Jump to content

Fflewt

Members
  • Posts

    1
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Managed to partially clean my system. Initially I was unable to run GMER or malwarebytes, well they would launch but within a few seconds of initiating a scan they would be terminated. With the assistance of a linux based boot cd I was able to remove enough of the malware that I could run malwarebytes. Any assistance that is available in removing the remainder of the rootkit would be greatly appreciated. Thanks dds.txt file: . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by getrich at 13:14:51 on 2011-08-23 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -7:00] . AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {7D92BFFF-36E4-4CD0-A710-3A5B88C670B4} AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {30C85E9C-2F8B-4CB8-BAD0-1CEAC49B0FC1} . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe C:\DOCUME~1\getrich\LOCALS~1\Temp\Adobelm_Cleanup.0001 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe C:\DOCUME~1\getrich\LOCALS~1\Temp\Adobelm_Cleanup.0001 . ============== Pseudo HJT Report =============== . uStart Page = about:blank uDefault_Page_URL = hxxp://companyweb mStart Page = about:blank BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll mRun: [nwiz] nwiz.exe /installquiet mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe" mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\docume~1\getrich\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\docume~1\getrich\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks\swscheduler\swBOEngine.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL LSP: mswsock.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://amcsrvr/connectcomputer/nshelp.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.2.220 TCP: Interfaces\{E016B103-3C5B-4E47-ACE5-085F32C33DE8} : DhcpNameServer = 192.168.2.220 Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\getrich\application data\mozilla\firefox\profiles\4hmo7ohd.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://slashdot.org/ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 57273 FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll . ============= SERVICES / DRIVERS =============== . . =============== File Associations =============== . .scr=AutoCADScriptFile . =============== Created Last 30 ================ . 2011-08-23 18:11:42 71880 ----a-w- c:\windows\system32\PxSecure.dll-4112875 2011-08-23 17:51:25 54016 ----a-w- c:\windows\system32\drivers\euve.sys 2011-08-23 17:21:50 -------- d-----w- c:\documents and settings\getrich\application data\SolidWorks 2009 2011-08-23 17:19:09 -------- d-----w- c:\documents and settings\getrich\application data\SolidWorks 2011-08-23 17:14:25 -------- d--h--w- c:\windows\PIF 2011-08-10 11:31:25 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys 2011-08-10 11:30:58 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys 2011-08-05 21:05:08 -------- d-----w- C:\TMP . ==================== Find3M ==================== . 2011-08-23 18:13:24 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2011-08-11 00:28:12 102400 ----a-w- c:\windows\RegBootClean.exe 2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys 2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll 2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec 2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-06-15 15:25:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 13:15:09.86 =============== Sorry, not sure why all the line returns were removed. Here's the dds.txt file again. . DDS (Ver_2011-06-23.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 Run by getrich at 13:14:51 on 2011-08-23 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2387 [GMT -7:00] . AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {7D92BFFF-36E4-4CD0-A710-3A5B88C670B4} AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {30C85E9C-2F8B-4CB8-BAD0-1CEAC49B0FC1} . ============== Running Processes =============== . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe C:\DOCUME~1\getrich\LOCALS~1\Temp\Adobelm_Cleanup.0001 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe C:\DOCUME~1\getrich\LOCALS~1\Temp\Adobelm_Cleanup.0001 . ============== Pseudo HJT Report =============== . uStart Page = about:blank uDefault_Page_URL = hxxp://companyweb mStart Page = about:blank BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll mRun: [nwiz] nwiz.exe /installquiet mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe" mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\docume~1\getrich\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\docume~1\getrich\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks\swscheduler\swBOEngine.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe mPolicies-explorer: NoWelcomeScreen = 1 (0x1) IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL LSP: mswsock.dll DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://amcsrvr/connectcomputer/nshelp.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.2.220 TCP: Interfaces\{E016B103-3C5B-4E47-ACE5-085F32C33DE8} : DhcpNameServer = 192.168.2.220 Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\getrich\application data\mozilla\firefox\profiles\4hmo7ohd.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://slashdot.org/ FF - prefs.js: network.proxy.http - 127.0.0.1 FF - prefs.js: network.proxy.http_port - 57273 FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll . ============= SERVICES / DRIVERS =============== . . =============== File Associations =============== . .scr=AutoCADScriptFile . =============== Created Last 30 ================ . 2011-08-23 18:11:42 71880 ----a-w- c:\windows\system32\PxSecure.dll-4112875 2011-08-23 17:51:25 54016 ----a-w- c:\windows\system32\drivers\euve.sys 2011-08-23 17:21:50 -------- d-----w- c:\documents and settings\getrich\application data\SolidWorks 2009 2011-08-23 17:19:09 -------- d-----w- c:\documents and settings\getrich\application data\SolidWorks 2011-08-23 17:14:25 -------- d--h--w- c:\windows\PIF 2011-08-10 11:31:25 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys 2011-08-10 11:30:58 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys 2011-08-05 21:05:08 -------- d-----w- C:\TMP . ==================== Find3M ==================== . 2011-08-23 18:13:24 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2011-08-11 00:28:12 102400 ----a-w- c:\windows\RegBootClean.exe 2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys 2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll 2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl 2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec 2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll 2011-06-15 15:25:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 13:15:09.86 =============== attach.zip mbam-log-2011-08-23 (10-48-56).txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.