j osh

  1. Hi screen317

     The db version I am using is: Database version: 5296

     I am sorry, but I can't get the contents of the BSoD because it would only stay on screen for a split second and then reboot. Also I can't reproduce the bluescreen right now because I think I might have completely removed the infection by now. It kept annoying me and I actually didn't think I'd get another answer here, so I deleted several additional autostart items manually and uninstalled Internet Explorer and replaced it with Firefox. Since my last post, the file rxsyrdub.exe has once reappeared in a normally named subfolder of the autostart part of the start menu. After I removed it there, it did not reappear. Sorry for cleaning up a bit early.

     However, two of the services look suspicious in the DDS log:

     I could also just release some files from quarantine and reinfect my system to see if the folder will reappear.

     DDS (Ver_10-12-12.02) - FAT32x86
     Run by j osh at 23:24:07,85 on 12.12.2010
     Internet Explorer: 6.0.2900.5512
     Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3582.3081 [GMT 1:00]

     ============== Running Processes ===============

     C:\WINDOWS\System32\nvsvc32.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     SVCHOST.EXE
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     SVCHOST.EXE
     SVCHOST.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\RUNDLL32.EXE
     SVCHOST.EXE
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\WINDOWS\System32\svchost.exe -k imgsvc
     C:\Programme\Canon\CAL\CALMAIN.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     D:\Programs\Mozilla Firefox\firefox.exe
     C:\Dokumente und Einstellungen\j osh\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.google.com/
     EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
     mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
     mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
     mRun: [nwiz] c:\programme\nvidia corporation\nview\nwiz.exe /install
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
     DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL

     ================= FIREFOX ===================

     FF - ProfilePath - c:\dokume~1\josh~1\anwend~1\mozilla\firefox\profiles\4ozuoyvy.default\
     FF - plugin: c:\dokumente und einstellungen\j osh\lokale einstellungen\anwendungsdaten\unity\webplayer\loader\npUnity3D32.dll
     FF - plugin: c:\programme\divx\divx plus web player\npdivx32.dll
     FF - plugin: d:\programs\canon\zoombrowser ex\program\NPCIG.dll
     FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\programs\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

     ============= SERVICES / DRIVERS ===============

     S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-11 1684736]
     S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
     S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
     S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
     S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-10-6 23480]

     =============== Created Last 30 ================

     2010-12-12 16:44:30 -------- d--h--w- c:\windows\$hf_mig$
     2010-12-12 16:27:30 -------- d-----w- c:\dokume~1\josh~1\lokale~1\anwend~1\Mozilla
     2010-12-09 19:07:56 -------- d-----w- c:\dokume~1\josh~1\anwend~1\Malwarebytes
     2010-12-09 19:07:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-12-09 19:07:35 -------- d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
     2010-12-09 19:07:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-12-09 15:29:12 -------- d-----w- c:\windows\system32
     2010-12-08 20:49:20 29996 ---h--w- c:\dokume~1\josh~1\anwend~1\ntuser.dat
     2010-12-04 23:03:31 -------- d-----w- c:\windows\system32\cock
     2010-11-27 03:44:13 -------- d-----w- c:\dokume~1\josh~1\anwend~1\Unity
     2010-11-27 03:02:58 -------- d-----w- c:\dokume~1\josh~1\lokale~1\anwend~1\Unity
     2010-11-16 19:20:30 -------- d-----w- c:\dokume~1\josh~1\anwend~1\.minecraft

     ==================== Find3M ====================

     2010-12-09 00:59:26 9728 ---h--w- c:\dokume~1\josh~1\anwend~1\desktop.ini
     2010-12-08 21:14:12 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
     2010-12-08 21:12:40 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
     2010-11-25 18:23:04 22328 ----a-w- c:\dokume~1\josh~1\anwend~1\PnkBstrK.sys
     2010-10-12 00:41:10 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
     2010-10-03 21:47:28 794408 ----a-w- c:\windows\system32\pbsvc.exe
     2010-09-18 11:22:58 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 07:52:56 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 07:52:56 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 07:52:56 953856 ----a-w- c:\windows\system32\mfc40u.dll

     ============= FINISH: 23:24:17,10 ===============
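An added example, not part of j osh's post and not DDS code: a small Python parser for the SERVICES / DRIVERS section of a DDS log, run over the five entries quoted above (copied into a constructed sample string). DDS prints a date and size after each image file it could stat and `[?]` where it could not, so the parser flags those entries, plus any driver image recorded outside %SystemRoot%\system32\drivers. The function names and the two heuristics are my own; a flag is a reason to look at an entry, not a verdict on it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the SERVICES / DRIVERS section in the shape DDS prints it.
# The five entries mirror the ones quoted in the post above, nothing else.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-11 1684736]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-10-6 23480]

=============== Created Last 30 ================
"""

# One DDS service line:
#   <start> <name>;<display>;<image path>[ --> <resolved path>] [<date size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]$"
)

DRIVER_DIR = "\\windows\\system32\\drivers\\"   # where kernel drivers normally live
NT_PREFIX = "\\??\\"                           # NT object-manager prefix DDS leaves on some paths


@dataclass
class ServiceEntry:
    start: str                # start type as DDS prints it (R = running, S = stopped)
    name: str
    display: str
    path: str                 # image path as recorded in the registry
    resolved: Optional[str]   # path DDS resolved it to, if it printed an arrow
    file_found: bool          # False when DDS printed "[?]" instead of a date and size


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract every parsable service/driver line from the SERVICES / DRIVERS section."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("====="):      # the next section header ends ours
            break
        m = SERVICE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(ServiceEntry(
            start=m["start"], name=m["name"], display=m["display"],
            path=m["path"], resolved=m["resolved"],
            file_found=(m["meta"].strip() != "?"),
        ))
    return entries


def flag_services(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a closer look (heuristics, not verdicts)."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if not e.file_found:
            reasons.append("DDS could not find the image file on disk")
        where = (e.resolved or e.path).lower()
        if where.startswith(NT_PREFIX):
            where = where[len(NT_PREFIX):]
        if DRIVER_DIR not in where:
            reasons.append("driver image outside %SystemRoot%\\system32\\drivers")
        if reasons:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_services(parse_services(SAMPLE_DDS)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample, Ambfilt and wip0204 pass, the three entries ending in `[?]` are reported, and SetupNTGLM7X is additionally reported for loading from a drive root rather than the drivers directory.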
  2. Hi

     I recently caught a full dose of "System Tool 2011" on my WinXP PC. While my system is still infected, this thread is not about the infection, but about one detail: After removing several items manually and through the use of HijackThis and the free MBAM software, the trojan seems to have switched to a fallback solution to keep itself installed. While it was using the Hijack.UserInit method earlier to start C:\WINDOWS\system32\appconf32.exe, it now used the same method with a new folder: C:\Programme\pUljGAfA
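An added defender-side check, not part of the post above, for the Winlogon Userinit persistence the post describes: Winlogon runs every comma-separated program listed in the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon at logon, so a hijack of this kind appends a second program or points the entry somewhere else. The sample values are constructed to mirror the post (the appconf32.exe entry is the one it names); the function names are mine, and the optional live read uses Python's standard winreg module, on Windows only.

```python
import sys
from typing import List


def expected_userinit(system_root: str = r"C:\WINDOWS") -> str:
    # The stock value is the single userinit.exe under %SystemRoot%\system32,
    # normally followed by a trailing comma.
    return f"{system_root}\\system32\\userinit.exe".lower()


def unexpected_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every program in a Winlogon\\Userinit value that is not the stock userinit.exe.

    Winlogon launches each comma-separated entry at logon, so an appended program,
    or a userinit.exe living outside %SystemRoot%\\system32, is a persistence hook
    worth investigating. Comparison is on the full path, not the file name.
    """
    expected = expected_userinit(system_root)
    flagged: List[str] = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:                      # the trailing comma yields an empty field; normal
            continue
        normalized = entry.lower().replace("%systemroot%", system_root.lower())
        if normalized != expected:
            flagged.append(entry)
    return flagged


def read_live_userinit() -> str:
    """Read the real value on a Windows host (only called when running there)."""
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values, modelled on the hijack the post describes.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
APPENDED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\appconf32.exe,"
RELOCATED = r"C:\Dokumente und Einstellungen\j osh\userinit.exe,"   # right name, wrong place

if __name__ == "__main__":
    samples = {"clean": CLEAN, "appended": APPENDED, "relocated": RELOCATED}
    if sys.platform == "win32":
        samples["live"] = read_live_userinit()
    for label, value in samples.items():
        print(f"{label}: {unexpected_userinit_entries(value) or 'OK'}")
```

The same check applies to the value as HijackThis or DDS print it; MBAM's Hijack.UserInit detection name refers to exactly this value being altered.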