bradster Posted January 14, 2009 ID:47447 Share Posted January 14, 2009 I managed to install Malwarebytes but my infection doesn't allow me to run the program. After a few minutes after booting up I get the BSOD and the computer reboots. TIA for your assistance. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:41:18 PM, on 1/13/2009Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Spare Backup\SpareBackup.exeC:\Program Files\BigFix\bigfix.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\ClamWin\bin\ClamTray.exeC:\Windows\System32\lgbpd.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Users\roque\Program Files\DNA\btdna.exeC:\Users\roque\AppData\Roaming\cogad\cogad.exeC:\Users\roque\AppData\Local\Temp\csrssc.exeC:\Users\roque\AppData\Roaming\Twain\Twain.exeC:\Program Files\Palm\Hotsync.exeC:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Internet Explorer\IEUser.exeC:\Users\roque\AppData\Roaming\svchost.exeC:\Windows\System32\mobsync.exeC:\Windows\system32\Taskmgr.exeC:\Windows\system32\SearchFilterHost.exeK:\HT\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5625ER1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5625ER0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GT5625ER0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: C:\Windows\system32\rakmdlkd83indfgnbu.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\Windows\system32\rakmdlkd83indfgnbu.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silentO4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systrayO4 - HKLM\..\Run: [bigFix] c:\program files\Bigfix\bigfix.exe /atstartupO4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exeO4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsersO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /sO4 - HKLM\..\Run: [*svchostBoot] C:\Users\roque\AppData\Roaming\svchost.exeO4 - HKLM\..\Run: [Managing Services] C:\Windows\system32\spools.exeO4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\Users\roque\AppData\Local\Temp\winloggn.exeO4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logonO4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exeO4 - HKCU\..\Run: [LGBLiveUpdate] C:\Windows\system32\lgbpd.exeO4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - HKCU\..\Run: [AlarmWiz] C:\Program Files\AlarmWiz\alarmwiz.exe startupO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Users\roque\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [Java Runtime Update] C:\Users\roque\AppData\Local\Temp\file2.exeO4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\Users\roque\AppData\Local\Temp\winloggn.exeO4 - HKCU\..\Run: [cogad] "C:\Users\roque\AppData\Roaming\cogad\cogad.exe" 61A847B5BBF72813329D31466188719AB689201522886B092CBD44BD8689220221DD3257O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\Users\roque\AppData\Local\Temp\csrssc.exeO4 - HKCU\..\Run: [Twain] C:\Users\roque\AppData\Roaming\Twain\Twain.exeO4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\roque\AppData\Local\Temp\kHaywXNE.dll,#1O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - Startup: HotSync Manager.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO13 - Gopher Prefix: O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CABO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dllO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{8E340F40-6D7F-42F8-9735-DC3FE1D5A1C3}: NameServer = 85.255.114.90,85.255.112.92O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9C3291-86CE-40AB-8D4D-DBFC51E61030}: NameServer = 85.255.114.90,85.255.112.92O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.90,85.255.112.92O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.90,85.255.112.92O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.90,85.255.112.92O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\Windows\system32\rakmdlkd83indfgnbu.dllO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe--End of file - 7885 bytes Link to post Share on other sites More sharing options...
bradster Posted January 14, 2009 Author ID:47457 Share Posted January 14, 2009 Ran combofix, then malwarebytes. So far so good. Thanks for this kind site! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 14, 2009 Root Admin ID:47532 Share Posted January 14, 2009 Just a warning, please do not run combofix or similar tools on your own. These tools if not used properly can cause damage to Windows to the point it will never restart again.Please run the following Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen run the following scan againPlease download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button. DO NOT Click on the SCAN button.This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.Click OK and quit the GMER program.Then run a new HJT scan and save log Link to post Share on other sites More sharing options...
bradster Posted January 14, 2009 Author ID:47653 Share Posted January 14, 2009 Malwarebytes log:Malwarebytes' Anti-Malware 1.32Database version: 1649Windows 6.0.6001 Service Pack 11/13/2009 6:56:20 PMmbam-log-2009-01-13 (18-56-20).txtScan type: Full Scan (C:\|D:\|K:\|)Objects scanned: 182332Time elapsed: 1 hour(s), 3 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 7Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Qoobox\Quarantine\C\Windows\System32\TDSScrrx.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\Windows\System32\TDSSntlv.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\Windows\System32\TDSSrfpp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\Windows\System32\TDSStmei.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.C:\Qoobox\Quarantine\C\Windows\System32\drivers\TDSSmcmc.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.C:\System Volume Information\SystemRestore\FRStaging\Users\roque\AppData\Local\Temp\IXP001.TMP\RQMCBZC.sys (Trojan.Agent) -> Quarantined and deleted successfully.C:\Users\roque\AppData\Roaming\_fad39831195ec6bbf82d5fc026c00600\down\4203008.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.GMER log:GMER 1.0.14.14536 - http://www.gmer.netRootkit scan 2009-01-14 09:46:47Windows 6.0.6001 Service Pack 1---- Disk sectors - GMER 1.0.14 ----Disk \Device\Harddisk0\DR0 sector 60: copy of MBR---- Devices - GMER 1.0.14 ----AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)---- EOF - GMER 1.0.14 ---- Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 15, 2009 Root Admin ID:47840 Share Posted January 15, 2009 Please update MBAM again, it's at version 1.33 now and do a Quick Scan not a full scan.Then run a new HJT scan and post back both logs. Link to post Share on other sites More sharing options...
