
I have an infected computer


  • This topic is locked
2 replies to this topic

#1 curtandy

curtandy

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 04 February 2009 - 01:06 PM

Running McAfee VSE Enterprise 8.5i. It keeps finding what McAfee calls PWS-Mmorpg.gen, Generic.dx, and Generic Dropper.p but keeps coming back. Computer won't run most executables and sometimes won't boot up to desktop after logging on.

My user is offsite so I had him run DDS and send me the results. I will have the computer in my possession in the morning.


DDS (Ver_09-02-01.01) - NTFSx86
Run by XXXXXXXX at 8:36:55.84 on 02/04/2009 Wed
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = hraoisa1:80
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ATLAS Toolbar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v14\ATLIECP.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: ATLAS Toolbar: {3c6301ed-0f78-4af2-8150-d9c052361a8e} - c:\program files\atlas v14\ATLIECP.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [Washer] c:\program files\washer\washer.exe /0
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG9.0] c:\progra~1\common~1\micros~1\ime\imjp9\IMJPMIG.EXE /Preload /Migration32
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [PMX Daemon] ICO.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
IE: &Translate with ATLAS - c:\program files\atlas v14\Atlscript.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: ATLAS Translation &Editor - c:\program files\atlas v14\AtlscriptEdit.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7707A72-4355-11D4-82BD-00000EBBEF8D} - c:\program files\atlas v14\Atlscript.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_08-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {E03778F3-6A38-4B36-A5FA-2F5026D97C66} - hxxp://tnews-u004.t.rd.honda.co.jp/e4l/or/ParaParaMekuri.cab

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-31 12:39 <DIR> --d----- c:\program files\MSXML 6.0
2009-01-31 12:38 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-01-30 21:34 <DIR> --d----- c:\docume~1\ra015129\applic~1\Malwarebytes
2009-01-30 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 21:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-30 21:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-30 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-30 20:07 <DIR> --d----- c:\docume~1\ra015129\applic~1\Xerox
2009-01-30 15:27 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-30 15:27 74,240 -c------ c:\windows\system32\dllcache\mscms.dll
2009-01-30 15:27 253,952 -c------ c:\windows\system32\dllcache\es.dll
2009-01-30 15:24 417,792 -c------ c:\windows\system32\dllcache\vbscript.dll
2009-01-30 13:18 <DIR> --d----- C:\Quarantine
2009-01-30 13:10 109,127 ---shr-- C:\hl80c6b1.com
2009-01-30 13:09 95,744 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-01-30 12:19 <DIR> --d----- c:\docume~1\ra015129\applic~1\Aventail
2009-01-30 12:06 108,861 ---shr-- C:\8.bat
2009-01-30 12:06 179 ---shr-- C:\autorun.inf
2009-01-30 12:05 95,744 ---shr-- c:\windows\system32\nmdfgds0.dll
2009-01-30 11:52 <DIR> --d----- c:\docume~1\ra015129\applic~1\Fujitsu
2009-01-30 11:50 <DIR> --d----- C:\spoolerlogs
2009-01-30 11:49 <DIR> --d----- c:\docume~1\ra015129\applic~1\Intel
2009-01-30 11:49 <DIR> --d----- c:\docume~1\ra015129\applic~1\ICAClient
2009-01-30 11:49 <DIR> --d----- c:\docume~1\ra015129\applic~1\Dell
2009-01-30 11:49 <DIR> --ds---- c:\documents and settings\ra015129\UserData
2009-01-30 11:49 <DIR> --d----- c:\documents and settings\ra015129\WINDOWS
2009-01-30 11:49 <DIR> --d----- c:\documents and settings\ra015129
2009-01-30 11:30 19,968 a----r-- c:\windows\system32\drivers\omci.sys
2009-01-30 11:20 179,584 -c------ c:\windows\system32\dllcache\mrxdav.sys
2009-01-30 10:52 <DIR> --d----- c:\program files\Aventail Connect
2009-01-30 10:39 256 a---h--- c:\windows\system32\LTAW14FN.BIN
2009-01-30 10:38 <DIR> --d----- c:\program files\ATLAS V14
2009-01-30 10:24 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-08 12:46 134,756 a------- c:\windows\system32\nvapps.nvb
2009-01-08 12:35 134,756 a------- c:\windows\system32\nvapps.xml
2009-01-08 12:35 356,352 a------- c:\windows\system32\nvudisp.exe
2009-01-08 12:35 17,527 a------- c:\windows\system32\nvdisp.nvu
2009-01-08 12:20 1,596,411 a------- c:\windows\setupapi.log.3.old
2009-01-08 12:16 1,705,472 ac------ c:\windows\system32\dllcache\netshell.dll
2009-01-08 12:16 476,160 ac------ c:\windows\system32\dllcache\wzcsvc.dll
2009-01-08 12:16 383,488 ac------ c:\windows\system32\dllcache\wzcdlg.dll
2009-01-08 12:16 52,736 ac------ c:\windows\system32\dllcache\wzcsapi.dll
2009-01-08 12:16 14,592 ac------ c:\windows\system32\dllcache\ndisuio.sys

==================== Find3M ====================

2009-02-03 16:06 463,587 a------- c:\windows\system32\nvModes.dat

============= FINISH: 8:37:21.34 ===============

Edited by curtandy, 04 February 2009 - 01:07 PM.
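A defender-side triage script for the "Created Last 30" section of the DDS log posted above, added here as an example and not code from the thread or from the DDS tool. It flags the file placement and attribute pattern visible in this log (system+hidden+read-only files in the drive root, an autorun.inf, and system+hidden files dropped straight into system32); the attribute-position mapping and the rules are assumptions drawn from the entries shown, and the sample input is a constructed excerpt of the posted log.

```python
import re

# One "Created Last 30" entry: date, time, size or <DIR>, 8-char attribute field, path.
# Assumed from the posted output: 's' (system), 'h' (hidden), 'r' (read-only) at indexes 3, 4, 5.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+"
                      r"([-a-z]{8})\s+(.+)$", re.I)
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
SYSTEM32_FILE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

def parse_created_section(log):
    """Return the 'Created Last 30' entries as (is_dir, attrs, path) tuples."""
    entries, active = [], False
    for line in log.splitlines():
        if "Created Last 30" in line:
            active = True
        elif active and line.startswith("===="):   # next section header ends it
            break
        elif active and (m := ENTRY_RE.match(line.strip())):
            _, _, size, attrs, path = m.groups()
            entries.append((size == "<DIR>", attrs.lower(), path))
    return entries

def triage(entries):
    """Flag files matching the autorun-worm placement/attribute pattern; returns [(path, [reasons])]."""
    findings = []
    for is_dir, a, path in entries:
        if is_dir:                       # directories are not judged by these rules
            continue
        system, hidden, ro, reasons = a[3] == "s", a[4] == "h", a[5] == "r", []
        if ROOT_FILE_RE.match(path) and system and hidden and ro:
            reasons.append("system+hidden+read-only file in drive root")
        if SYSTEM32_FILE_RE.match(path) and system and hidden:
            reasons.append("system+hidden file dropped directly in system32")
        if path.lower().endswith("\\autorun.inf"):
            reasons.append("autorun.inf created (removable-media spreading)")
        if reasons:
            findings.append((path, reasons))
    return findings

# Sample input: a constructed excerpt of the DDS log posted above.
SAMPLE_LOG = r"""=============== Created Last 30 ================
2009-01-30 21:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 13:10 109,127 ---shr-- C:\hl80c6b1.com
2009-01-30 13:09 95,744 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-01-30 12:06 179 ---shr-- C:\autorun.inf
2009-01-30 12:05 95,744 ---shr-- c:\windows\system32\nmdfgds0.dll
2009-01-30 11:49 <DIR> --ds---- c:\documents and settings\ra015129\UserData
2009-01-30 10:39 256 a---h--- c:\windows\system32\LTAW14FN.BIN
==================== Find3M ===================="""
```

Running `triage(parse_created_section(SAMPLE_LOG))` flags the two root files, the two system32 DLLs and autorun.inf, while the hidden-only LTAW14FN.BIN and the system-attributed directory are left alone.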


#2 curtandy

curtandy
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 06 February 2009 - 07:16 AM

Please close. I have resolved it myself using combofix and sdfix. I just wanted some verification first.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:06:35 AM

Posted 06 February 2009 - 02:51 PM

Thanks for informing us.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
