remote attack

**currentlybeingspyedon** · 2010-03-16, 17:24

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:20:15 PM, on 3/16/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Domain Tools\ProjectWhois\ProjectWhois.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\my\Desktop\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.as...4z1m5r48l23265
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: ProjectWhois.lnk = C:\Program Files (x86)\Domain Tools\ProjectWhois\ProjectWhois.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9851 bytes

-------------------
http://forums.spybot.info/showthread.php?t=56202

**Shaba** · 2010-03-16, 18:13

Hi currentlybeingspyedon

Your log looks pretty ok to me. OS is windows 7 64bit which many tools don't support though.

Having asp.net account is normal as well.

Can you give me details why you think you are being spyed?

**currentlybeingspyedon** · 2010-03-16, 20:18

this may be in part to me running spybot & comodo registry cleaner a couple days ago (when doing so the scan had trouble with something called helloworld & I might have deleted some files in a stupid attempt trying to get rid of the thing and regain ownership to my computer) but my old computer had a backdoor, circus ride & bumphump type virus i could never figure out and so i bought this one but upon inserting our sd card i think it jumped into this computer (all the sudden my brand new computer was being tracked)... i have a folder called perflogs and also in my network map there's a folder remote administrator called admin$ that is shared with all my personal files & i don't use .net framework for anything and it seems someone now owns my computer because im being denied permission to folders im administrator to & have a smart card user account (i've never owned or used a smart card) also getting igoogle redirect & redirected at other times also..... should i try to restore this pc to default factory setting then scan again? (did this before & went great until about 30 sec into start up it launched & i tried eliminating the process but dont think it did any good because my security threat log in norton is riddled with unauthorized thread data logged & security modifications to my system config that i did not do) should i try to run a hjt log on my old computer to get an idea of what jumped into this one?

sorry for the trouble & thank you for the help!

**Shaba** · 2010-03-17, 19:08

So then we continue with this:

Download gmer.zip and save to your desktop.
alternate download site

Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

**currentlybeingspyedon** · 2010-03-18, 07:30

I did what you asked & under rootkit the only options im allowed to check are services, registry, files, ADS, & c:\ in normal mode & safe mode, the rest of the options are ghost in appearance & will not allow me to check them (including show all)... i scanned any way while disconnected from internet in both normal & safe mode which resulted in nothing found, but under modules i happened to notice that \systemroot\system32\drivers/mountmgr.sys size was 106496. Is that abnormal in size? If I restore system settings will this fix my problem of my files not being supported? (seen in my hjt log) I deleted some files that seemed to be suspicious & lost powerpoint & other programs previous to finding out about spybot & I'm wondering if starting over from factory default will restore my old files & i know whatever invaded my computer will re launch itself because I already tried this once when i called the manufacter of this new laptop i have, thats what there instructions were when i told them about the tracking device that installed when the sd card was put in.... (it didnt work as far as eliminating the remote administrator, unauthorized access & igoogle redirect)

Im sorry for my inexperience on these issues & really appreciate the help.

Thank you

**Shaba** · 2010-03-19, 09:30

Files are supported, it is about HJT and your windows version.

You never should delete anything which you are unsure about.

In this case, factory reset sounds best alternative.

You shouldn't use that sd card either or you will end up in similar situation soon.

**currentlybeingspyedon** · 2010-03-20, 02:14

okay, i have restored system to factory default settings & once again upon start up something called alaunchx intsalled 15 updates or some programs or something & shutdown then restarted automatically where i notice my date & time are not reading correctly. the perflogs file and many others are still there. when i downloaded spybot i disabled teatimer & ran a scan (nothing found) when i downloaded hjt & tried to run a scan to save on log it says: for some reason your system denied write access to the host file. if any hijacked domains are in this file hjt may not be able to fix this. if that happens you need to edit the file yourself.

Q: should alunchx be installing anything upon default restoration then rebooting?
Q: what is GAIA alaunchx?
Q: can this affect my date/time?
Q: what is perflogs?
Q: what is remote admin$
Q: could the files i deleted previously have allowed me to run hjt scan before & if so was this possibly hampering someones attempt to track me?
Q: since restoration attempt, do you think whatever has attacked me reinstalled its program/s successfully?
Q: do you think im hijacked (from this post & previous posts)
Q: can someone act as me (using my information) to attack or steal from others?

so far since THIS (TRIED 2 TIMES PREVIOUSLY & SAME RESULT) restoration attempt, i have installed spybot, ran scan, nothing found(unable to immunize)hijack this (tried scan & save to log unsuccessfully), & firefox.... that is all so far since i am awaiting what to do from this point.
Q: any suggestions on what to do from here?

please help- i hope i'm wrong, but i am afraid my identity is compromised & others are at risk!!!

