
CPU 100%, PremiumSearch infection


#1 rdouglas


Posted 15 May 2009 - 03:30 PM

So far I've:

1) Deleted temp files
2) Symantec Corporate in safe mode - comes up clean
3) Ran spybot in safe mode - cleans up everything except PremiumSearch
4) Malwarebytes will not run in safe mode


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Ray at 16:16:33.05 on Fri 05/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.212 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Ray.NOTEBOOK\My Documents\Download\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Ray.NOTEBOOK\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = actsvr.comcastonline.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
mWinlogon: System=cstff.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [AIM] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [eyeBeam SIP Client] "c:\program files\star2star\eyeBeam.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [Cobian Backup 8] "c:\program files\cobian backup 8\Cobian.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6CB5E471-C305-11D3-99A8-000086395495} - hxxp://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - hxxp://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37418.5492592593
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\symantec\winfax\WfxSeh32.Dll
SEH: {E60A0B68-2F3C-A1D2-A901-9381E036D21A} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
S1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
S2 Iprip;Iprip;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-7-2 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-7-2 47640]
S2 MapMemP;MapMemP;c:\windows\system32\drivers\MapMemP.Sys [2003-4-10 63080]
S2 netsvcs_0x0;netsvcs_0x0;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x1;netsvcs_0x1;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x10;netsvcs_0x10;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x2;Microsoft VMware NAT Service ;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x5;netsvcs_0x5;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x7;netsvcs_0x7;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x8;netsvcs_0x8;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 netsvcs_0x9;netsvcs_0x9;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 Nwsapagent;Nwsapagent;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
S2 vqbwhlggycanp;vqbwhlggycanp;c:\windows\system32\drivers\fjenodsfacoiyt.sys [2009-5-15 65792]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-10-5 18864]
S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\common files\symantec shared\eengine\EraserUtilDrv10910.sys [2009-4-28 101936]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\system32\drivers\FCUSB.sys [2001-11-29 13104]
S3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [1979-12-31 65916]
S3 LSWL;Instant Wireless Network PC Card V2.5 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2008-9-8 50688]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [2009-5-15 5760]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090428.003\naveng.sys [2009-4-28 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090428.003\navex15.sys [2009-4-28 876144]
S3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [2002-6-9 6016]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\system32\drivers\USB100M.SYS [2004-3-30 27519]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2002-6-8 19968]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Nlaidevrnsa;Nlaidevrnsa; [x]
S4 YPWCA;YPWCA;c:\docume~1\ray~1.not\locals~1\temp\ypwca.exe --> c:\docume~1\ray~1.not\locals~1\temp\YPWCA.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-15 14:25 5,760 -------- c:\windows\system32\1.tmp
2009-05-15 09:02 213,024 a------- c:\windows\system32\drivers\str.sys
2009-05-15 09:01 65,792 a------- c:\windows\system32\drivers\fjenodsfacoiyt.sys
2009-05-15 09:01 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-15 09:01 <DIR> --d----- c:\program files\Microsoft Common
2009-05-03 10:57 <DIR> --d----- C:\!Submit

==================== Find3M ====================

2009-05-14 15:00 256 a------- c:\documents and settings\ray.notebook\pool.bin
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-19 14:50 97,649 a------- c:\windows\system32\nvModes.dat
2008-12-09 20:37 721,912 a------- c:\documents and settings\ray.notebook\gotomypc_428.exe
2008-11-14 11:33 82,792 a------- c:\docume~1\ray~1.not\applic~1\GDIPFONTCACHEV1.DAT
2006-09-10 14:36 563,712 a------- c:\documents and settings\ray.notebook\gotomypc_370.exe
2005-12-25 20:12 563,712 a------- c:\documents and settings\ray.notebook\370_gotomypc.exe
2005-10-14 19:15 2,449,408 a------- c:\documents and settings\ray.notebook\gosetup.exe
2005-09-16 20:51 483,401 a------- c:\documents and settings\ray.notebook\314_gotomypc.exe
2005-01-03 18:25 483,401 a------- c:\documents and settings\ray.notebook\gotomypc.exe
2008-08-10 15:05 2 a--shrot c:\windows\winstart.bat
2008-07-10 00:24 1,531 a--sh--- c:\windows\system32\nqWFOqss.ini2
2008-07-09 22:39 1,026 a--sh--- c:\windows\system32\nqWFOqssORG.ini2
2008-10-25 19:35 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2008-10-25 19:35 49,152 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-25 19:35 294,912 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:17:41.93 ===============


#2 SifuMike


Posted 18 May 2009 - 04:20 PM

Hello rdouglas,

Is this a company, corporate or work computer?

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Malwarebytes will not run in safe mode


Malwarebytes is not supposed to run in Safe Mode. Try it in Normal Mode.
Does it install OK? Or is running it a problem?


You zipped your Attached File attach.txt.
Please attach it, but in the txt format (not zipped). It is far easier to read that way.

Edited by SifuMike, 18 May 2009 - 04:23 PM (typo).
