: [HNUOQKOXRsre] c:\docume~1\hp_adm~1.you\locals~1\temp\wininst.exe
mRun: [HNUOQKOXRrvc] c:\docume~1\hp_adm~1.you\locals~1\temp\setup.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [HNUOQKOXRpZ] c:\docume~1\hp_adm~1.you\locals~1\temp\mdm.exe
mRun: [HNUOQKOXRruf] c:\docume~1\hp_adm~1.you\locals~1\temp\spoolsv.exe
mRun: [HNUOQKOXRrta] c:\docume~1\hp_adm~1.you\locals~1\temp\services.exe
mRun: [HNUOQKOXRmSc] c:\docume~1\hp_adm~1.you\locals~1\temp\avp32.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Irurihep] rundll32.exe "c:\windows\ogokuyepeb.dll",Startup
mRun: [HNUOQKOXRota] c:\docume~1\hp_adm~1.you\locals~1\temp\install.exe
mRun: [HNUOQKOXRpw+] c:\docume~1\hp_adm~1.you\locals~1\temp\nvsvc32.exe
mRun: [HNUOQKOXRspe] c:\docume~1\hp_adm~1.you\locals~1\temp\winamp.exe
mRun: [HNUOQKOXRrxe] c:\docume~1\hp_adm~1.you\locals~1\temp\system.exe
mRun: [HNUOQKOXRnsc] c:\docume~1\hp_adm~1.you\locals~1\temp\drweb.exe
mRun: [HNUOQKOXRprc] c:\docume~1\hp_adm~1.you\locals~1\temp\login.exe
mRun: [HNUOQKOXRsPc] c:\docume~1\hp_adm~1.you\locals~1\temp\win16.exe
mRun: [MKaZ] c:\windows\cmd.exe
mRun: [HNUOQKOXRrrb] c:\docume~1\hp_adm~1.you\locals~1\temp\taskmgr.exe
mRun: [MKcuc] c:\windows\lsass.exe
mRun: [MKZe] c:\windows\avp.exe
mRun: [MKee] c:\windows\user.exe
mRun: [HNUOQKOXRrg] c:\docume~1\hp_adm~1.you\locals~1\temp\smss.exe
mRun: [HNUOQKOXRsa] c:\docume~1\hp_adm~1.you\locals~1\temp\win.exe
mRun: [HNUOQKOXRotc] c:\docume~1\hp_adm~1.you\locals~1\temp\hexdump.exe
mRun: [HNUOQKOXRptc] c:\docume~1\hp_adm~1.you\locals~1\temp\msmgm.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HNUOQKOXRnyc] c:\docume~1\hp_adm~1.you\locals~1\temp\csrss.exe
mRun: [HNUOQKOXRrtc] c:\docume~1\hp_adm~1.you\locals~1\temp\sysedit.exe
mRun: [HNUOQKOXRouqc] c:\docume~1\hp_adm~1.you\locals~1\temp\iexplarer.exe
mRun: [HNUOQKOXRnoc] c:\docume~1\hp_adm~1.you\locals~1\temp\debug.exe
mRun: [HNUOQKOXRnZ] c:\docume~1\hp_adm~1.you\locals~1\temp\cmd.exe
mRun: [MKasc] c:\windows\drweb.exe
mRun: [MKewe] c:\windows\sysmgm.exe
mRun: [MKbta] c:\windows\install.exe
mRun: [HNUOQKOXRme] c:\docume~1\hp_adm~1.you\locals~1\temp\avp.exe
mRun: [HNUOQKOXRrwe] c:\docume~1\hp_adm~1.you\locals~1\temp\sysmgm.exe
mRun: [HNUOQKOXRssc] c:\docume~1\hp_adm~1.you\locals~1\temp\winlogon.exe
mRun: [HNUOQKOXRre] c:\docume~1\hp_adm~1.you\locals~1\temp\user.exe
mRun: [HNUOQKOXRrse] c:\docume~1\hp_adm~1.you\locals~1\temp\svchost.exe
mRun: [MKeta] c:\windows\services.exe
mRun: [MKfa] c:\windows\win.exe
mRun: [MKetc] c:\windows\sysedit.exe
mRun: [MKfre] c:\windows\wininst.exe
mRun: [HNUOQKOXRoMc] c:\docume~1\hp_adm~1.you\locals~1\temp\gdi32.exe
mRun: [MKbuqc] c:\windows\iexplarer.exe
mRun: [MKfsc] c:\windows\winlogon.exe
mRun: [MKZSc] c:\windows\avp32.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [MKfPc] c:\windows\win16.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: mediamastertech.com\labtech
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/Scripts/LTOCX14N.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://d1ylr6sba64qi3.cloudfront.net/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: igfxcui - igfxdev.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
Notify: LMIinit - LMIinit.dll
STS: c:\windows\system32\gv5fjjvlu1.dll: {b9b220c2-a500-99bd-f120-04b53a2c8952} - c:\windows\system32\gv5fjjvlu1.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hp_adm~1.you\applic~1\mozilla\firefox\profiles\aj4wjbxg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160023AS rev.3.43 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B05F439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0657d0]; MOV EAX, [0x8b06584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B092AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B09B698]
\Driver\atapi[0x8B0EEC78] -> IRP_MJ_CREATE -> 0x8B05F439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskST3160023AS_____________________________3.43____#5&e39fbfb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B05F27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:35:53.21 ===============






Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/15/2010 3:47:04 PM
System Uptime: 4/14/2011 4:02:48 PM (16 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | Goldfish3
Processor: Intel® Pentium® 4 CPU 3.06GHz | CPU 1 | 3064/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 15.541 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.915 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\699A4611D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\699A4611D800
Service: NIC1394
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
==== Event Viewer Messages From Past Week ========
.
.
==== End Of File ===========================
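
The HijackThis log in the first post (O4 lines) and the DDS log above (uRun/mRun lines) list the same autorun entries in two formats, and what makes them stand out is not the names (they copy lsass, svchost, spoolsv and so on) but where they run from. The following is an added example, not code from the thread, from HijackThis or from DDS: a small Python parser that reads both formats, pulls the executable or DLL path out of each command line, and flags an entry when it runs from a Temp directory or when a core Windows process name lives anywhere but system32. Both checks, the list of core process names and the sample lines (copied from the two logs above) are assumptions made for this example; it also reports targets registered more than once (HKLM and HKCU), which is the "multiple copies" the original poster noticed.

```python
import re
from collections import defaultdict

# Autorun lines as HijackThis (O4) and DDS (uRun/mRun/uRunOnce) print them.
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DDS_RUN = re.compile(
    r"^(?P<hive>[um])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# First executable/DLL path in a command line: quoted or bare, up to its extension.
# A leading rundll32 is skipped so that the DLL it loads is what gets checked.
TARGET = re.compile(
    r'^(?:rundll32(?:\.exe)?\s+)?"?(?P<path>[^"]+?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)

# Core Windows process names whose only legitimate home on XP is %SystemRoot%\system32
# (assumed list for this example).
SYSTEM32_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                      "svchost.exe", "spoolsv.exe", "taskmgr.exe", "cmd.exe", "ctfmon.exe"}
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_autorun(line):
    """Return (hive, key, name, target_path) for an autorun log line, else None."""
    m = HJT_O4.match(line) or DDS_RUN.match(line)
    if not m:
        return None
    t = TARGET.match(m.group("cmd"))
    target = t.group("path") if t else m.group("cmd")
    hive = {"u": "HKCU", "m": "HKLM"}.get(m.group("hive"), m.group("hive"))
    return hive, m.group("key"), m.group("name"), target


def suspicious_reasons(path):
    """Heuristics: runs from Temp, or a core process name outside system32."""
    p = path.lower()
    directory, _, base = p.rpartition("\\")
    reasons = []
    if TEMP_DIR.search(p):
        reasons.append("runs from a Temp directory")
    if base in SYSTEM32_PROCESSES and directory != r"c:\windows\system32":
        reasons.append(f"{base} outside system32")
    return reasons


def analyze(lines):
    """Flag suspicious autorun entries and targets registered under more than one key."""
    findings = []
    by_target = defaultdict(set)
    for line in lines:
        parsed = parse_autorun(line.strip())
        if not parsed:
            continue
        hive, key, name, target = parsed
        by_target[target.lower()].add((hive, key, name))
        reasons = suspicious_reasons(target)
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "target": target, "reasons": reasons})
    duplicates = {t: sorted(e) for t, e in by_target.items() if len(e) > 1}
    return {"findings": findings, "duplicates": duplicates}


# Sample input for this example: lines copied from the HijackThis and DDS logs in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HNUOQKOXRpuc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [HNUOQKOXRpuc] C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Irurihep] rundll32.exe "C:\WINDOWS\ogokuyepeb.dll",Startup
uRun: [MKcuc] c:\windows\lsass.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HNUOQKOXRrse] c:\docume~1\hp_adm~1.you\locals~1\temp\svchost.exe
uRunOnce: [iNn28610jDaBc28610] c:\documents and settings\all users\application data\inn28610jdabc28610\iNn28610jDaBc28610.exe
""".strip().splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print(f"{f['hive']}\\{f['key']} [{f['name']}] {f['target']}: {', '.join(f['reasons'])}")
    for target, entries in report["duplicates"].items():
        print(f"registered {len(entries)}x: {target}")
```

Entries the two heuristics do not catch (the rundll32-loaded DLL in C:\WINDOWS, the randomly named RunOnce item) still need a human eye; the parser's job is to turn a 50-line Run list into the handful of paths worth checking first. Feeding it the whole DDS section instead of the sample shows every Temp entry appearing under both uRun and mRun.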

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:06 PM

Posted 15 April 2011 - 08:56 AM

That's OK, as your topic was moved by a moderator.

You've caught a RootKit:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Please also run DDS and Attach both logs in your reply.



#5 Taidel

Taidel
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 18 April 2011 - 02:36 PM

The computer that is infected no longer has internet. And .exe's are unfamiliar file formats; it asks what program I'd like to use to open them, making it impossible to run ComboFix... I did get ComboFix onto the comp via a flash drive (which I assume is now infected and will not use on another comp), but yeah, I double-click on it and it asks what program I'd like to use to run it.

#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:06 PM

Posted 18 April 2011 - 02:50 PM

removed

Edited by heir, 18 April 2011 - 02:51 PM.



#7 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:06 PM

Posted 18 April 2011 - 02:52 PM

Disregard my last post.

Rename ComboFix.exe to ComboFix.com and try again.

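
The symptom in post #5 (Windows asking which program should open an .exe) and the .com rename in post #7 both point at the same thing: the "open" verb for the exefile class has been changed or removed, while comfile is still intact. The following is an added example, not code from the thread or from the helper's instructions: a Python check that compares the shell\open\command default value of a file class with the value Windows ships, so a responder can confirm the association is what was tampered with before trusting any renamed tool. The expected value `"%1" %*` is the stock data for both classes; the live read uses the standard-library winreg module and is skipped off Windows, and the hijacked sample value in the test is a constructed placeholder.

```python
import sys

# Default-value data Windows ships for the "open" verb of these file classes.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
}


def normalize_command(value):
    """Registry data may carry a trailing NUL and irregular whitespace; strip both."""
    return " ".join(value.replace("\x00", "").split())


def check_open_command(file_class, value):
    """Return (ok, detail) for the shell\\open\\command default value of a file class.

    An empty value stands for a missing key, which is what a user sees as
    'what program do you want to use to open this file'.
    """
    expected = EXPECTED_OPEN_COMMANDS[file_class]
    actual = normalize_command(value or "")
    if actual == expected:
        return True, f"{file_class}: open command is the Windows default"
    if not actual:
        return False, f"{file_class}: open command is missing, expected {expected!r}"
    return False, f"{file_class}: open command is {actual!r}, expected {expected!r}"


def read_live_open_command(file_class):
    """Read the current value from HKCR on a Windows host; None on other platforms,
    '' when the key does not exist."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            rf"{file_class}\shell\open\command") as key:
            value, _ = winreg.QueryValueEx(key, "")
    except OSError:
        return ""
    return value


def audit_all():
    """Check every class in EXPECTED_OPEN_COMMANDS; returns {class: (ok, detail)}."""
    results = {}
    for cls in EXPECTED_OPEN_COMMANDS:
        live = read_live_open_command(cls)
        if live is None:
            results[cls] = (None, f"{cls}: not running on Windows, nothing read")
        else:
            results[cls] = check_open_command(cls, live)
    return results


if __name__ == "__main__":
    for _, (_, detail) in audit_all().items():
        print(detail)
```

A value that launches some other executable before `"%1" %*` means every program the user starts is wrapped by that binary, which is why the rename trick works (comfile is untouched) and why the association must be restored, not just worked around, once the system is clean.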


#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:06 PM

Posted 23 April 2011 - 02:05 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





