Help
Hello,
I've been fighting this problem for quite a while but now it has become very bad!
Using Process explore System PID 4 is now constantly accessing hard drive for 10 minutes + during turn on.
Found C:\Windows\System32\Drivers\dump_dumpata.sys
CPU use very high during these periods - laptop freezes
Problem began a few days ago with Firefox being re-directed on a number of sites.
I don't know what to do next
Please help
Thanks
Forum Guidelines
Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient. DO NOT RUN ComboFix unless requested to. Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
dump_dumpata.sys found on PC - Browser Redirection - Lots of Hard Drive & CPU Activity - HELP!
Back to top
#2
- Member
-
- Group: Members
- Posts: 117
- Joined: 19-February 10
Posted 18 January 2012 - 07:58 AM
Below are (in order of being run:
DDS.txt, mbam log and GMER log.
I had to disable ms security essentials before GMER would run completely. This took two reboots.
Thanks again in advance for you time and effort on my behalf.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by User at 6:26:40 on 2012-01-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1304 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\mobsync.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [USB Safely Remove] c:\program files\usb safely remove\USBSafelyRemove.exe /startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\user\appdata\local\temp\_uninst_91361604.bat
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{10797319-1BAE-49B6-974E-C64C84F088E5} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\nzz2wp10.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: google.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-7-10 41912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-7 21504]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-12-20 196904]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2011-8-8 257880]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-2-28 7168]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2010-6-24 21504]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2011-6-23 291088]
.
=============== Created Last 30 ================
.
2012-01-18 09:47:12 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dca7c806-f0fc-4d55-8f8b-345cc5487dc9}\mpengine.dll
2012-01-17 23:28:16 -------- d-----w- C:\HijackThis
2012-01-17 23:08:02 -------- d-----w- c:\program files\Trend Micro
2012-01-17 18:45:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-17 18:45:07 -------- d-----w- c:\users\user\appdata\local\temp
2012-01-16 23:56:22 -------- d-----w- c:\users\user\appdata\local\temp(432)
2012-01-16 19:06:00 -------- d-----w- c:\users\user\appdata\roaming\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-16 17:52:37 -------- d-----w- c:\program files\common files\Java(286)
2012-01-16 02:32:00 -------- d-----w- c:\program files\VS Revo Group
2012-01-11 14:11:12 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 14:11:12 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 14:11:12 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 14:11:11 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 14:11:11 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 14:11:11 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-11 13:40:13 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:40:10 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 13:40:10 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 13:40:09 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:40:08 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 13:40:05 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 13:40:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-04 03:19:53 -------- d-----w- c:\programdata\Media Center Programs
2012-01-03 22:10:18 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-01-03 22:10:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 22:10:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 22:10:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 22:10:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 01:54:07 -------- d-----w- c:\program files\Sonalysts Combat Simulations
2012-01-02 01:45:57 -------- d-----w- c:\users\user\appdata\local\AMozilla
2012-01-02 01:45:41 -------- d-----w- c:\program files\common files\SystemEngines
2012-01-02 01:45:40 -------- d-----w- c:\users\user\appdata\roaming\AMozilla
2012-01-02 00:55:51 -------- d-----w- c:\program files\Sierra On-Line
2012-01-02 00:55:43 -------- d-----w- C:\Sierra
2012-01-02 00:42:51 30048 ----a-w- c:\windows\UNWISE.EXE
2011-12-22 03:40:00 -------- d-----w- c:\program files\Nitro PDF
2011-12-22 03:39:59 -------- d-----w- c:\program files\common files\Nitro PDF
.
==================== Find3M ====================
.
2012-01-17 03:39:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 15:10:38 17704 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-12-20 15:10:36 26408 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 16:39:10 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-26 16:39:10 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 01:16:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 6:27:37.98 ===============
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.18.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]
1/18/2012 7:00:56 AM
mbam-log-2012-01-18 (07-00-56).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 166693
Time elapsed: 5 minute(s), 19 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-18 07:45:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541616J9SA00 rev.SB4OC7DP
Running: rw5cwmwd.exe; Driver: C:\Users\User\AppData\Local\Temp\pwldapob.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3492] ntdll.dll!DbgBreakPoint 77C3878E 1 Byte [90]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@nagplcinnbafddhphghdbpeihdfg 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@oaapnebjccibdiphimkbeapcmkphil 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@pamcgjbbappmdghnjieboepbkljefcfc 0x6B 0x61 0x69 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@oagciiffdlnepeniemheimplnpmkkm 0x6B 0x61 0x69 0x6E ...