**Shaba** · 2010-03-20, 12:21

"okay, i have restored system to factory default settings & once again upon start up something called alaunchx intsalled 15 updates or some programs or something & shutdown then restarted automatically where i notice my date & time are not reading correctly. the perflogs file and many others are still there."

Alaunch is program by Acer and legit. Perflogs are part of operating system and should be left alone.

"Q: should alunchx be installing anything upon default restoration then rebooting?
"Q: what is GAIA alaunchx?"

Please see above.

"Q: what is remote admin$"

Ability to use windows remotely, can be disabled within operating system.

"Q: what is perflogs?"

Part of windows 7, please leave alone.

"Q: could the files i deleted previously have allowed me to run hjt scan before & if so was this possibly hampering someones attempt to track me?"

No, user account control is on and/or you are not running HJT as admin.

"Q: since restoration attempt, do you think whatever has attacked me reinstalled its program/s successfully?"

No, I don't.

"Q: do you think im hijacked (from this post & previous posts)
Q: can someone act as me (using my information) to attack or steal from others?"

Sounds very unlikely.

"so far since THIS (TRIED 2 TIMES PREVIOUSLY & SAME RESULT) restoration attempt, i have installed spybot, ran scan, nothing found(unable to immunize)hijack this (tried scan & save to log unsuccessfully), & firefox.... that is all so far since i am awaiting what to do from this point.
Q: any suggestions on what to do from here?"

You are not apparently running those programs as admin.

As most of tools don't support 64bit OS and researching your situation would be very difficult, I recommend to take computer to some store for checkup.
Not much can be done without physically being at the computer.

Best regards.

**currentlybeingspyedon** · 2010-03-21, 21:44

DOES THIS SHED ANY LIGHT ON THE SITUATION?
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-03-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi
2010-03-16 Includes\AdwareC.sbi
2010-01-25 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2010-03-16 Includes\DialerC.sbi
2010-01-25 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2010-03-16 Includes\HijackersC.sbi
2010-01-20 Includes\Keyloggers.sbi
2010-03-16 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2010-03-02 Includes\Malware.sbi
2010-03-17 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2010-03-16 Includes\PUPSC.sbi
2010-01-25 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2010-03-16 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2010-03-02 Includes\Spyware.sbi
2010-03-16 Includes\SpywareC.sbi
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi
2010-03-16 Includes\TrojansC-02.sbi
2010-03-16 Includes\TrojansC-03.sbi
2010-03-16 Includes\TrojansC-04.sbi
2010-03-17 Includes\TrojansC-05.sbi
2010-03-16 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 2: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 3: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 4: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 5: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

OR THIS?

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-03-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi
2010-03-16 Includes\AdwareC.sbi
2010-01-25 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2010-03-16 Includes\DialerC.sbi
2010-01-25 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2010-03-16 Includes\HijackersC.sbi
2010-01-20 Includes\Keyloggers.sbi
2010-03-16 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2010-03-02 Includes\Malware.sbi
2010-03-17 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2010-03-16 Includes\PUPSC.sbi
2010-01-25 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2010-03-16 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2010-03-02 Includes\Spyware.sbi
2010-03-16 Includes\SpywareC.sbi
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi
2010-03-16 Includes\TrojansC-02.sbi
2010-03-16 Includes\TrojansC-03.sbi
2010-03-16 Includes\TrojansC-04.sbi
2010-03-17 Includes\TrojansC-05.sbi
2010-03-16 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 35696
MD5: 452FA961163EF4AEE4815796A13AB2CF

Located: HK_LM:Run, LManager
command: C:\Program Files (x86)\Launch Manager\LManager.exe
file: C:\Program Files (x86)\Launch Manager\LManager.exe
size: 1157128
MD5: 34BC222864CEF86DABB5032DA36485DA

Located: HK_LM:Run, NortonOnlineBackupReminder
command: "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
file: C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe
size: 588648
MD5: 40AEF61000935C93C144E537AC990786

Located: HK_LM:Run, StartCCC
command: "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
file: C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
size: 98304
MD5: EF5C94E3EFC691D1EE862044505F6345

Located: HK_LM:RunOnce, Uninstall Adobe Download Manager
command: "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
file: C:\Windows\system32\rundll32.exe
size: 44544
MD5: 51138BEEA3E2C21EC44D0932C71762A8

Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1173504
MD5: EA6EADF6314E43783BA8EEE79F93F73C

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-19...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1173504
MD5: EA6EADF6314E43783BA8EEE79F93F73C

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-20...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Global Registration
where: S-1-5-21-204940859-3958103151-4137569969-1002...
command: "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
file: C:\Program Files (x86)\eMachines\Registration\GREG.exe
size: 2844704
MD5: E379EB6B78739BA5273E880DE1216FEB

Located: HK_CU:Run, swg
where: S-1-5-21-204940859-3958103151-4137569969-1002...
command: "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
file: C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 39408
MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD

OR THIS?

pybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-03-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi
2010-03-16 Includes\AdwareC.sbi
2010-01-25 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2010-03-16 Includes\DialerC.sbi
2010-01-25 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2010-03-16 Includes\HijackersC.sbi
2010-01-20 Includes\Keyloggers.sbi
2010-03-16 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2010-03-02 Includes\Malware.sbi
2010-03-17 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2010-03-16 Includes\PUPSC.sbi
2010-01-25 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2010-03-16 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2010-03-02 Includes\Spyware.sbi
2010-03-16 Includes\SpywareC.sbi
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi
2010-03-16 Includes\TrojansC-02.sbi
2010-03-16 Includes\TrojansC-03.sbi
2010-03-16 Includes\TrojansC-04.sbi
2010-03-17 Includes\TrojansC-05.sbi
2010-03-16 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

PID: 0 ( 0) [System]
PID: 2168 (1600) C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
size: 117640
MD5: EE215321E83BE72AB77B6627FD149EAE
PID: 3216 (2308) C:\Program Files (x86)\Launch Manager\LManager.exe
size: 1157128
MD5: 34BC222864CEF86DABB5032DA36485DA
PID: 3236 ( 708) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 39408
MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD
PID: 5036 (3372) C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
size: 2521464
MD5: 7CFD590987D2BB33D5D56D98093D2E76
PID: 4216 (1084) C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System
PID: 256 ( 4) smss.exe
PID: 400 ( 332) csrss.exe
PID: 472 ( 332) wininit.exe
size: 96256
PID: 480 ( 464) csrss.exe
PID: 512 ( 464) winlogon.exe
PID: 572 ( 472) services.exe
PID: 584 ( 472) lsass.exe
PID: 592 ( 472) lsm.exe
PID: 708 ( 572) svchost.exe
size: 20992
PID: 780 ( 572) svchost.exe
size: 20992
PID: 820 ( 572) atiesrxx.exe
PID: 904 ( 572) svchost.exe
size: 20992
PID: 940 ( 572) svchost.exe
size: 20992
PID: 968 ( 572) svchost.exe
size: 20992
PID: 396 ( 572) svchost.exe
size: 20992
PID: 1008 ( 572) svchost.exe
size: 20992
PID: 1192 ( 820) atieclxx.exe
PID: 1328 ( 572) spoolsv.exe
PID: 1364 ( 572) svchost.exe
size: 20992
PID: 1468 ( 572) ePowerSvc.exe
PID: 1496 ( 572) svchost.exe
size: 20992
PID: 1536 ( 572) GregHSRW.exe
PID: 1600 ( 572) ccSvcHst.exe
PID: 1688 ( 572) SchedulerSvc.exe
PID: 1800 ( 572) UpdaterService.exe
PID: 1184 ( 572) SearchIndexer.exe
size: 428032
PID: 1776 ( 572) svchost.exe
size: 20992
PID: 1732 ( 708) WmiPrvSE.exe
PID: 1292 ( 572) C:\Windows\System32\taskhost.exe
PID: 1808 ( 940) C:\Windows\System32\dwm.exe
PID: 1084 (1944) C:\Windows\explorer.exe
size: 2868224
MD5: C235A51CB740E45FFA0EBFB9BAFCDA64
PID: 268 (1084) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
size: 7982112
MD5: 910AFE116ADE17C93E892C38452075F9
PID: 1256 (1084) C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
size: 828960
MD5: 0C4F4CFFA3A613D175BB25728514C0C4
PID: 2728 (1084) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 1808168
MD5: FD217F6DDBB90D84A46B36E17E99CA0C
PID: 860 ( 708) C:\Windows\System32\wbem\unsecapp.exe
PID: 2976 (1468) ePowerEvent.exe
PID: 3516 ( 572) wmpnetwk.exe
PID: 3604 (2728) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
size: 120616
MD5: C6BE59AE498497F78EC46DADB5335766
PID: 3744 ( 572) svchost.exe
size: 20992
PID: 3376 (3732) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
size: 65536
MD5: E7704CBF568815C1CAA6E513387BD3F2
PID: 144 (3376) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
size: 65536
MD5: 74EF310FAC89341CE2897B7F2C4A7B0F
PID: 2460 ( 572) C:\Windows\System32\taskhost.exe
PID: 1940 ( 940) WUDFHost.exe
PID: 3088 ( 572) svchost.exe
size: 20992
PID: 4612 ( 968) C:\Windows\System32\wuauclt.exe
PID: 4844 ( 904) audiodg.exe

