Hello all,

Unfortunately I have this bad habit of turning to this magnificent community
only with requests for a helping hand on malware issues, but since that's the
root nature of this part of the forum, I can just say that I'll be happy to
drop by more frequently in future.

The computer I'm having problems with has ESET NOD32 installed, but as expected
prior to this post, I've read the sticky topics at the top, installed and ran
all the necessary scans, saved the logs etc.

Firstly - I've run a full system scan with ESET,
ending up with one threat found - eliminated.

Secondly - Malwarebytes found about six issues - all eliminated.

All the other logs are attached, except the dds.scr's, as my system detects it
as an AutoCAD script and just opens it in Notepad. I don't know how to run it on its own,
so I'd appreciate a little help on that subject.

All in all, the problem persists: some process is taking up my whole upload bandwidth,
leaving me unable to make any use of the internet. Sometimes this happens right at Windows start,
sometimes much later. I've found some posts on the net with the same symptoms, but with
no resolution of the problem. One pinpointed one instance of the SVCHOST process as the
carrier, but I don't know how to determine which one, and how to fix it once found.
There are multiple instances of this process, and I've found out that it resembles
the count of programs running on the .NET framework, or something like that
[meaning one instance for every program that is currently running].
Anyway, I could use some explanation of the issue with SVCHOST,
but meanwhile, something's going on that I would like to fix, with your assistance.

End notes: Win XP SP3 [auto-update disabled] running on an AMD XP-type machine.
Also ran the suggested Microsoft app, but it resulted in no threats found...
GMER logs were made prior to the Malwarebytes cleaning, the HijackThis log after...

Here are the logs, hopefully this matter will end with good results.

<a href="/images/attachments/1/mbam%20log.txt">mbam log.txt</a>

<a href="/images/attachments/1/GMER%20One%20log.txt">GMER One log.txt</a>

<a href="/images/attachments/1/GMER%20Two%20log.txt">GMER Two log.txt</a>

<a href="/images/attachments/1/hijackthis%20log.txt">hijackthis log.txt</a>

Best regards, MR


If your computer is infected as badly as it sounds, I am a little wary of opening text files that came from your PC. A good place to post HijackThis logs and anything else that deals with tech stuff is http://www.pastie.org. Its main purpose is for pasting code, but I don't see why you couldn't pastie HijackThis logs.

Comment: All logs can easily be copy/pasted right here. No need to go elsewhere.

Do you mean paste them into the post?
If so I'll do that, it's just
that I didn't know it's easier
for you to work your way through logs
scrolling through my post...
Coming up in a few minutes.

Here's the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:41, on 19.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPWOTOOLBOX] C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe "-i"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapa.urbel.com/beoinfo/ActiveX/mgaxctrl.cab
O21 - SSODL: UpdateCheck - {E411934E-1FE0-485B-91CB-B4A974067577} - C:\WINDOWS\system32\ymasf.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional\RpcAgentSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7678 bytes

If anything else is needed, just give me a beep,
I'll be more than happy to work my way to the resolution[s]...

In the meantime, I've found something that
looks like it doesn't belong there, so I took a screenshot.

Don't know how to show you this, maybe via box.net, flickr or something?
It shows a service svchost in the internet connection settings...

No, what I meant was pastie your logs onto www.pastie.org. Well, I will look over them now and re-post.

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapa.urbel.com/beoinfo/ActiveX/mgaxctrl.cab
O21 - SSODL: UpdateCheck - {E411934E-1FE0-485B-91CB-B4A974067577} - C:\WINDOWS\system32\ymasf.dll (file missing)

These entries look very suspicious. I would not click on that link; it most likely is the cause of your troubles. Also, you have Acrobat 8.0 on your computer; that is really outdated, therefore open to a lot of attacks. ESET is for Creative Technology.

I am not one who messes with the registry, so I am not going to tell you to. I will leave that up to the spyware geeks. I am a programmer geek who dabbles in helping out, well, basically everywhere on DaniWeb.

Yesterday I wasn't able to check the progress here,
so here I am now. While checking for PC viruses,
I got a real one myself, and had to stay in bed for a whole day.

The O16 entry that you marked is actually something I'm familiar with,
obviously coming from the major institute of urbanism website,
but how that plug-in managed to get into my start-up roster,
I don't know. It could be packed with something malicious, but I don't recall
that after I visited this website anything twisted was going goofy with my PC.

As for the other entry, I spotted a few other updating nodes that I don't know:

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

As for Adobe, what you see here are the nodes for Acrobat (not Reader),
so going for the new version is a bit more expensive, but I could get the new Reader.

Anyway, I'm awaiting "what to do" posts concerning the above-mentioned entries.

The entries I mentioned are obviously
InstallShield update service ones...

I did several things on my own;
the result seems good, at least for now.
Used HJT to fix/delete entries O16 & O21,
used regedit to check what apps are
running behind the svchost process,
and found in Winlogon a suspicious entry, a path
to a file "tnzbrg.exe" in the apps dir
under Documents and Settings; googled it,
it seemed even more suspicious; deleted it
with the help of the Malwarebytes file deletion app.
Restarted the PC, everything seems good,
at least for now... No uncontrolled uploading,
the net goes like it should...
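The first post asks how to tell which svchost.exe instance is the one uploading, and the post above describes doing it by hand (checking what runs behind svchost, then the Winlogon key in the registry). The following triage script is an added example written for this page; it is not from any of the posters. It assumes Windows XP SP3 with PowerShell 2.0 installed (not present on XP by default) and an administrator account. The factual basis: svchost.exe hosts groups of Windows services implemented as DLLs, so the number of instances corresponds to service groups (the `-k` group on each command line), not to the number of .NET programs running; each hosted service records its DLL under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll`; and on XP the Winlogon `Shell` value defaults to `Explorer.exe` and `Userinit` to `<SystemRoot>\system32\userinit.exe,` (trailing comma included), with `Winlogon\Notify` subkeys naming DLLs that winlogon.exe loads at logon. The output file name and the `<-- ` markers are the script's own conventions.

```powershell
# Added triage script (not from the original thread). Assumes XP SP3 + PowerShell 2.0,
# run as an administrator. Answers: which svchost.exe has live connections, which
# services (and which DLLs) it hosts, and whether Winlogon persistence values are default.

# 1. PID -> names of the services running inside that process (what `tasklist /svc` shows).
#    ProcessId comes back as UInt32; cast to [int] so hashtable keys compare equal below.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $p = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
    $svcByPid[$p] += $_.Name
}

# 2. PID -> remote endpoints of ESTABLISHED TCP connections, parsed from `netstat -ano`.
#    Columns: Proto, Local Address, Foreign Address, State, PID (UDP rows have no State).
$connByPid = @{}
netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'ESTABLISHED') {
        $p = [int]$f[4]
        if (-not $connByPid.ContainsKey($p)) { $connByPid[$p] = @() }
        $connByPid[$p] += $f[2]
    }
}

# 3. For every svchost.exe: its service group, each hosted service with the DLL it loads,
#    and its established connections. A ServiceDll outside %SystemRoot%\system32, or
#    connections to addresses you do not recognise, marks the instance to investigate.
$sys32 = "$env:SystemRoot\system32\*"
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $p = [int]$_.ProcessId
    "PID $p  cmdline: $($_.CommandLine)"
    foreach ($name in $svcByPid[$p]) {
        $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction SilentlyContinue
        $dll = '(no ServiceDll value)'
        $flag = ''
        if ($params -and $params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            if ($dll -notlike $sys32) { $flag = '   <-- DLL outside system32, check it' }
        }
        "    service $name -> $dll$flag"
    }
    foreach ($remote in $connByPid[$p]) { "    established -> $remote" }
}

# 4. Winlogon values commonly abused for persistence (the path to tnzbrg.exe in the post
#    above was found here). Anything appended after explorer.exe / userinit.exe runs at
#    every logon; each Notify subkey's DLLName is loaded into winlogon.exe itself.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($wl.Shell)"
"Winlogon Userinit = $($wl.Userinit)"
if ($wl.Shell -ne 'Explorer.exe' -or $wl.Userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    "    <-- non-default Winlogon value, inspect the extra path(s)"
}
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue |
    ForEach-Object { "Notify $($_.PSChildName) -> $((Get-ItemProperty $_.PSPath).DLLName)" }
```

Save it as, say, svchost-triage.ps1 and run `powershell -ExecutionPolicy Bypass -File .\svchost-triage.ps1` while the upload is happening, since step 2 only sees connections that exist at that moment. Without PowerShell the same three views come from `tasklist /svc`, `netstat -ano -b` and `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`. The script reports and flags only; it changes nothing, so the decision to remove a service DLL or a Winlogon entry stays with whoever reads the output.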

> ESET is for Creative Technology.

ESET is the anti-virus program installed on the computer.

Hey Matthew, I'm kind of an amateur when it comes to spyware; hell, my computers nearly always have something suspicious on them, so I can sympathise, but I couldn't help but reply to remind you that some viruses can be delayed so they activate on a date, or on the next start-up, or something. I've even heard of really clever ones that get round security by coming in in parts (though to me this sounds like a risky infection stratagem for the cracker; not that I mind that idiots can fail all they like for all I care).

But anyhoo, the point: a problem could have been dormant or unnoticed for some time before you remember seeing the problem. I'd suggest thinking back from when you saw the problem and looking for things you visited that are highest risk, then googling "virus problems" + site or something; if you've got it, chances are that someone else has had it or has encountered it before.

I know this isn't very hopeful, but I'd say google anything you think is suspicious, even if it's just to narrow the possibilities, and then I'd look at the site posted (I'm guessing more people would be able to help).

Hope I was more help than a pain ^_^