---- EOF - GMER 1.0.15 ----
Regards,
John (NH Guy)
DDS.txt, mbam log and GMER log.
I had to disable ms security essentials before GMER would run completely. This took two reboots.
Thanks again in advance for you time and effort on my behalf.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by User at 6:26:40 on 2012-01-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1304 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\mobsync.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [USB Safely Remove] c:\program files\usb safely remove\USBSafelyRemove.exe /startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\user\appdata\local\temp\_uninst_91361604.bat
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{10797319-1BAE-49B6-974E-C64C84F088E5} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\nzz2wp10.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: google.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-7-10 41912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-7 21504]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-12-20 196904]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2011-8-8 257880]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-2-28 7168]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2010-6-24 21504]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2011-6-23 291088]
.
=============== Created Last 30 ================
.
2012-01-18 09:47:12 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dca7c806-f0fc-4d55-8f8b-345cc5487dc9}\mpengine.dll
2012-01-17 23:28:16 -------- d-----w- C:\HijackThis
2012-01-17 23:08:02 -------- d-----w- c:\program files\Trend Micro
2012-01-17 18:45:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-17 18:45:07 -------- d-----w- c:\users\user\appdata\local\temp
2012-01-16 23:56:22 -------- d-----w- c:\users\user\appdata\local\temp(432)
2012-01-16 19:06:00 -------- d-----w- c:\users\user\appdata\roaming\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-16 17:52:37 -------- d-----w- c:\program files\common files\Java(286)
2012-01-16 02:32:00 -------- d-----w- c:\program files\VS Revo Group
2012-01-11 14:11:12 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 14:11:12 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 14:11:12 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 14:11:11 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 14:11:11 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 14:11:11 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-11 13:40:13 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:40:10 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 13:40:10 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 13:40:09 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:40:08 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 13:40:05 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 13:40:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-04 03:19:53 -------- d-----w- c:\programdata\Media Center Programs
2012-01-03 22:10:18 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-01-03 22:10:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 22:10:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 22:10:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 22:10:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 01:54:07 -------- d-----w- c:\program files\Sonalysts Combat Simulations
2012-01-02 01:45:57 -------- d-----w- c:\users\user\appdata\local\AMozilla
2012-01-02 01:45:41 -------- d-----w- c:\program files\common files\SystemEngines
2012-01-02 01:45:40 -------- d-----w- c:\users\user\appdata\roaming\AMozilla
2012-01-02 00:55:51 -------- d-----w- c:\program files\Sierra On-Line
2012-01-02 00:55:43 -------- d-----w- C:\Sierra
2012-01-02 00:42:51 30048 ----a-w- c:\windows\UNWISE.EXE
2011-12-22 03:40:00 -------- d-----w- c:\program files\Nitro PDF
2011-12-22 03:39:59 -------- d-----w- c:\program files\common files\Nitro PDF
.
==================== Find3M ====================
.
2012-01-17 03:39:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 15:10:38 17704 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-12-20 15:10:36 26408 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 16:39:10 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-26 16:39:10 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 01:16:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 6:27:37.98 ===============
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.18.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]
1/18/2012 7:00:56 AM
mbam-log-2012-01-18 (07-00-56).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 166693
Time elapsed: 5 minute(s), 19 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-18 07:45:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541616J9SA00 rev.SB4OC7DP
Running: rw5cwmwd.exe; Driver: C:\Users\User\AppData\Local\Temp\pwldapob.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3492] ntdll.dll!DbgBreakPoint 77C3878E 1 Byte [90]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@nagplcinnbafddhphghdbpeihdfg 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@oaapnebjccibdiphimkbeapcmkphil 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@pamcgjbbappmdghnjieboepbkljefcfc 0x6B 0x61 0x69 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@oagciiffdlnepeniemheimplnpmkkm 0x6B 0x61 0x69 0x6E ...
---- EOF - GMER 1.0.15 ----
Regards,
John (NH Guy)
This post has been edited by hamluis: 18 January 2012 - 10:10 AM
#3
- Forum Addict
-
- Group: Malware Response Team
- Posts: 1,366
- Joined: 06-November 08
- Gender:Male
- Location:@localhost
Posted 22 January 2012 - 09:17 AM
hi NHGuy,
If you still need help simply reply back and we will see if we can figure out whats going on.
If you still need help simply reply back and we will see if we can figure out whats going on.
Is It Real or ScareWare?
How Can I Reduce My Risk.
How Can I Reduce My Risk.
Share this topic:
Page 1 of 1