bradster Posted January 15, 2009 Author ID:48015 Share Posted January 15, 2009 Thank you, the new update did find another Trojan. Here are the last scan results:Malwarebytes' Anti-Malware 1.33Database version: 1656Windows 6.0.6001 Service Pack 11/15/2009 10:00:00 AMmbam-log-2009-01-15 (10-00-00).txtScan type: Quick ScanObjects scanned: 46003Time elapsed: 2 minute(s), 59 second(s)Memory Processes Infected: 1Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:C:\Users\roque\AppData\Roaming\cogad\cogad.exe (Trojan.Agent) -> Failed to unload process.Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Users\roque\AppData\Roaming\cogad\cogad.exe (Trojan.Agent) -> Delete on reboot. Link to post Share on other sites More sharing options...
bradster Posted January 15, 2009 Author ID:48017 Share Posted January 15, 2009 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:08:19 AM, on 1/15/2009Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Spare Backup\SpareBackup.exeC:\Program Files\BigFix\bigfix.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ClamWin\bin\ClamTray.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Windows\System32\lgbpd.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\System32\mobsync.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\system32\SearchFilterHost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5625ER1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silentO4 - HKLM\..\Run: [bigFix] c:\program files\Bigfix\bigfix.exe /atstartupO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /sO4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logonO4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exeO4 - HKCU\..\Run: [LGBLiveUpdate] C:\Windows\system32\lgbpd.exeO4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - Startup: HotSync Manager.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)O13 - Gopher Prefix: O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CABO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dllO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe--End of file - 4735 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 16, 2009 Root Admin ID:48176 Share Posted January 16, 2009 Please update your Anti-Virus to latest definitions and do a FULL SCAN Then update MBAM and do another Quick ScanThen run this tool please.Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button. DO NOT Click on the SCAN button.This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.Click OK and quit the GMER program.Then post back MBAM, GMER, and new HJT logs Link to post Share on other sites More sharing options...
bradster Posted January 20, 2009 Author ID:49454 Share Posted January 20, 2009 Malwarebytes' Anti-Malware 1.33Database version: 1673Windows 6.0.6001 Service Pack 11/20/2009 3:38:01 PMmbam-log-2009-01-20 (15-38-01).txtScan type: Quick ScanObjects scanned: 46227Time elapsed: 2 minute(s), 33 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)---------------GMER 1.0.14.14536 - http://www.gmer.netRootkit scan 2009-01-20 15:45:16Windows 6.0.6001 Service Pack 1---- Disk sectors - GMER 1.0.14 ----Disk \Device\Harddisk0\DR0 sector 60: copy of MBR---- Devices - GMER 1.0.14 ----AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)---- EOF - GMER 1.0.14 ---------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:43:46 PM, on 1/20/2009Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Spare Backup\SpareBackup.exeC:\Program Files\BigFix\bigfix.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ClamWin\bin\ClamTray.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Windows\System32\lgbpd.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Windows\System32\mobsync.exeC:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5625ER1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silentO4 - HKLM\..\Run: [bigFix] c:\program files\Bigfix\bigfix.exe /atstartupO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /sO4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logonO4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exeO4 - HKCU\..\Run: [LGBLiveUpdate] C:\Windows\system32\lgbpd.exeO4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - Startup: HotSync Manager.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exeO9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)O13 - Gopher Prefix: O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CABO16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cabO16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dllO16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe--End of file - 4692 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 21, 2009 Root Admin ID:49467 Share Posted January 21, 2009 Did you update ClamWin to the latest definitions and do a Full Scan? What did it find? Link to post Share on other sites More sharing options...
bradster Posted January 21, 2009 Author ID:49803 Share Posted January 21, 2009 Yes I did update clamwin, it found nothing. I can post the log if you'd like. Thanks!Did you update ClamWin to the latest definitions and do a Full Scan? What did it find? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 22, 2009 Root Admin ID:49883 Share Posted January 22, 2009 Okay that's good. The current logs don't seem to indicate any type of an infection.How is the computer running now?Are there still any signs of an infection? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 27, 2009 Root Admin ID:51127 Share Posted January 27, 2009 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts