Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help with IEEXPLORE/Security Software and Malware loading


  • This topic is locked This topic is locked
2 replies to this topic

#1 Wake27

Wake27

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 10 January 2010 - 01:06 PM

NOTE: I attempted to go through and be able to provide each report requested. I have been unable to get RootRepeal to complete. Locks my computer up and thus far have left it to run in safe mode overnight and for 2 hours in regular. Can't get the report to complete.

Below is what I have encountered to the best of my ability to describe as well as the other two logs that were requested.

Wasn't browsing at the time but happened to be sitting at my desk and saw a popup advertising security software or what I knew to be something malicious (and also got instantly worried since it had popped up out of no where meaning it was already on my pc). Decided not to even click the 'x' and try to end the process from TM but could only find an entry for IEXPLORE (I use firefox). Immediately ended it and then had instantly some activity with pop ups and icons showing in the toolbar. Appeared to be 'security software' advertising.

At that point, my attempts to research and/or resolve the issue got progressively harder. Was getting redirected search results (but using 'cached' in search results got me around this to download programs). My connectivity kept going in and out and at the worst point, I couldn't install or open any programs related to security. Renamed some of them to success but then saw in TM that regedit was opening whenever I typed anything (presumably, based off what I was typing the infection was adapting?) The renaming ability turned south and I decided to do something that I know is risky but since I have no ability to use another computer, I had to.

I rebooted in safemode and used a combination of smitfraud/combofix. (NOTE: While in safe mode, I saw a new 'space/drive' named d and unknown. This has since vanished after running those two). I should also note that for a time, IEXPLORE was also loading in safemode which I couldn't believe. Prevented me from opening anything there as well until I got lucky. I know that I could have lost information and/or made it difficult. I hope not but I had no choice in order to get on here for some help with this issue. Everything seems to lead to some security software 2009/10 but I was unwilling to click on ANYTHING to confirm this. In my experience, that only leads to multiplication of the problem and more of a headache.

Where it stands now:

I have functionality as much as getting on here and being able to post. I have Prevx loaded and just running in the background (free version). I do not have sd/teatimer running through Spybot b/c it makes no sense if i'm still infected.

I notice that when I type in google, the bottom bar shows clients1.google.com which I have never seen before. That combined with some odd in and out connection issues today has led me to think there is something still present.

Ahead of time, thank you for your time in this. You all provide a valuable resource.


(UPDATE since post)

I don't know what is relevant and what is not. This is not from the combo log but what it asked me to write down before rebooting. Only include it because I don't know the exact nature of the infection and figured anything helps.

H8SRtohnkocumha. There are additional names (4 in total that were located in system32) but all begin with H8SR. Sorry if this is irrelevant information.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 10:40:26.85 on Sun 01/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2603 [GMT -6:00]


============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\windows\system32\PnkBstrA.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AutorunsDisabled - No File
BHO: AskBar BHO - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9jtw620h.default\
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\9jtw620h.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2009-7-4 16640]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-5 28552]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-1-10 30280]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-1-10 6222312]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-1-10 47408]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-1-10 24496]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-6 234888]

