
Malware - CWS.xxxx, unable to install MBAM, SuperAntivirus, etc.


  • This topic is locked
4 replies to this topic

#1 RDVoller

RDVoller

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:59 AM

Posted 08 August 2009 - 01:58 PM

I tried to repair my computer based on what I read and I seem to have a complex problem.
First, on startup when I reach the desktop I get a windows notification that "the Google installer encountered a problem and needed to close". I get it twice. Then I get the following:
1. I am unable to run antivirus, antimalware, ComboFix, etc. programs from the desktop.
2. I was able to run the CWShredder (latest download) and it found 3 items when I just scanned. When I tried to "Fix", a box pops up that says Windows must shut down...by NT Authority... (something like that...I tried to record it, print screen it, etc. but it does not let me). The remaining 2 variants are CWS.olehelp and CWS.AlfaSearch. I'm sorry, but I did not record the name of the one that was removed...my bad.
3. I did some scanning and fixing on my own and removed some trojans in safemode using Dr. Web Cureit! I did not record the variants, another mistake I made.

The speed of the computer is good and has not degraded. Here are some specs:
Win XP SP3
512 mb ram
Athlon XP 3000+

Here is the dds log, thanks for your help in advance. Regards, Rich


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 13:07:12.25 on Sat 08/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.165 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\websrvx\websrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [windows_update.exe] c:\documents and settings\owner\local settings\temp\windows_update.exe
uRun: [svchost] c:\documents and settings\owner\application data\svchost.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\jx15p5t2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 websrvx;websrvx;c:\program files\websrvx\websrvx.exe [2009-7-29 13312]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [2009-4-7 114944]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-4-7 11520]
S4 gupdate1c9c204bc72b8a4;Google Update Service (gupdate1c9c204bc72b8a4);c:\program files\google\update\GoogleUpdate.exe [2009-4-20 133104]

=============== Created Last 30 ================

2009-08-08 11:28 32,768 a---h--- c:\docume~1\owner\applic~1\svchost.exe
2009-08-07 13:14 <DIR> --d----- c:\program files\CCleaner
2009-08-07 12:43 701,386 ac------ c:\windows\system32\dllcache\wdhaalba.sys
2009-08-07 12:42 113,762 ac------ c:\windows\system32\dllcache\usrpda.sys
2009-08-07 12:41 216,064 ac------ c:\windows\system32\dllcache\um34scan.dll
2009-08-07 12:40 123,995 ac------ c:\windows\system32\dllcache\tjisdn.sys
2009-08-07 12:39 10,240 ac------ c:\windows\system32\dllcache\swpdflt2.dll
2009-08-07 12:38 114,688 ac------ c:\windows\system32\dllcache\sonypi.dll
2009-08-07 12:37 28,160 ac------ c:\windows\system32\dllcache\sm91w.dll
2009-08-07 12:36 98,080 ac------ c:\windows\system32\dllcache\sgiulnt5.sys
2009-08-07 12:35 210,496 ac------ c:\windows\system32\dllcache\s3mvirge.dll
2009-08-07 12:34 714,762 ac------ c:\windows\system32\dllcache\r2mdmkxx.sys
2009-08-07 12:33 17,792 ac------ c:\windows\system32\dllcache\ppa.sys
2009-08-07 12:32 26,153 ac------ c:\windows\system32\dllcache\pcmlm56.sys
2009-08-07 12:31 51,552 ac------ c:\windows\system32\dllcache\ntgrip.sys
2009-08-07 12:30 35,392 ac------ c:\windows\system32\dllcache\n9i128.dll
2009-08-07 12:29 6,528 ac------ c:\windows\system32\dllcache\miniqic.sys
2009-08-07 12:28 70,730 ac------ c:\windows\system32\dllcache\lne100tx.sys
2009-08-07 12:27 100,992 ac------ c:\windows\system32\dllcache\icam5usb.sys
2009-08-07 12:26 391,199 ac------ c:\windows\system32\dllcache\hsf_k56k.sys
2009-08-07 12:25 907,456 ac------ c:\windows\system32\dllcache\hcf_msft.sys
2009-08-07 12:24 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
2009-08-07 12:23 171,520 ac------ c:\windows\system32\dllcache\el99xn51.sys
2009-08-07 12:22 19,594 ac------ c:\windows\system32\dllcache\e100isa4.sys
2009-08-07 12:21 29,768 ac------ c:\windows\system32\dllcache\divasu.dll
2009-08-07 12:20 3,072 ac------ c:\windows\system32\dllcache\cwbmidi.sys
2009-08-07 12:17 186,402 ac------ c:\windows\system32\dllcache\c_20001.nls
2009-08-07 12:15 23,552 ac------ c:\windows\system32\dllcache\atixbar.sys
2009-08-07 07:25 101,888 ac------ c:\windows\system32\dllcache\adpu160m.sys
2009-08-06 20:56 3,155,573 a------- C:\cf.exe
2009-08-05 05:06 <DIR> --d----- c:\windows\pss
2009-08-04 21:13 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-08-04 21:13 21,504 a------- c:\windows\system32\hidserv.dll
2009-08-04 21:13 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-08-04 21:13 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-08-04 21:13 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-08-04 21:13 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-04 21:13 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-08-04 21:13 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-08-03 19:06 2 a------- c:\windows\0101120101465353.dat
2009-08-03 00:03 36 a------- c:\documents and settings\owner\links.dat
2009-08-01 20:06 <DIR> --d----- c:\program files\AskSearch
2009-08-01 20:06 <DIR> --d----- c:\program files\AskBarDis
2009-08-01 20:05 <DIR> --d----- c:\program files\Gamevance
2009-07-31 22:02 164 a------- c:\documents and settings\owner\keywords.dat
2009-07-31 19:44 247 a------- c:\windows\prxid93ps.dat
2009-07-31 09:29 2 a------- c:\windows\0101120101465253.dat
2009-07-31 08:29 2 a------- c:\windows\010112010146120114.dat
2009-07-29 17:17 <DIR> --d----- c:\program files\websrvx
2009-07-29 17:17 2 a------- c:\windows\01011201014650120.dat
2009-07-29 17:17 2 a------- c:\windows\0101120101465153.dat
2009-07-28 20:51 282,664 a--sh--- c:\docume~1\owner\applic~1\nrnakqzq.dll
2009-07-28 18:14 2 a------- c:\windows\0535251103110107106.uio
2009-07-28 18:14 2 a------- c:\windows\0101120101465749.dat
2009-07-28 18:14 1 ----h--- c:\windows\th823567.dat
2009-07-28 18:14 1 ----h--- c:\windows\jmmark2.dat
2009-07-28 18:14 2 a------- c:\windows\0101120101465053.dat
2009-07-28 17:14 <DIR> --d----- c:\program files\sFX
2009-07-28 17:14 1 a------- c:\windows\934fdfg34fgjf23
2009-07-28 17:14 2 a------- c:\windows\0101120101464849.dat
2009-07-28 17:14 2 a------- c:\windows\010112010146118114.dat
2009-07-28 12:28 <DIR> --d----- c:\program files\FunWebProducts
2009-07-28 12:28 <DIR> --d----- c:\program files\MyWebSearch
2009-07-25 17:13 24,576 a------- c:\windows\system32\drivers\ndisrd.sys
2009-07-25 17:13 <DIR> --d----- c:\program files\common files\Uninstall
2009-07-25 16:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\3DVIA
2009-07-25 16:59 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-07-25 16:59 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-07-25 16:59 <DIR> --d----- c:\windows\Logs
2009-07-25 16:59 <DIR> --d----- c:\program files\Virtools
2009-07-25 07:13 <DIR> --d----- C:\hegames
2009-07-25 07:12 450 a------- c:\windows\hegames.ini
2009-07-15 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-15 18:04 <DIR> --d----- c:\program files\NortonInstaller
2009-07-15 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

