
Clean up my harddrive from nasty malware infection


  • This topic is locked
3 replies to this topic

#1 surfside412

surfside412

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 29 June 2009 - 08:51 PM

My pc is infected with a nasty bug. I have Windows XP pro SP3. First I got a desktop telling me "Warning, your computer is infected ...". I ran Malwarebytes & Spybot. Tried to run an updated Eset nod32 but the old version will not uninstall. My pc is running a lot better, but is still sick. How can I cure this problem?


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dave at 21:25:49.28 on Mon 06/29/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.632 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Dave\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} - hxxps://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113010901656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132009487281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {279B4F7C-86AB-4F5A-B67A-CF9B5BD51B7E} = 4.2.2.1,4.2.2.2
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2007-5-24 22968]
R2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2007-7-5 20424]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2007-7-5 161352]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-11-8 455936]
R2 RadeSvc;Citrix Streaming Service;c:\program files\citrix\streaming client\RadeSvc.exe [2007-7-5 237568]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-4-20 517632]
S1 662e21e7;662e21e7;c:\windows\system32\drivers\662e21e7.sys --> c:\windows\system32\drivers\662e21e7.sys [?]
S2 fviwiixfjcey;fviwiixfjcey;\??\c:\windows\system32\drivers\bgvcnkr.sys --> c:\windows\system32\drivers\bgvcnkr.sys [?]
S3 1e07;1e07;\??\c:\windows\system32\1e07.sys --> c:\windows\system32\1e07.sys [?]
S3 43113;43113;\??\c:\windows\system32\43113.sys --> c:\windows\system32\43113.sys [?]
S3 7c38;7c38;\??\c:\windows\system32\7c38.sys --> c:\windows\system32\7c38.sys [?]
S3 93c2;93c2;\??\c:\windows\system32\93c2.sys --> c:\windows\system32\93c2.sys [?]
S3 9afB;9afB;\??\c:\windows\system32\9afb.sys --> c:\windows\system32\9afB.sys [?]
S3 9c612;9c612;\??\c:\windows\system32\9c612.sys --> c:\windows\system32\9c612.sys [?]
S3 c383;c383;\??\c:\windows\system32\c383.sys --> c:\windows\system32\c383.sys [?]
S3 cddA;cddA;\??\c:\windows\system32\cdda.sys --> c:\windows\system32\cddA.sys [?]
S3 cecE;cecE;\??\c:\windows\system32\cece.sys --> c:\windows\system32\cecE.sys [?]
S3 d3b10;d3b10;\??\c:\windows\system32\d3b10.sys --> c:\windows\system32\d3b10.sys [?]
S3 d71C;d71C;\??\c:\windows\system32\d71c.sys --> c:\windows\system32\d71C.sys [?]
S3 e00F;e00F;\??\c:\windows\system32\e00f.sys --> c:\windows\system32\e00F.sys [?]
S3 e9b14;e9b14;\??\c:\windows\system32\e9b14.sys --> c:\windows\system32\e9b14.sys [?]
S3 f6f6;f6f6;\??\c:\windows\system32\f6f6.sys --> c:\windows\system32\f6f6.sys [?]
S3 fb34;fb34;\??\c:\windows\system32\fb34.sys --> c:\windows\system32\fb34.sys [?]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-8-10 194272]

=============== Created Last 30 ================

2009-06-28 05:29 36,864 a------- c:\windows\system32\avast!Antivirus.exe
2009-06-28 05:21 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-28 05:11 <DIR> a-dshr-- C:\cmdcons
2009-06-28 05:09 161,792 a------- c:\windows\SWREG.exe
2009-06-28 05:09 155,136 a------- c:\windows\PEV.exe
2009-06-28 05:09 98,816 a------- c:\windows\sed.exe
2009-06-26 22:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-26 22:37 <DIR> --d----- C:\Zdumpster
2009-06-26 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 10:16 1,555 a------- c:\windows\SelectPhoneUninstall.MIF
2009-06-08 11:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-05 21:34 <DIR> --d----- c:\docume~1\dave\applic~1\Malwarebytes
2009-06-05 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-04 23:12 46 a------- C:\p2hhr.bat
2009-06-04 23:06 2 a------- C:\-394376302
2009-06-04 23:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\92962806
2009-06-04 23:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12952814
2009-06-04 22:21 <DIR> --d----- c:\documents and settings\dave\Old Favorites

==================== Find3M ====================

2009-06-04 23:07 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-12 14:27 61,224 a------- c:\documents and settings\dave\GoToAssistDownloadHelper.exe
2006-06-29 15:06 389,933 a------- c:\docume~1\alluse~1\applic~1\support.exe
2005-11-30 01:41 560 ac------ c:\docume~1\dave\applic~1\ViewerApp.dat
2005-05-27 18:10 98,370 a------- c:\docume~1\alluse~1\applic~1\vnchooks.dll
2005-05-18 00:36 344,064 a------- c:\documents and settings\dave\remote.exe
2009-02-10 16:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021020090211\index.dat

============= FINISH: 21:26:12.51 ===============
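One way to triage a DDS log like the one posted above, as an added example that is not part of this thread and not a DDS feature: the triage heuristics (a service whose file DDS could not read, shown as `[?]`; a short hex-like service name; a `.sys` sitting directly in `system32` instead of `system32\drivers`; an IE proxy pointing at the local machine) are my own assumptions for a defender reading the log, and the sample lines are copied from the report above.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread,
# trimmed to the entries the heuristics below care about.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-11-8 455936]
R3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-4-20 517632]
S1 662e21e7;662e21e7;c:\windows\system32\drivers\662e21e7.sys --> c:\windows\system32\drivers\662e21e7.sys [?]
S2 fviwiixfjcey;fviwiixfjcey;\??\c:\windows\system32\drivers\bgvcnkr.sys --> c:\windows\system32\drivers\bgvcnkr.sys [?]
S3 1e07;1e07;\??\c:\windows\system32\1e07.sys --> c:\windows\system32\1e07.sys [?]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-8-10 194272]
"""

# DDS service/driver line: "<R|S><start> name;display;path [date size]" or "[?]".
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
HEXISH_RE = re.compile(r"^[0-9a-f]{4,8}$", re.IGNORECASE)
SYS_IN_SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\.sys$", re.IGNORECASE)
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def triage(log_text):
    """Return {entry_name: [reasons]} for log lines matching the assumed heuristics."""
    findings = {}
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m and any(h in m.group(1).lower() for h in LOCAL_HOSTS):
            findings["ProxyServer"] = ["IE proxy points at the local machine: browser traffic is relayed through a local process"]
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, _start, name, display, path, info = m.groups()
        path = path.split("-->")[-1].strip()  # prefer the resolved path when DDS printed one
        unreadable = info.strip() == "?"
        reasons = []
        if unreadable:
            reasons.append("DDS printed [?]: it could not read the file's date and size")
        if HEXISH_RE.match(name):
            reasons.append("service name is a short hex-like string")
        elif display == name and unreadable:
            reasons.append("random-looking name reused as display name, and file unreadable")
        if SYS_IN_SYSTEM32_RE.search(path):
            reasons.append("driver placed directly in system32 rather than system32\\drivers")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```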


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:17 AM

Posted 03 July 2009 - 11:22 AM

Hello, surfside412.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:09:17 AM

Posted 06 July 2009 - 05:09 AM

Hello surfside412
Are you still with us?

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:17 AM

Posted 08 July 2009 - 07:52 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security