PLEASE KEEP IN MIND THIS IS A NEW COMPUTER THAT WAS FACTORY CLEAN WITHOUT ANY INSTALLS & RAN PERFECT BEFORE INSERTING AN SD CARD THAT WAS EXPOSED TO A VIRUSED COMPUTER.... Q: WHAT IS MOM.EXE & CCC.EXE & SHOULD THEY BE COMMANDING ACCESS TO SHARED FILES OR EVEN BE INSTALLED FROM FACTORY? (I NEVER INSTALLED)
Q: COULD THIS BE A ROOT KIT?

**currentlybeingspyedon** · 2010-03-21, 21:55

OR THIS?

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-03-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi
2010-03-16 Includes\AdwareC.sbi
2010-01-25 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2010-03-16 Includes\DialerC.sbi
2010-01-25 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2010-03-16 Includes\HijackersC.sbi
2010-01-20 Includes\Keyloggers.sbi
2010-03-16 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2010-03-02 Includes\Malware.sbi
2010-03-17 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2010-03-16 Includes\PUPSC.sbi
2010-01-25 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2010-03-16 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2010-03-02 Includes\Spyware.sbi
2010-03-16 Includes\SpywareC.sbi
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi
2010-03-16 Includes\TrojansC-02.sbi
2010-03-16 Includes\TrojansC-03.sbi
2010-03-16 Includes\TrojansC-04.sbi
2010-03-17 Includes\TrojansC-05.sbi
2010-03-16 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 35696
MD5: 452FA961163EF4AEE4815796A13AB2CF

Located: HK_LM:Run, LManager
command: C:\Program Files (x86)\Launch Manager\LManager.exe
file: C:\Program Files (x86)\Launch Manager\LManager.exe
size: 1157128
MD5: 34BC222864CEF86DABB5032DA36485DA

Located: HK_LM:Run, NortonOnlineBackupReminder
command: "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
file: C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe
size: 588648
MD5: 40AEF61000935C93C144E537AC990786

Located: HK_LM:Run, StartCCC
command: "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
file: C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
size: 98304
MD5: EF5C94E3EFC691D1EE862044505F6345

Located: HK_LM:RunOnce, Uninstall Adobe Download Manager
command: "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
file: C:\Windows\system32\rundll32.exe
size: 44544
MD5: 51138BEEA3E2C21EC44D0932C71762A8

Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1173504
MD5: EA6EADF6314E43783BA8EEE79F93F73C

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-19...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1173504
MD5: EA6EADF6314E43783BA8EEE79F93F73C

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-20...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Global Registration
where: S-1-5-21-204940859-3958103151-4137569969-1002...
command: "C:\Program Files (x86)\eMachines\Registration\GREG.exe" BOOT
file: C:\Program Files (x86)\eMachines\Registration\GREG.exe
size: 2844704
MD5: E379EB6B78739BA5273E880DE1216FEB

Located: HK_CU:Run, swg
where: S-1-5-21-204940859-3958103151-4137569969-1002...
command: "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
file: C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 39408
MD5: 5D61BE7DB55B026A5D61A3EED09D0EAD

AGAIN, THIS IS A NEW HOME COMPUTER USED FOR HOME USE (EMAILS ETC

NOTHING FOR BUSINESS USE OR MONITORING ANY OTHER COMPUTER/S.

Q: DOES ANYTHING OF THE SLIGHTEST HINT LOOK GOOFY OR OUT OF PLACE UPON START UP? *NOTE NEW EMACHINES E627 WITHOUT ANY MODS (TO MY KNOWLEDGE)

THANK YOU FOR YOUR INSIGHT

Thread: remote attack

Thread Tools

Display

remote attack

?????

Tags for this Thread

Posting Permissions