
removed malware, now getting generic host errors and NT authority shutdown


This topic is locked
2 replies to this topic

#1 2confused

2confused

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 30 January 2010 - 12:05 PM

Hi,
I have removed several pieces of malware from this netbook (Dell Mini 10) using Malwarebytes and McAfee. First the problems were severe, with an infection of Windows Antivirus Pro popups that had locked down the computer. Then I removed several trojans and finally an exploit virus. Now I don't get any malware present when running scans, but I get a generic host error for win32, followed by an NT authority shutdown due to a DCOM error. I override this using the shutdown -a command. Below I paste the DDS and RootRepeal logs. Thank you in advance for any help you can provide. I am overwhelmed..


DDS (Ver_09-12-01.01) - NTFSx86
Run by karyn embury at 11:34:49.98 on Sat 01/30/2010
Internet Explorer: 8.0.6001.18702
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\karyn embury\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [<NO NAME>]
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMAgent] "c:\program files\dell\media experience\PCMAgent.exe"
mRun: [CLMLServer] "c:\program files\dell\media experience\kernel\clml\CLMLSvc.exe"
mRun: [PlayMovie] "c:\program files\dell\playmovie\PMVService.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2600 series\ezprint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: 0.0.0.0
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264706283156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-30 14:51:35 0 d-----w- c:\docume~1\karyne~1\applic~1\McAfee
2010-01-28 20:30:48 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-28 20:30:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-27 14:51:55 0 d-----w- c:\program files\Trend Micro
2010-01-23 00:09:42 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-01-19 21:21:14 0 d-sh--w- c:\documents and settings\karyn embury\IECompatCache
2010-01-19 20:31:09 0 d-----w- c:\docume~1\karyne~1\applic~1\Malwarebytes
2010-01-19 20:30:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 20:30:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 20:30:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 20:30:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-17 01:41:15 0 ----a-w- c:\windows\system32\11942.exe
2010-01-17 01:20:57 0 ----a-w- c:\windows\system32\2995.exe
2010-01-17 01:00:19 212 ----a-w- c:\windows\system32\491.exe
2010-01-17 00:40:18 212 ----a-w- c:\windows\system32\9961.exe
2010-01-17 00:20:18 212 ----a-w- c:\windows\system32\16827.exe
2010-01-17 00:00:17 212 ----a-w- c:\windows\system32\23281.exe
2010-01-16 23:40:17 212 ----a-w- c:\windows\system32\28145.exe
2010-01-16 23:20:16 212 ----a-w- c:\windows\system32\5705.exe
2010-01-16 23:00:16 212 ----a-w- c:\windows\system32\24464.exe
2010-01-16 22:40:16 212 ----a-w- c:\windows\system32\26962.exe
2010-01-16 22:20:15 212 ----a-w- c:\windows\system32\29358.exe
2010-01-16 22:00:15 0 ----a-w- c:\windows\system32\11478.exe
2010-01-16 21:40:13 0 ----a-w- c:\windows\system32\15724.exe
2010-01-16 21:20:12 0 ----a-w- c:\windows\system32\19169.exe
2010-01-16 21:00:12 0 ----a-w- c:\windows\system32\26500.exe
2010-01-16 20:40:10 0 ----a-w- c:\windows\system32\6334.exe
2010-01-16 19:14:55 1 ----a-w- C:\s
2010-01-13 04:07:40 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-30 14:34:10 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2010-01-30 14:34:07 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-01-28 03:32:23 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2010-01-27 18:05:09 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-23 00:09:40 56680 ----a-w- c:\windows\system32\rpcnet.exe
2010-01-22 15:24:40 1490 ----a-w- c:\docume~1\karyne~1\applic~1\wklnhst.dat
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-03 00:51:14 9728 ----a-w- c:\windows\system32\wceprv.dll
2009-03-02 17:45:32 75 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 11:37:57.09 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/30 11:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEEEF000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_a029s0vq2jmvlw0
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hwoj1jebhfhufhi
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_s1ib9efzrpwj3vj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_fa6j6sejg3b55di
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_0oab4eghuxujaud
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_mh9cj8n74nude6a
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_tevscajjm5hl1sn
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hbb6zvjnwetdjju
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_lpfe53dla9ritsg
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP113\A0034050.exe:{D352D848-071A-20B9-F736-2861B4540AEF}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\karyn embury\local settings\temp\~df2cc6.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\karyn embury\local settings\temp\~dfea67.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\karyn embury\local settings\temp\~dff2fe.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

Path: c:\documents and settings\karyn embury\local settings\temp\~dffc42.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: C:\Documents and Settings\karyn embury\Local Settings\Apps\2.0\PORL1VHH.LHJ\45COH8BD.9CO\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\karyn embury\Local Settings\Apps\2.0\PORL1VHH.LHJ\45COH8BD.9CO\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==

Thanks again..
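A small triage script, added here as an illustration and not part of the original post or of the DDS tool, that scans the kind of listing pasted above for two things a malware-removal helper checks early: a user proxy pointed at the loopback address, and tiny numerically-named executables created in system32 at a regular cadence. The excerpt it parses is a constructed sample modelled on the log above, not the full log.

```python
import re
import statistics
from datetime import datetime

# Constructed excerpt modelled on the DDS "Created Last 30" listing (hypothetical sample).
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
=============== Created Last 30 ================
2010-01-19 20:30:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-17 01:00:19 212 ----a-w- c:\windows\system32\491.exe
2010-01-17 00:40:18 212 ----a-w- c:\windows\system32\9961.exe
2010-01-17 00:20:18 212 ----a-w- c:\windows\system32\16827.exe
2010-01-17 00:00:17 212 ----a-w- c:\windows\system32\23281.exe
"""
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
PROXY_RE = re.compile(r"ProxyServer = .*?127\.0\.0\.1:(\d+)")

def parse_entries(text):
    """Return (timestamp, size, path) tuples from DDS file-listing lines."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        int(m.group(2)), m.group(4).lower()))
    return out

def numbered_system32_exes(entries, max_size=1024):
    """Tiny executables with purely numeric names created directly in system32."""
    return [p for _, size, p in entries
            if size <= max_size and re.search(r"\\system32\\\d+\.exe$", p)]

def median_gap_seconds(entries, paths):
    """Median seconds between creation times of the flagged files (DDS lists newest first)."""
    times = sorted(t for t, _, p in entries if p in paths)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None

def loopback_proxy_port(text):
    """Port of a user proxy pointing at 127.0.0.1, or None if no such proxy is set."""
    m = PROXY_RE.search(text)
    return int(m.group(1)) if m else None

def triage(text):
    """Summarise the review points found in a DDS log excerpt."""
    entries = parse_entries(text)
    flagged = numbered_system32_exes(entries)
    return {"loopback_proxy_port": loopback_proxy_port(text),
            "numbered_exes": flagged,
            "median_gap_seconds": median_gap_seconds(entries, flagged)}
```

A regular cadence (here roughly every 20 minutes) together with zero or near-zero sizes is the kind of pattern a helper would ask about before treating the host as clean.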


#2 2confused

2confused
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 31 January 2010 - 10:53 AM

Unfortunately my problem was very similar to one described in an earlier post. The resolution for that was the presence of a backdoor trojan, which is also what I was suspecting for this problem. I am going ahead with a reformatting of the whole computer, and have already changed all the passwords for sensitive information. What a pain!

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:49 AM

Posted 03 February 2010 - 12:28 PM

Since the issue seems to be resolved, this topic will now be closed.

regards, Elise


Malware analyst @ Emsisoft