=============== Created Last 30 ================

2010-01-10 16:17:51 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-01-10 16:17:51 47408 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-01-10 16:17:51 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-01-10 16:17:51 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-01-10 16:17:50 0 d-----w- c:\program files\Prevx
2010-01-10 16:17:44 48 ----a-w- c:\windows\wininit.ini
2010-01-10 16:17:44 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-01-10 15:41:45 0 d-----w- c:\windows\system32\xircom
2010-01-10 15:41:45 0 d-----w- c:\windows\system32\wbem\snmp
2010-01-10 15:41:45 0 d-----w- c:\windows\system32\oobe
2010-01-10 15:41:45 0 d-----w- c:\program files\windows nt
2010-01-10 15:41:44 0 d-----w- c:\windows\system32\inetsrv
2010-01-10 15:41:44 0 d-----w- c:\program files\msn gaming zone
2010-01-10 06:12:38 98816 ----a-w- c:\windows\sed.exe
2010-01-10 06:12:38 77312 ----a-w- c:\windows\MBR.exe
2010-01-10 06:12:38 261632 ----a-w- c:\windows\PEV.exe
2010-01-10 06:12:38 161792 ----a-w- c:\windows\SWREG.exe
2010-01-10 05:42:32 0 d-----w- c:\program files\TrendMicro
2010-01-10 05:12:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-10 05:12:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-09 13:36:23 4096 ----a-w- c:\windows\system32\crash
2010-01-09 04:50:57 38942 ----a-w- c:\program files\uninstall.exe
2010-01-09 03:33:31 0 d-----w- c:\program files\Game Cam V2
2010-01-05 04:58:36 2 ----a-w- c:\windows\msoffice.ini
2010-01-05 04:49:58 0 d-----w- c:\docume~1\owner\applic~1\AOL
2010-01-05 04:49:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
2010-01-05 04:49:36 0 d-----w- c:\program files\Viewpoint
2009-12-30 02:39:13 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2009-12-30 02:39:10 0 d-----w- c:\program files\common files\Software Update Utility
2009-12-30 02:39:10 0 d-----w- c:\program files\AIM
2009-12-27 04:42:17 0 d-----w- c:\program files\Windows Installer Clean Up
2009-12-27 04:42:12 0 d-----w- c:\program files\MSECACHE
2009-12-27 04:41:52 0 d-----w- c:\windows\system32\appmgmt
2009-12-26 18:48:07 0 d-----w- c:\program files\ATI
2009-12-26 18:47:54 0 d-----w- c:\program files\ATI Technologies
2009-12-26 18:47:19 0 d-----w- C:\ATI
2009-12-25 21:56:50 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-25 21:56:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 21:56:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-25 21:56:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 21:56:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 21:46:35 360580 ----a-w- c:\windows\eSellerateEngine.dll
2009-12-25 21:46:34 0 d-----w- c:\program files\Hot CPU Tester Pro 4 LE
2009-12-25 20:33:57 0 d-----r- C:\AHCache
2009-12-25 18:18:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-12-25 16:15:57 0 d-----w- c:\program files\World of Warcraft
2009-12-25 15:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2009-12-25 15:35:53 0 d-----w- c:\program files\common files\Blizzard Entertainment

==================== Find3M ====================

2009-12-30 07:08:35 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-12-30 07:08:26 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-25 03:50:16 4463104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26:52 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11:24 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10:54 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10:28 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59:54 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59:04 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44:28 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43:18 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42:54 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26:08 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21:40 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20:16 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19:26 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18:58 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18:26 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:18:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17:22 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12:38 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-05 17:26:14 139152 ----a-w- c:\docume~1\owner\applic~1\PnkBstrK.sys
2009-11-05 17:25:53 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-05 17:25:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-05 17:25:37 794408 ----a-w- c:\windows\system32\pbsvc(2).exe
2009-11-02 03:59:06 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-30 02:21:45 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-30 02:21:45 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-22 15:59:00 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-01-03 13:21:46 15706 ----a-w- c:\program files\changes.txt
2009-01-03 11:28:20 1203880 ----a-w- c:\program files\fraps.exe
2009-01-03 11:27:18 74920 ----a-w- c:\program files\fraps64.dat
2009-01-03 11:24:20 176128 ----a-w- c:\program files\fraps.dll
2009-01-03 11:24:14 127488 ----a-w- c:\program files\fraps64.dll
2009-01-03 11:23:44 159744 ----a-w- c:\program files\frapslcd.dll
2009-01-01 12:58:52 1852 ----a-w- c:\program files\README.HTM

============= FINISH: 10:40:39.03 ===============

Attached Files


Edited by Wake27, 10 January 2010 - 01:22 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:50 PM

Posted 16 January 2010 - 12:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:50 PM

Posted 23 January 2010 - 08:30 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users