i think i been hacked



DJSatin
2011-11-05, 06:26
i first posted here http://forums.spybot.info/showthread.php?p=415431#post415431 and i was told to start a new post

first and foremost thank you for your help.
as asked here is the dds text and attach.zip
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Owner at 1:05:55 on 2011-11-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.511 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: crossfire-radio Toolbar: {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - c:\program files\crossfire-radio\prxtbcros.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: crossfire-radio Toolbar: {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - c:\program files\crossfire-radio\prxtbcros.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: crossfire-radio Toolbar: {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - c:\program files\crossfire-radio\prxtbcros.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [S3apphk] S3apphk.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4B42A0E5-3F70-4B98-9C61-1F2574716953} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{E5733E58-79F5-4C0C-B824-90600BF0641C} : DhcpNameServer = 15.60.103.2 15.60.103.1
TCP: Interfaces\{ED50E7F6-C9EE-48E7-8FD6-E0FC8061DF91} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\rf2lqeus.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-28 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-3-31 320856]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2003-6-21 4064]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-3-31 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-14 44768]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-19 54752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2010-12-29 439632]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 portD;ABS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2011-9-15 7296]
S3 cpudrv;cpudrv;\??\c:\program files\systemrequirementslab\cpudrv.sys --> c:\program files\systemrequirementslab\cpudrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-5-8 23456]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2004-10-18 96256]
S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\pcdrdrv.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-7-20 163328]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2001-12-27 149244]
S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb1.sys [2004-10-9 9728]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-7-22 14336]
.
=============== Created Last 30 ================
.
2011-11-01 05:19:01 -------- d-----w- c:\documents and settings\owner\local settings\application data\SpacialAudio
2011-11-01 04:39:58 -------- d-----w- c:\program files\SpacialAudio
2011-11-01 04:34:37 -------- d-----w- C:\Sam4.9.2
2011-11-01 04:01:59 -------- d-----w- c:\documents and settings\owner\application data\MySQL
2011-11-01 03:33:14 -------- d-----w- C:\mysql
2011-10-15 09:53:00 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-10-16 07:12:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 06:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 1:11:32.23 ===============

shelf life
2011-11-10, 02:09
hi DJSatin,

Your post is a few days old. If you still need help simply post back.

DJSatin
2011-11-10, 10:54
hello shelf life

i have been waiting for someone to reply to my post. i haven't changed anything with my pc since my last post. i have not used the pc except to check to see if anyone had answered me here, for fear of a keylogger. all seems well with the pc, except it runs a little slow.
no virus alert with avast, i also ran malwarebytes found nothing.
what puzzles me is someone made a guest account, with admin privileges, and passworded it. so there has to be something on my pc that allowed them to do it and it could possibly still be on the pc. no one uses this pc but me, i didn't make that guest account named guest$.
can we make sure i am clean please?

shelf life
2011-11-11, 00:33
Logs look ok. Looks like your AV took care of it. I see you use Secunia, so must be pretty current with software updates. I assume Secunia will also cover MySQL.
We can get another download for a closer look. It's called combofix. There is a guide to read first, read through the guide then apply the directions on your own machine. Post the combofix log and we will go from there.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

DJSatin
2011-11-11, 22:51
thank you shelf life
i ran combo fix, i received an error that Pev.exe has encountered a problem and needs to close. as advised in the guide not to touch anything on the pc, i allowed combofix to run. here is the txt
ComboFix 11-11-11.06 - Owner 11/11/2011 15:46:50.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.590 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Application Data\Microsoft\AddIns\WordRMRComAddin.dll
c:\documents and settings\Owner\Recent\Thumbs.db
c:\windows\my.bak1
c:\windows\my.bak2
c:\windows\my.ini
c:\windows\system32\keep in touch with HP.htm
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-05 05:00 . 2011-11-05 05:01 -------- d-----w- c:\program files\ERUNT
2011-11-01 05:19 . 2011-11-01 05:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SpacialAudio
2011-11-01 04:39 . 2011-11-01 04:39 -------- d-----w- c:\program files\SpacialAudio
2011-11-01 04:34 . 2011-11-01 04:34 -------- d-----w- C:\Sam4.9.2
2011-11-01 04:01 . 2011-11-02 22:14 -------- d-----w- c:\documents and settings\Owner\Application Data\MySQL
2011-11-01 03:33 . 2011-11-01 10:58 -------- d-----w- C:\mysql
2011-10-27 05:02 . 2011-10-27 05:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-27 04:52 . 2011-10-27 04:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2011-10-21 18:38 . 2011-10-21 18:38 -------- d-----w- c:\program files\Common Files\Java
2011-10-15 09:53 . 2011-09-29 07:09 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-01 11:17 . 2011-11-01 11:17 454 ----a-w- c:\windows\my.bak7
2011-11-01 11:16 . 2011-11-01 11:16 311 ----a-w- c:\windows\my.bak6
2011-11-01 11:14 . 2011-11-01 11:14 247 ----a-w- c:\windows\my.bak5
2011-11-01 11:14 . 2011-11-01 11:14 246 ----a-w- c:\windows\my.bak4
2011-11-01 11:10 . 2011-11-01 11:10 158 ----a-w- c:\windows\my.bak3
2011-10-16 07:12 . 2011-05-15 10:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2005-07-22 04:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 09:06 . 2010-04-27 02:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 06:37 . 2011-06-13 11:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2005-07-22 04:52 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2002-03-15 14:19 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2002-03-15 14:19 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 20:45 . 2010-12-14 08:56 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2008-01-20 11:59 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-03-28 22:31 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2008-03-31 18:18 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2008-01-20 11:59 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2008-01-20 11:59 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2008-01-20 11:59 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2008-01-20 11:59 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2008-03-31 18:18 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2008-01-20 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-06 13:20 . 2005-07-22 04:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 21:00 . 2009-05-21 17:36 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2005-07-22 04:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2005-07-22 04:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 23:48 . 2005-07-22 04:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2005-07-22 04:51 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 07:09 . 2011-10-15 09:53 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}"= "c:\program files\crossfire-radio\prxtbcros.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}]
2011-05-09 09:49 176936 ----a-w- c:\program files\crossfire-radio\prxtbcros.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}"= "c:\program files\crossfire-radio\prxtbcros.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{53B3DEBE-7EA1-4999-A1AE-FCDBA2AEE48A}"= "c:\program files\crossfire-radio\prxtbcros.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{53b3debe-7ea1-4999-a1ae-fcdba2aee48a}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-16 212992]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"S3apphk"="S3apphk.exe" [2001-12-05 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-09-06 3722416]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpySubtract.lnk]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"iPod Service"=3 (0x3)
"rpcapd"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"WinRM"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1221:UDP"= 1221:UDP:mysql
"1221:TCP"= 1221:TCP:mysql
"3306:TCP"= 3306:TCP:mysql
"3306:UDP"= 3306:UDP:mysql
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\drivers\aswSnx.sys [3/28/2011 5:31 PM 442200]
R1 aswSP;aswSP;c:\windows\SYSTEM32\drivers\aswSP.sys [3/31/2008 1:18 PM 320856]
R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\drivers\ATMHELPR.SYS [6/21/2003 8:55 PM 4064]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\drivers\aswFsBlk.sys [3/31/2008 1:18 PM 20568]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R3 PSI;PSI;c:\windows\SYSTEM32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 portD;ABS PortIO Service;c:\windows\SYSTEM32\drivers\portd2k.sys [9/15/2011 5:53 PM 7296]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\SYSTEM32\drivers\DrvAgent32.sys [5/8/2010 4:25 AM 23456]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\SYSTEM32\drivers\LSIPNDS.sys [10/18/2004 3:18 AM 96256]
S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\SYSTEM32\drivers\LV532AV.SYS [7/20/2005 10:44 PM 163328]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\SYSTEM32\drivers\ScreamingBAudio.sys [12/1/2009 3:49 PM 34384]
S3 trid3d;trid3d;c:\windows\SYSTEM32\drivers\trid3dm.sys [12/27/2001 10:11 PM 149244]
S3 viafilter;VIA USB Filter;c:\windows\SYSTEM32\drivers\viausb1.sys [10/9/2004 5:08 PM 9728]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rf2lqeus.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2463487&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 16:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3529363498-2885428501-3134616843-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-3529363498-2885428501-3134616843-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{079125F1-8A1B-01C2-18CB-BC2936B6FD41}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaikglgmdddjigaenc"=hex:69,61,65,6e,66,6c,68,6b,6e,62,6f,61,6b,6d,68,6b,67,6f,
00,00
"haokmgacfjocbopm"=hex:6a,61,66,6e,61,6e,70,63,6f,63,65,63,63,63,67,6e,6f,68,
61,6b,00,0e
"iaellfcbjnpmcnbpbi"=hex:63,61,6a,6e,69,6b,00,7c
"dbgnpapaboncogaggilfgnfpipchablgkckoachd"=hex:6a,62,63,6c,6f,66,69,63,69,6e,
6b,61,6c,67,64,68,6f,6f,62,68,69,61,63,6e,68,6b,68,65,68,68,63,66,6d,6c,67,\
"jbgnpapaboncogaggilffojnnkliamhngodbkgnoihdbeomgjeaf"=hex:6f,61,69,6b,62,6a,
63,67,67,6f,6f,67,6b,68,6f,61,6a,6d,6b,6b,70,6b,6a,64,66,68,62,66,61,68,00,\
"dbgngmlphhcnjjaikgidbkpkadhjbadknphaahlk"=hex:6a,62,63,6c,6f,66,69,63,69,6e,
6b,61,6c,67,64,68,6f,6f,62,68,69,61,63,6e,68,6b,68,65,68,68,63,66,6d,6c,67,\
"jbgngmlphhcnjjaikgidghmolionfeeoigmpplekdgfhcindckhj"=hex:6f,61,62,6c,6f,64,
70,68,69,69,66,6d,68,68,61,6f,6d,6d,6e,70,63,69,66,68,68,63,61,66,61,6e,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\{]
@DACL=(02 0000)
.
Completion time: 2011-11-11 16:27:10
ComboFix-quarantined-files.txt 2011-11-11 21:27
.
Pre-Run: 31,192,465,408 bytes free
Post-Run: 31,168,745,472 bytes free
.
- - End Of File - - 6EB2B7A836D690367F6A9A4D87F5B309
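
An added illustration, not part of this thread or of ComboFix itself: a short Python script that parses ComboFix's bracketed registry sections (an excerpt copied from the log above, embedded as constructed sample input) and flags the points a log reviewer checks by eye: the disabled firewall flag, inbound ports opened to any address, and Run entries that give only a bare filename with no path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix log posted above.
# ComboFix writes each registry key in [brackets] and "name"=value lines under it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3apphk"="S3apphk.exe" [2001-12-05 28672]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-09-06 3722416]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1221:UDP"= 1221:UDP:mysql
"3306:TCP"= 3306:TCP:mysql
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')


def parse_sections(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group "name"=value lines under the bracketed registry key above them."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current].append((value.group(1), value.group(2).strip()))
    return sections


def firewall_findings(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Flag a disabled standard-profile firewall and inbound ports open to any address."""
    findings: List[str] = []
    for key, values in sections.items():
        lower = key.lower()
        if lower.endswith("firewallpolicy\\standardprofile"):
            for name, value in values:
                if name == "EnableFirewall" and value.startswith("0"):
                    findings.append("Windows Firewall is disabled on the standard profile")
        elif lower.endswith("globallyopenports\\list"):
            for name, value in values:
                # Format seen in the log: port:proto[:scope:state]:description
                fields = value.split(":")
                port, proto, desc = fields[0], fields[1], fields[-1]
                if "Disabled" in fields:
                    continue  # rule is present but switched off
                findings.append(f"inbound {proto} port {port} open to all ({desc})")
    return findings


def unqualified_run_entries(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Run entries with a bare filename resolve through the search path; list them for review."""
    flagged: List[str] = []
    for key, values in sections.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, value in values:
                quoted = QUOTED_PATH_RE.match(value)
                target = quoted.group(1) if quoted else value
                if not re.match(r"^[A-Za-z]:\\", target):
                    flagged.append(f"{name} -> {target}")
    return flagged


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_LOG)
    for line in firewall_findings(parsed) + unqualified_run_entries(parsed):
        print(line)
```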

shelf life
2011-11-13, 00:35
hi,

Do you know what this is: C:\Sam4.9.2

We can get a closer look with Gmer:

Please follow step # 8 here. (http://www.bleepingcomputer.com/forums/topic34773.html)

DJSatin
2011-11-13, 05:35
yes C:\Sam4.9.2 is broadcasting software for the internet radio station i am in partnership with, which is also the reason i need mysql running for the playlist database.

i do have a DJ seeding license to run this software. i will provide it for you if needed, privately, so it can not be used and copied by another. the station does pay royalties through loudcity. i know you here have a policy to not support unlawful activity. this station is a non profit station provided free to anyone who listens. with that said and clear :) let me get this next step done for you. again my thanks for your time and help.

DJSatin
2011-11-13, 10:20
Gmer ark.txt is attached
it took 4 hours to run lol hope i did this right. i'll check back with you tomorrow have a good day

DJSatin
2011-11-13, 10:23
sorry didn't get it right the first time try again i'm tired lol good night

DJSatin
2011-11-13, 10:25
they say third time is a charm i didn't zip it again sorry this time should work whew one tired lady here sorry

DJSatin
2011-11-13, 10:26
and again lmao its been a long night

shelf life
2011-11-13, 15:21
hi,

Gmer can take a while. The good news is I don't see anything that looks out of place in the log. I don't need your license, I'm not the 'pirate' radio police. Looks like Avast managed to control the malware before it got out of hand.

DJSatin
2011-11-13, 19:49
lol ok you're not the radio police.
great news the logs are clean. it was a pleasure having someone with as much knowledge as you do helping me. i have confidence in you, if you say i am clean then i am. whew that is a big worry off my shoulders. i changed all my passwords, updated the software and add ins. i even called my credit cards and had the numbers changed, perhaps i over reacted but better safe than sorry. hopefully i am now more secure and this will not occur again. at this time my pc seems to be working as it should. i can go do my daily radio broadcast.

thank you most kindly for your devoted time. this help forum gets a thumbs up. i will post in our website about how kind and helpful you were, so others can benefit from your help.

shelf life
2011-11-13, 23:01
You're welcome. Based on the logs you're clean. You can remove the Gmer icon and logs. Combofix can be removed like this:
Start>run and type in combofix /uninstall
click ok or enter
Note the space after the x and before the /

For your reference:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.
No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)


2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.


3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.


4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).


5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.


6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?


7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.


8) Install and understand the *limitations* of a software firewall.


9) The why and how to secure (http://www.cert.org/tech_tips/securing_browser/) your browser for safer surfing.


10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. A file can be named anything, be nothing but malware or have malware bundled in it.
Do you really trust the source?

Happy Safe Surfing

DJSatin
2011-11-13, 23:48
ok i removed Gmer icon and logs, and combofix was uninstalled. should i also remove or uninstall dds, and ERUNT?

shelf life
2011-11-14, 02:44
hi DJSatin,

You can delete the DDS icon from your desktop. ERUNT can be removed via the add/remove programs panel if you want to remove it. Up to you.

happy safe surfing.