==================== Find3M ====================

2009-07-29 07:23 90,112 a------- c:\windows\DUMP39bd.tmp
2009-05-31 13:56 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 13:07:42.82 ===============

Edited by RDVoller, 08 August 2009 - 03:28 PM.



#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 20 August 2009 - 03:35 AM

Hello RDVoller, and welcome to BleepingComputer.com!

We apologize for the delay in responding to your request for help. Here at BleepingComputer.com we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply within the next 5 days, we will need to close your topic.

Please take note of some guidelines for this fix:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.
  • The process is not instant: even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean. We do not want to clean you part-way, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure. The topics you are tracking can be found here.
  • Please reply to this thread using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Reviewing your log(s) requires an amount of research, so please be patient. However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.


If you still require assistance, please post a new set of logs from DDS and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Then, please check for rootkits with RootRepeal:

So for your next reply, I would like to see:
  • the DDS logs:
    • DDS.txt
    • Attach.txt (attached)
  • the RootRepeal report (RootRepeal.txt)
  • a description of any remaining problems
Thanks again and we apologize for the delay.

With kindest regards,

htv8

Reason for edit: BBCode error...

Edited by htv8, 20 August 2009 - 04:12 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 RDVoller

RDVoller
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:59 AM

Posted 20 August 2009 - 10:05 PM

Thanks for your reply htv8,

Knowing that there could be a delay in response, I took the time to read the tutorials and I was able to fix the situation myself. The process was rather lengthy and took several sessions to complete, but I am convinced that I am free of the variants.

Thanks again for all you do in the fight against CRAP.

Regards,

Voller

#4 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 21 August 2009 - 06:03 AM

Good to know you were able to fix things yourself, RDVoller. :thumbup2: I assume we can mark this topic as resolved then? If, however, you want me to check if there's still anything left, go ahead with the above instructions and I'll be happy to have a look over your logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:59 AM

Posted 26 August 2009 - 02:11 AM

As the problem here seems to be resolved, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. If you should have a new issue, please start a new topic. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
