
Just used MBAM--computer shuts off after 15mins


  • This topic is locked
15 replies to this topic

#1 kmc2000

kmc2000

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 26 January 2010 - 09:32 PM

Hello, I need help fixing my computer. I have been battling with this for the last 2 days. I have posted both logs from Hijackthis below. Please let me know what other information is needed. Thanks for your help!



DDS (Ver_09-12-01.01) - NTFSx86
Run by Tuan Chau at 21:16:12.43 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.154 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Tuan Chau\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\f2CaeHaQD.exe" /runcleanupscript
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
AppInit_DLLs: c:\windows\system32\wipekoka.dll,sinehotu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vefeziriw - {c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
STS: mujuzedij: {c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
LSA: Notification Packages = scecli susonuno.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tuanch~1\applic~1\mozilla\firefox\profiles\4vwodw0b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\tuan chau\application data\mozilla\firefox\profiles\4vwodw0b.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-30 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-1-26 58016]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-1-26 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-8-18 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-8-18 28672]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-6-22 24652]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-1-26 108256]
S1 hbzgfgjh;hbzgfgjh;\??\c:\windows\system32\drivers\hbzgfgjh.sys --> c:\windows\system32\drivers\hbzgfgjh.sys [?]
S1 svchost.exe;svchost.exe;\??\c:\windows\system32\drivers\svchost.exe.sys [2010-1-22 0]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-12-6 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-12-6 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2005-12-6 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2005-12-6 10368]
S3 C792nO7p;C792nO7p;\??\c:\windows\system32\drivers\c792no7p.sys --> c:\windows\system32\drivers\C792nO7p.sys [?]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2010-01-27 02:11:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-25 06:44:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 06:43:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 06:42:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 06:06:21 4050368 ----a-w- c:\windows\pfirewall.log.old
2010-01-23 20:43:43 0 d-----w- c:\docume~1\tuanch~1\applic~1\Malwarebytes
2010-01-23 20:41:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-23 16:03:29 0 ----a-w- c:\windows\system32\17421.exe
2010-01-23 15:43:28 0 ----a-w- c:\windows\system32\12382.exe
2010-01-23 15:23:28 0 ----a-w- c:\windows\system32\292.exe
2010-01-23 09:10:35 0 ----a-w- c:\windows\system32\15724.exe
2010-01-23 08:50:34 0 ----a-w- c:\windows\system32\19169.exe
2010-01-23 00:49:12 0 ----a-w- c:\windows\system32\32662.exe
2010-01-23 00:29:04 0 ----a-w- c:\windows\system32\27644.exe
2010-01-23 00:08:52 0 ----a-w- c:\windows\system32\25547.exe
2010-01-22 23:48:38 0 ----a-w- c:\windows\system32\6868.exe
2010-01-22 23:28:29 0 ----a-w- c:\windows\system32\28253.exe
2010-01-22 23:08:16 0 ----a-w- c:\windows\system32\7711.exe
2010-01-22 22:48:10 0 ----a-w- c:\windows\system32\15141.exe
2010-01-22 22:23:18 0 ----a-w- c:\windows\system32\4664.exe
2010-01-22 22:03:11 0 ----a-w- c:\windows\system32\17673.exe
2010-01-22 21:43:06 0 ----a-w- c:\windows\system32\30333.exe
2010-01-22 21:22:54 0 ----a-w- c:\windows\system32\31322.exe
2010-01-22 21:02:49 0 ----a-w- c:\windows\system32\23811.exe
2010-01-22 20:42:34 0 ----a-w- c:\windows\system32\28703.exe
2010-01-22 20:22:29 0 ----a-w- c:\windows\system32\9894.exe
2010-01-22 20:02:25 0 ----a-w- c:\windows\system32\17035.exe
2010-01-22 19:42:21 0 ----a-w- c:\windows\system32\26299.exe
2010-01-22 19:22:16 0 ----a-w- c:\windows\system32\25667.exe
2010-01-22 19:02:10 0 ----a-w- c:\windows\system32\19912.exe
2010-01-22 18:41:58 0 ----a-w- c:\windows\system32\1869.exe
2010-01-22 18:21:54 0 ----a-w- c:\windows\system32\11538.exe
2010-01-22 18:01:42 0 ----a-w- c:\windows\system32\14771.exe
2010-01-22 17:41:37 0 ----a-w- c:\windows\system32\21726.exe
2010-01-22 17:21:26 0 ----a-w- c:\windows\system32\5447.exe
2010-01-22 17:01:22 0 ----a-w- c:\windows\system32\19895.exe
2010-01-22 16:41:09 0 ----a-w- c:\windows\system32\19718.exe
2010-01-22 16:21:04 0 ----a-w- c:\windows\system32\18716.exe
2010-01-22 14:58:33 0 ----a-w- c:\windows\system32\153.exe
2010-01-22 14:38:30 0 ----a-w- c:\windows\system32\3902.exe
2010-01-22 14:18:28 0 ----a-w- c:\windows\system32\14604.exe
2010-01-22 13:58:19 0 ----a-w- c:\windows\system32\32391.exe
2010-01-22 13:38:17 0 ----a-w- c:\windows\system32\5436.exe
2010-01-22 13:18:08 0 ----a-w- c:\windows\system32\4827.exe
2010-01-22 12:58:05 0 ----a-w- c:\windows\system32\11942.exe
2010-01-22 12:37:58 0 ----a-w- c:\windows\system32\2995.exe
2010-01-22 12:17:55 0 ----a-w- c:\windows\system32\491.exe
2010-01-22 11:57:49 0 ----a-w- c:\windows\system32\9961.exe
2010-01-22 11:37:47 0 ----a-w- c:\windows\system32\16827.exe
2010-01-22 11:17:40 0 ----a-w- c:\windows\system32\23281.exe
2010-01-22 10:57:38 0 ----a-w- c:\windows\system32\28145.exe
2010-01-22 10:37:34 0 ----a-w- c:\windows\system32\5705.exe
2010-01-22 10:17:31 0 ----a-w- c:\windows\system32\24464.exe
2010-01-22 09:57:29 0 ----a-w- c:\windows\system32\26962.exe
2010-01-22 09:37:28 0 ----a-w- c:\windows\system32\29358.exe
2010-01-22 09:17:26 0 ----a-w- c:\windows\system32\11478.exe
2010-01-22 08:15:57 0 ----a-w- c:\windows\system32\26500.exe
2010-01-22 07:55:56 0 ----a-w- c:\windows\system32\6334.exe
2010-01-22 07:35:55 0 ----a-w- c:\windows\system32\18467.exe
2010-01-22 07:23:55 0 ----a-w- c:\windows\system32\drivers\svchost.exe.sys
2010-01-17 17:36:06 6947 ------w- c:\windows\hpomdl11.dat.temp
2010-01-17 17:36:06 110415 ------w- c:\windows\hpoins11.dat.temp
2010-01-17 17:35:21 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 21:46:45 0 d-----w- c:\program files\Samsung
2010-01-09 21:46:45 0 d-----w- c:\docume~1\tuanch~1\applic~1\Intelli-studio

==================== Find3M ====================

2010-01-20 21:42:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-17 17:36:16 110062 ----a-w- c:\windows\hpoins11.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 21:19:10.17 ===============
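The pseudo-HJT report above contains the indicators a responder would otherwise pull out by hand: random-named DLLs under AppInit_DLLs, in the LSA Notification Packages list and in SSODL, a zero-byte `svchost.exe.sys` driver service, and a run of zero-byte, numerically named `.exe` files created in `system32` roughly every 20 minutes. The Python below is an added triage example; it is not part of the original post and not part of the DDS tool. It parses a few constructed lines copied from this log, flags autostart entries against a small allowlist (the allowlist, the `[... 0]` / `[?]` service check and the "numbered zero-byte exe" pattern are the editor's own heuristics, not anything DDS emits), and measures how regularly the numbered executables appeared.

```python
import re
from datetime import datetime
from statistics import median

# Editor's assumptions: what is normal on a Windows XP box for the keys below.
# Anything else under those keys is surfaced for review, not declared malicious.
KNOWN_LSA_PACKAGES = {"scecli"}
KNOWN_SSODL_DLLS = {"wpdshserviceobj.dll"}

# Constructed sample: lines copied verbatim from the DDS log in this thread.
SAMPLE_REPORT = r"""
AppInit_DLLs: c:\windows\system32\wipekoka.dll,sinehotu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vefeziriw - {c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
LSA: Notification Packages = scecli susonuno.dll
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: buy-internet-security10.com
S1 svchost.exe;svchost.exe;\??\c:\windows\system32\drivers\svchost.exe.sys [2010-1-22 0]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-8-18 221191]
2010-01-25 06:42:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 23:48:38 0 ----a-w- c:\windows\system32\6868.exe
2010-01-22 23:28:29 0 ----a-w- c:\windows\system32\28253.exe
2010-01-22 23:08:16 0 ----a-w- c:\windows\system32\7711.exe
"""

# "Created Last 30" row: timestamp, size, attribute string, path.
_CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# Service/driver row: R0..S3, name;display;path [date size] or [?] / [x].
_SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")


def _basename(path):
    return path.strip().lower().rsplit("\\", 1)[-1]


def flag_persistence(report):
    """Return (category, detail) pairs for autostart entries that merit review."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Empty on a clean XP install; every DLL listed here is loaded into
            # each process that maps user32.dll, so any value is worth a look.
            for dll in line.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(("AppInit_DLLs", dll.strip()))
        elif line.startswith("LSA: Notification Packages"):
            # These packages see every password change; scecli is the stock one.
            for pkg in line.split("=", 1)[1].split():
                name = _basename(pkg)
                if name.endswith(".dll"):
                    name = name[:-4]
                if name not in KNOWN_LSA_PACKAGES:
                    findings.append(("LSA Notification Package", pkg))
        elif line.startswith("SSODL:"):
            # ShellServiceObjectDelayLoad objects are loaded by Explorer at logon.
            dll = _basename(line.rsplit(" - ", 1)[-1])
            if dll not in KNOWN_SSODL_DLLS:
                findings.append(("SSODL", dll))
        elif line.startswith("Trusted Zone:"):
            # Trusted Zone sites get relaxed ActiveX handling; users rarely add these.
            findings.append(("Trusted Zone", line.split(":", 1)[1].strip()))
        elif "Policies-" in line and "DisableTaskMgr = 1" in line:
            findings.append(("Policy", "DisableTaskMgr = 1"))
        else:
            m = _SERVICE_RE.match(line)
            if m and (m.group("meta") in ("?", "x") or m.group("meta").endswith(" 0")):
                # Zero-byte or missing image: cannot be doing legitimate work,
                # yet still occupies an autostart slot (or hides a real driver).
                findings.append(("Service", m.group("name")))
    return findings


def zero_byte_exe_runs(report, directory="c:\\windows\\system32\\"):
    """Count zero-byte, numerically named .exe files created in `directory`
    and return (count, median gap between creations in minutes)."""
    times = []
    for raw in report.splitlines():
        m = _CREATED_RE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        name = _basename(path)
        if (size == "0" and attrs.startswith("-")          # a file, not a directory
                and path.lower().startswith(directory)
                and re.fullmatch(r"\d+\.exe", name)):
            times.append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    times.sort()
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return len(times), (median(gaps) if gaps else None)


if __name__ == "__main__":
    for category, detail in flag_persistence(SAMPLE_REPORT):
        print(f"{category:26} {detail}")
    count, gap = zero_byte_exe_runs(SAMPLE_REPORT)
    print(f"{count} zero-byte numbered executables, median gap {gap:.1f} min")
```

To run it against a saved DDS.txt, replace `SAMPLE_REPORT` with the file contents. Only the record shapes that appear in this log are parsed (pseudo-HJT keys, `R`/`S` service rows and `Created Last 30` rows), and an allowlist miss means "review", not "malicious": WPDShServiceObj is stock Windows, and the same SSODL check would flag a legitimate vendor entry just as readily.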


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:55 AM

Posted 02 February 2010 - 06:23 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 kmc2000

kmc2000
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 02 February 2010 - 07:04 PM

Thanks EB, for your help. I will have what you requested posted shortly.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:55 AM

Posted 02 February 2010 - 07:28 PM

Okay. Thanks for letting me know.

#5 kmc2000

kmc2000
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 03 February 2010 - 07:19 AM

EB, I was infected with the Internet Security 2010 malware again! I followed the instructions provided by bleepingcomputer.com in order to remove the malware by:

1) running rkill
2) running MBAM (the program was able to complete its scan and delete the files, but when it came to the last step where it had to reboot in order to remove the rest of the problem, the system would not reboot. Only a blank desktop showed, so I did a manual power-off)

Here are the logs you requested (attach.txt is attached):

DDS (Ver_09-12-01.01) - NTFSx86
Run by Tuan Chau at 6:46:03.20 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.392 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\Tuan Chau\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [nForce Tray Options] sstray.exe /r
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Vyutazaqes] rundll32.exe "c:\windows\iciwemowe.dll",Startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\EnXVkdCCT.exe" /runcleanupscript
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
AppInit_DLLs: c:\windows\system32\wipekoka.dll,sinehotu.dll,nutowuko.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vefeziriw - {c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
STS: mujuzedij: {c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
LSA: Notification Packages = scecli susonuno.dll wult80.dll neduwozi.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tuanch~1\applic~1\mozilla\firefox\profiles\4vwodw0b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {9939C0C3-E5AB-4489-B3DD-E3AB9CF2E3AF} - c:\documents and settings\tuan chau\local settings\application data\{9939C0C3-E5AB-4489-B3DD-E3AB9CF2E3AF}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-30 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-1-26 58016]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-1-26 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-8-18 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-8-18 28672]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-6-22 24652]
S1 hbzgfgjh;hbzgfgjh;\??\c:\windows\system32\drivers\hbzgfgjh.sys --> c:\windows\system32\drivers\hbzgfgjh.sys [?]
S1 svchost.exe;svchost.exe;\??\c:\windows\system32\drivers\svchost.exe.sys [2010-1-22 0]
S2 asc3550p;asc3550p; [x]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-12-6 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2005-12-6 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2005-12-6 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2005-12-6 10368]
S3 C792nO7p;C792nO7p;\??\c:\windows\system32\drivers\c792no7p.sys --> c:\windows\system32\drivers\C792nO7p.sys [?]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-1-26 108256]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2010-02-03 03:23:35 38224 ----a-w- c:\windows\system32

\drivers\mbamswissarmy.sys
2010-02-03 03:23:30 19160 ----a-w- c:\windows\system32

\drivers\mbam.sys
2010-01-27 02:11:28 552 ----a-w- c:\windows\system32

\d3d8caps.dat
2010-01-25 06:42:59 0 d-----w- c:\program

files\Malwarebytes' Anti-Malware
2010-01-25 06:06:21 4194305 ----a-w-

c:\windows\pfirewall.log.old
2010-01-23 20:43:43 0 d-----w- c:\docume~1\tuanch~1

\applic~1\Malwarebytes
2010-01-23 20:41:43 0 d-----w- c:\docume~1\alluse~1

\applic~1\Malwarebytes
2010-01-23 16:03:29 0 ----a-w- c:\windows\system32

\17421.exe
2010-01-23 15:43:28 0 ----a-w- c:\windows\system32

\12382.exe
2010-01-23 15:23:28 0 ----a-w- c:\windows\system32\292.exe
2010-01-23 09:10:35 0 ----a-w- c:\windows\system32

\15724.exe
2010-01-23 08:50:34 0 ----a-w- c:\windows\system32

\19169.exe
2010-01-23 00:49:12 0 ----a-w- c:\windows\system32

\32662.exe
2010-01-23 00:29:04 0 ----a-w- c:\windows\system32

\27644.exe
2010-01-23 00:08:52 0 ----a-w- c:\windows\system32

\25547.exe
2010-01-22 23:48:38 0 ----a-w- c:\windows\system32

\6868.exe
2010-01-22 23:28:29 0 ----a-w- c:\windows\system32

\28253.exe
2010-01-22 23:08:16 0 ----a-w- c:\windows\system32

\7711.exe
2010-01-22 22:48:10 0 ----a-w- c:\windows\system32

\15141.exe
2010-01-22 22:23:18 0 ----a-w- c:\windows\system32

\4664.exe
2010-01-22 22:03:11 0 ----a-w- c:\windows\system32

\17673.exe
2010-01-22 21:43:06 0 ----a-w- c:\windows\system32

\30333.exe
2010-01-22 21:22:54 0 ----a-w- c:\windows\system32

\31322.exe
2010-01-22 21:02:49 0 ----a-w- c:\windows\system32

\23811.exe
2010-01-22 20:42:34 0 ----a-w- c:\windows\system32

\28703.exe
2010-01-22 20:22:29 0 ----a-w- c:\windows\system32

\9894.exe
2010-01-22 20:02:25 0 ----a-w- c:\windows\system32

\17035.exe
2010-01-22 19:42:21 0 ----a-w- c:\windows\system32

\26299.exe
2010-01-22 19:22:16 0 ----a-w- c:\windows\system32

\25667.exe
2010-01-22 19:02:10 0 ----a-w- c:\windows\system32

\19912.exe
2010-01-22 18:41:58 0 ----a-w- c:\windows\system32

\1869.exe
2010-01-22 18:21:54 0 ----a-w- c:\windows\system32

\11538.exe
2010-01-22 18:01:42 0 ----a-w- c:\windows\system32

\14771.exe
2010-01-22 17:41:37 0 ----a-w- c:\windows\system32

\21726.exe
2010-01-22 17:21:26 0 ----a-w- c:\windows\system32

\5447.exe
2010-01-22 17:01:22 0 ----a-w- c:\windows\system32

\19895.exe
2010-01-22 16:41:09 0 ----a-w- c:\windows\system32

\19718.exe
2010-01-22 16:21:04 0 ----a-w- c:\windows\system32

\18716.exe
2010-01-22 14:58:33 0 ----a-w- c:\windows\system32\153.exe
2010-01-22 14:38:30 0 ----a-w- c:\windows\system32

\3902.exe
2010-01-22 14:18:28 0 ----a-w- c:\windows\system32

\14604.exe
2010-01-22 13:58:19 0 ----a-w- c:\windows\system32

\32391.exe
2010-01-22 13:38:17 0 ----a-w- c:\windows\system32

\5436.exe
2010-01-22 13:18:08 0 ----a-w- c:\windows\system32

\4827.exe
2010-01-22 12:58:05 0 ----a-w- c:\windows\system32

\11942.exe
2010-01-22 12:37:58 0 ----a-w- c:\windows\system32

\2995.exe
2010-01-22 12:17:55 0 ----a-w- c:\windows\system32\491.exe
2010-01-22 11:57:49 0 ----a-w- c:\windows\system32

\9961.exe
2010-01-22 11:37:47 0 ----a-w- c:\windows\system32

\16827.exe
2010-01-22 11:17:40 0 ----a-w- c:\windows\system32

\23281.exe
2010-01-22 10:57:38 0 ----a-w- c:\windows\system32

\28145.exe
2010-01-22 10:37:34 0 ----a-w- c:\windows\system32

\5705.exe
2010-01-22 10:17:31 0 ----a-w- c:\windows\system32

\24464.exe
2010-01-22 09:57:29 0 ----a-w- c:\windows\system32

\26962.exe
2010-01-22 09:37:28 0 ----a-w- c:\windows\system32

\29358.exe
2010-01-22 09:17:26 0 ----a-w- c:\windows\system32

\11478.exe
2010-01-22 08:15:57 0 ----a-w- c:\windows\system32

\26500.exe
2010-01-22 07:55:56 0 ----a-w- c:\windows\system32

\6334.exe
2010-01-22 07:35:55 0 ----a-w- c:\windows\system32

\18467.exe
2010-01-22 07:23:55 0 ----a-w- c:\windows\system32

\drivers\svchost.exe.sys
2010-01-17 17:36:06 6947 ------w-

c:\windows\hpomdl11.dat.temp
2010-01-17 17:36:06 110415 ------w-

c:\windows\hpoins11.dat.temp
2010-01-17 17:35:21 471552 -c----w- c:\windows\system32

\dllcache\aclayers.dll
2010-01-09 21:46:45 0 d-----w- c:\program files\Samsung
2010-01-09 21:46:45 0 d-----w- c:\docume~1\tuanch~1

\applic~1\Intelli-studio

==================== Find3M ====================

2010-01-28 02:27:24 96512 ----a-w- c:\windows\system32

\drivers\atapi.sys
2010-01-17 17:36:16 110062 ----a-w- c:\windows\hpoins11.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32

\wininet.dll

============= FINISH: 6:49:14.73 ===============




...AND THE ROOT REPEAL:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/03 06:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: enqedmw.sys
Image Path: enqedmw.sys
Address: 0xF7487000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8BAB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\temp\flaC.tmp
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf74e787e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x856cf109

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf74e7bfe

==EOF==

Other issues I'm having are:
1) Microsoft Office programs are not loading
2) ads pop up in a new tab using Firefox
3) a pop-up window titled VirusScan On-Access Scan Messages constantly showing "New Malware"
(Name: svchost.exe, Pathname c:\WINDOWS\temp\tcep.tmp\svchost.exe, Detected As: New Malware.j, State: Moved (Clean failed because the file isn't cleanable))
a new message displays every 5 min or so.

thanks for all your help, EB...


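The DDS and RootRepeal excerpts in the post above carry the indicators the helper acted on: a zero-byte driver registered under the name svchost.exe.sys, dozens of zero-byte all-digit .exe files appearing in system32 at roughly 20-minute intervals, and an SSDT hook RootRepeal could only attribute to "<unknown>". The script below is an added example, not code from this thread or from the DDS or RootRepeal authors; it parses lines in those two log formats and pulls those indicators out mechanically. The SAMPLE_* lists are constructed from the log text above, and the "named like a user-mode binary" heuristic is my own, not a DDS rule.

```python
"""Triage helper over DDS and RootRepeal log lines (added example, not the
thread's or the tools' own code). It flags what the helper here spotted by eye:
zero-byte all-digit .exe files under system32 and the interval they recur at,
boot/system-start drivers with a zero-byte, missing ("[?]") or absent ("[x]")
image or a user-mode-looking name, and SSDT hooks RootRepeal could not attribute
to a loaded driver. The SAMPLE_* lists are constructed from the log text above."""
import re
from collections import Counter
from datetime import datetime

CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
SSDT_FN_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\w+)$")
SSDT_HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')

SAMPLE_CREATED = [  # constructed from the DDS "Created Last 30" section above
    r"2010-02-03 03:23:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-01-25 06:42:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware",
    r"2010-01-22 09:57:29 0 ----a-w- c:\windows\system32\26962.exe",
    r"2010-01-22 09:37:28 0 ----a-w- c:\windows\system32\29358.exe",
    r"2010-01-22 09:17:26 0 ----a-w- c:\windows\system32\11478.exe",
    r"2010-01-22 08:15:57 0 ----a-w- c:\windows\system32\26500.exe",
    r"2010-01-22 07:55:56 0 ----a-w- c:\windows\system32\6334.exe",
    r"2010-01-22 07:35:55 0 ----a-w- c:\windows\system32\18467.exe",
    r"2010-01-22 07:23:55 0 ----a-w- c:\windows\system32\drivers\svchost.exe.sys",
]
SAMPLE_SERVICES = [  # constructed from the DDS "SERVICES / DRIVERS" section above
    r"R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-30 64160]",
    r"S1 hbzgfgjh;hbzgfgjh;\??\c:\windows\system32\drivers\hbzgfgjh.sys --> c:\windows\system32\drivers\hbzgfgjh.sys [?]",
    r"S1 svchost.exe;svchost.exe;\??\c:\windows\system32\drivers\svchost.exe.sys [2010-1-22 0]",
    r"S2 asc3550p;asc3550p; [x]",
    r"S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2005-12-6 2944]",
]
SAMPLE_SSDT = [  # constructed from the RootRepeal SSDT section above
    "#: 041 Function Name: NtCreateKey",
    'Status: Hooked by "Lbd.sys" at address 0xf74e787e',
    "#: 053 Function Name: NtCreateThread",
    'Status: Hooked by "<unknown>" at address 0x856cf109',
]

def parse_created(lines):
    """Yield (timestamp, size, attrs, path) for each 'Created Last 30' entry."""
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2)), m.group(3), m.group(4)

def numeric_droppers(entries):
    """Zero-byte, all-digit .exe files under system32, oldest first."""
    hits = []
    for ts, size, attrs, path in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        if size == 0 and attrs.startswith("-") and "\\system32\\" in path.lower() and re.fullmatch(r"\d+\.exe", name):
            hits.append((ts, path))
    return sorted(hits)

def cadence_minutes(hits, tolerance=2):
    """Modal gap in minutes between consecutive drops, and how many gaps sit within tolerance of it."""
    gaps = [int((b[0] - a[0]).total_seconds() // 60) for a, b in zip(hits, hits[1:])]
    if not gaps:
        return None, 0
    mode = Counter(gaps).most_common(1)[0][0]
    return mode, sum(1 for g in gaps if abs(g - mode) <= tolerance)

def suspicious_drivers(lines):
    """(service name, reasons) for driver/service entries worth pulling for hashing."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, _image, meta = m.groups()
        reasons = []
        if meta == "?":
            reasons.append("image file not present on disk")  # also fires for orphaned entries
        elif meta == "x":
            reasons.append("no image path at all")
        elif int(meta.split()[-1]) == 0:
            reasons.append("zero-byte image")
        if start[1] in "01" and ".exe" in name.lower():  # own heuristic, not a DDS rule
            reasons.append("boot/system-start driver named like a user-mode binary")
        if reasons:
            findings.append((name, reasons))
    return findings

def unattributed_ssdt_hooks(lines):
    """(function, address) for SSDT entries RootRepeal reports as hooked by "<unknown>"."""
    hooks, fn = [], None
    for line in lines:
        line = line.strip()
        m = SSDT_FN_RE.match(line)
        if m:
            fn = m.group(1)
            continue
        m = SSDT_HOOK_RE.match(line)
        if m and fn and m.group(1) == "<unknown>":
            hooks.append((fn, m.group(2)))
        fn = None
    return hooks

if __name__ == "__main__":
    drops = numeric_droppers(parse_created(SAMPLE_CREATED))
    print(len(drops), "zero-byte numeric droppers; (modal gap, gaps fitting it):", cadence_minutes(drops))
    print(suspicious_drivers(SAMPLE_SERVICES))
    print(unattributed_ssdt_hooks(SAMPLE_SSDT))
```

A "[?]" entry only means DDS found no file at the recorded path; orphaned entries left by uninstalled products (the KLIF line from PC Tools above) fire the same way, so treat that reason as a prompt to inspect the service key rather than as a verdict. The cadence check is the part worth keeping: when zero-byte files reappear every 20 minutes, deleting them one by one achieves nothing until whatever recreates them (here the kernel-level component ComboFix later found) is gone.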
#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 04 February 2010 - 08:02 PM

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 kmc2000

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:55 AM

Posted 05 February 2010 - 12:52 AM

EB, combofix stalls. I've let it run for an hour but it did not display the various stages as shown on the guide. What do you suggest?

#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 06 February 2010 - 02:35 PM

Can you try it in Safe Mode? Also try renaming it before you download it to something like: kmc.exe


How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

#9 kmc2000

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:55 AM

Posted 06 February 2010 - 02:45 PM

EB, to clarify...
1) Remove combofix
2) Redownload combofix to desktop but rename file
3) Print instructions to boot in safemode
4) Run combofix

Kmc2000

#10 kmc2000

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:55 AM

Posted 06 February 2010 - 02:46 PM

What if that doesn't work? What next? Thanks again, EB

#11 kmc2000

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:55 AM

Posted 06 February 2010 - 06:55 PM

EB, here is the log produced by Combofix...

ComboFix 10-02-06.01 - Tuan Chau 02/06/2010 18:23:39.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.744 [GMT -5:00]
Running from: c:\documents and settings\Tuan Chau\Desktop\kmc2000.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tuan Chau\Application Data\Install.dat
c:\documents and settings\Tuan Chau\Desktop\Internet Security 2010.lnk
c:\program files\Zango Programs
c:\recycler\S-1-5-21-1130501599-940702079-2627028076-1003
c:\recycler\S-1-5-21-3625766470-3470088600-2905144626-1003
c:\recycler\S-1-5-21-3866134492-1521452873-4050220982-1003
c:\recycler\S-1-5-21-4099866237-2012233711-2129043893-1003
c:\recycler\S-1-5-21-4178174610-160181469-3752274280-1003
c:\recycler\S-1-5-21-4210382524-3114635888-1619091654-1003
c:\recycler\S-1-5-21-4283582121-3054389475-1248917996-1003
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\reboot.txt
c:\windows\system32\ssprs.dll
c:\windows\system32\sstray.exe
c:\windows\system32\twain_32.dll
C:\xcrashdump.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Service_asc3550p
-------\Service_svchost.exe


((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-03 11:48 . 2010-02-05 04:09 15761 ----a-w- c:\windows\Xbocinixigotan.dat
2010-02-03 11:48 . 2010-02-03 11:48 0 ----a-w- c:\windows\Ezovageqewipez.bin
2010-02-03 03:23 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 03:23 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 03:17 . 2010-02-03 03:17 -------- d-----w- c:\documents and settings\Tuan Chau\Local Settings\Application Data\{9939C0C3-E5AB-4489-B3DD-E3AB9CF2E3AF}
2010-01-28 06:17 . 2010-01-28 06:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Flock
2010-01-28 06:17 . 2010-01-28 06:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Flock
2010-01-28 01:41 . 2010-01-28 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-27 02:11 . 2010-01-27 02:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-01-25 06:42 . 2010-02-03 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 20:43 . 2010-01-23 20:43 -------- d-----w- c:\documents and settings\Tuan Chau\Application Data\Malwarebytes
2010-01-23 20:41 . 2010-01-23 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-22 07:23 . 2010-01-22 07:23 0 ----a-w- c:\windows\system32\drivers\svchost.exe.sys
2010-01-17 17:35 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 21:46 . 2010-02-01 04:05 -------- d-----w- c:\documents and settings\Tuan Chau\Application Data\Intelli-studio
2010-01-09 21:46 . 2010-01-09 21:46 -------- d-----w- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 06:19 . 2008-11-20 05:45 -------- d-----w- c:\program files\Flock
2010-01-28 02:27 . 2003-01-03 14:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-28 02:27 . 2003-01-03 14:07 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-22 03:38 . 2009-06-30 03:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 17:36 . 2008-11-09 21:10 110062 ----a-w- c:\windows\hpoins11.dat
2009-12-21 19:14 . 2005-06-18 05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-15 00:30 . 2009-09-21 23:30 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-21 15:51 . 2003-01-03 11:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"nwiz"="nwiz.exe" [2005-07-21 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"CTHelper"="CTHELPER.EXE" [2004-03-19 24576]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\EnXVkdCCT.exe" [2010-02-03 1394000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
backup=c:\windows\pss\SmartUI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tuan Chau^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Tuan Chau\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tuan Chau^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\Tuan Chau\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-09-21 23:30 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2007-10-04 15:20 50528 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 16:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 19:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 15:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 05:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/30/2009 7:30 PM 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/26/2006 10:50 PM 58016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/22/2007 10:58 PM 24652]
S1 hbzgfgjh;hbzgfgjh;\??\c:\windows\system32\drivers\hbzgfgjh.sys --> c:\windows\system32\drivers\hbzgfgjh.sys [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/6/2005 5:39 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/6/2005 5:39 PM 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [12/6/2005 5:39 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [12/6/2005 5:39 PM 10368]
S3 C792nO7p;C792nO7p;\??\c:\windows\system32\drivers\C792nO7p.sys --> c:\windows\system32\drivers\C792nO7p.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1028432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2010-02-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:30]

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Tuan Chau\Application Data\Mozilla\Firefox\Profiles\4vwodw0b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {9939C0C3-E5AB-4489-B3DD-E3AB9CF2E3AF} - c:\documents and settings\Tuan Chau\Local Settings\Application Data\{9939C0C3-E5AB-4489-B3DD-E3AB9CF2E3AF}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-nForce Tray Options - sstray.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
SharedTaskScheduler-{c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
SSODL-vefeziriw-{c4a98195-5daa-4255-8a0f-a658b6344912} - c:\windows\system32\wipekoka.dll
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\EntApi.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WININET.dll
c:\windows\system32\EntApi.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\zHotkey.exe
c:\windows\system32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-06 18:48:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 23:48

Pre-Run: 93,150,494,720 bytes free
Post-Run: 93,138,731,008 bytes free

- - End Of File - - 7DB310F4E9BD7D33652144B30BE5519D


Thanks for your help thus far. What do you suggest I do next? I haven't been using my computer since starting this fix with you, so I don't know if I have any of the symptoms previously described. Also, any suggestions on which programs to install in order to prevent this from happening again?

thanks,
kmc2000
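Two things in the ComboFix log above are worth checking by script rather than by eye: atapi.sys listed with a creation time of 2010-01-28 and a last-write time of 2003-01-03 (the file ComboFix then reported as infected and disinfected), and seven Trusted Zone entries for rogue-antivirus sales domains. The helper below is an added example, not ComboFix's own code and not from the thread. It assumes ComboFix's file-listing columns read "created . last-written", an interpretation taken from the MBAM driver entries in this log (created the day MBAM was installed, last written on the driver's build date) rather than from ComboFix documentation. SAMPLE_LINES is constructed from the log text above.

```python
"""Review helper for ComboFix log lines (added example; not ComboFix's code and
not from the thread). Two checks:
1. File listings "<created> . <last-written> <size> <attrs> <path>" (column
   order assumed from the MBAM entries in this log). A driver under
   system32\drivers whose creation time is years later than its last-write time
   was written fresh with a backdated modification stamp, the shape a patched
   atapi.sys leaves. It is a lead for hashing against a known-good copy, not a
   verdict: a reinstalled or rolled-back driver produces the same shape.
2. "Trusted Zone:" lines: every IE Trusted-sites domain not on the operator's
   allowlist, reported once in first-seen order."""
import re
from datetime import datetime, timedelta

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$"
)
TZ_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
DRIVER_DIR = "\\system32\\drivers\\"

SAMPLE_LINES = [  # constructed from the ComboFix log above
    r"2010-02-03 03:23 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
    r"2010-01-22 07:23 . 2010-01-22 07:23 0 ----a-w- c:\windows\system32\drivers\svchost.exe.sys",
    r"2010-01-28 02:27 . 2003-01-03 14:07 96512 ----a-w- c:\windows\system32\drivers\atapi.sys",
    r"2009-12-21 19:14 . 2005-06-18 05:49 916480 ----a-w- c:\windows\system32\wininet.dll",
    r"2010-01-23 20:41 . 2010-01-23 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes",
    "Trusted Zone: buy-internet-security10.com",
    "Trusted Zone: buy-internetsecurity10.com",
    "Trusted Zone: is-soft-download.com",
    "Trusted Zone: is-software-download.com",
    "Trusted Zone: is-software-download25.com",
    "Trusted Zone: buy-internet-security10.com",
    "Trusted Zone: buy-internetsecurity10.com",
]

def parse_file_lines(lines):
    """(created, last_written, size or None for directories, attrs, path) per file line."""
    out = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        written = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
        size = None if m.group(3).startswith("-") else int(m.group(3))
        out.append((created, written, size, m.group(4), m.group(5)))
    return out

def backdated_drivers(entries, min_skew_days=365):
    """(path, days) for drivers created more than min_skew_days after their last write."""
    flagged = []
    for created, written, _size, attrs, path in entries:
        if attrs.startswith("d") or DRIVER_DIR not in path.lower():
            continue
        skew = created - written
        if skew > timedelta(days=min_skew_days):
            flagged.append((path, skew.days))
    return flagged

def unexpected_trusted_zone(lines, allowlist=()):
    """Trusted Zone domains not on the allowlist, first-seen order, no repeats."""
    allowed = {d.lower() for d in allowlist}
    seen = []
    for line in lines:
        m = TZ_RE.match(line.strip())
        if m:
            dom = m.group(1).lower()
            if dom not in allowed and dom not in seen:
                seen.append(dom)
    return seen

if __name__ == "__main__":
    for path, days in backdated_drivers(parse_file_lines(SAMPLE_LINES)):
        print(f"backdated driver: {path} (created {days} days after its last write)")
    for dom in unexpected_trusted_zone(SAMPLE_LINES):
        print(f"trusted zone entry to remove: {dom}")
```

The driver check narrows the list to files worth hashing; the confirming step is a comparison against the copy in the service-pack cab or on a known-clean machine, which is in effect what ComboFix did before reporting the infected atapi.sys. The Trusted Zone list needs no such confirmation: domains the user never added have no business in that zone and go regardless.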

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 07 February 2010 - 02:36 PM

Hello.

Thanks for that log; it seems Combofix removed one of the rootkits that was on your system.

However, I still need to let you aware of the nature of this infection. Let me know if you wish to continue or not.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#13 kmc2000

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:55 AM

Posted 07 February 2010 - 02:59 PM

I would like to go forward with reformatting and re-installation. I don't have the original CD for the operating system; can we continue without one? Also, only after running Combofix have I been using the computer to view financial information. From the log, do you see anything else that might need attention? Do you think my security has been compromised? And, can I use another computer sharing the same internet connection (via wireless)? Thanks, EB


#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 08 February 2010 - 08:22 PM

Hello again.

Well, without the CD you can't format unless you purchase another copy, which can be quite expensive. We can continue to disinfect anything on your machine, but I was mentioning there WAS an infection of that kind on your system. Overall, the logs look better now. Yes, backdoors do compromise your system until you actually remove them; however, backdoors gain control of your system and can alter system security if they want to, and this can pose a threat to you. The question is whether or not you feel it's safe to continue using the computer. The other computer should be fine, but if you want to get it checked you can start a new topic. This infection isn't a worm that spreads, so it should be okay.

With Regards,
Extremeboy


#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 12 February 2010 - 04:45 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy