Got Unknown Infection on my Comp


This topic is locked
5 replies to this topic

#1 Foire


Posted 26 February 2010 - 10:33 PM

Hi,

I'm having trouble cleaning my comp. Just now I finished reformatting my computer, but it seems there are still some problems. On start-up, after a while, I'm getting an explorer.exe error.

I also noticed that my comp is running an unknown service, and I have it disabled in msconfig. The name of this service is VMware service.

Running gmer crashes my comp.

I can't seem to attach the attach.txt here. It takes a lot of time uploading the file.

Here is the DDS log

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 11:29:51.03 on Sat 02/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1676 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
mWinlogon: Taskman=c:\recycler\s-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe c:\recycler\s-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-system: DisableCAD = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: DisableCAD = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: Download all by Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download by Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Download selected by Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download web site by Free Download Manager - file://c:\program files\free download manager\dlpage.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\9eixf5i7.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-27 1684736]
S3 MSICDSetup;MSICDSetup;\??\e:\cdriver.sys --> e:\CDriver.sys [?]
S4 VMwareService;VMwareService;c:\windows\system\VMwareService.exe [2010-2-27 23552]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2010-02-27 10:10:32 0 d-----w- c:\program files\common files\ODBC
2010-02-27 10:10:24 0 d-----w- c:\program files\common files\SpeechEngines
2010-02-27 10:09:49 0 d-----r- c:\documents and settings\all users\Documents
2010-02-27 02:52:15 0 d-----w- c:\program files\Trend Micro
2010-02-27 02:43:12 0 d-----w- c:\program files\common files\ATI Technologies
2010-02-27 02:42:04 0 d-----w- c:\program files\ATI Technologies
2010-02-27 02:33:05 0 d-----w- c:\program files\Realtek
2010-02-27 02:24:10 0 d-----w- c:\docume~1\admini~1\applic~1\Free Download Manager
2010-02-27 02:20:28 0 d-----w- c:\program files\Real Alternative
2010-02-27 02:20:28 0 d-----w- c:\program files\Media Player Classic
2010-02-27 02:20:26 0 d-----w- c:\program files\MozBackup
2010-02-27 02:20:08 0 d-----w- c:\program files\Free Download Manager
2010-02-27 02:18:31 0 d-sh--w- c:\documents and settings\all users\DRM
2010-02-27 02:18:15 0 d--h--w- c:\program files\WindowsUpdate
2010-02-27 02:18:13 0 d-----w- c:\program files\Online Services
2010-02-27 02:17:36 0 d-----w- c:\program files\common files\MSSoap
2010-02-27 02:16:28 0 d-----w- c:\program files\Unlocker
2010-02-27 02:16:27 0 d-----w- c:\program files\TaskSwitchXP
2010-02-27 02:16:27 0 d-----w- c:\program files\RegShot
2010-02-27 02:16:26 0 d-----w- c:\program files\Attribute Changer
2010-02-27 02:16:25 0 d-----w- c:\program files\CCleaner
2010-02-27 02:16:16 0 d-----w- c:\program files\MSN Gaming Zone
2010-02-27 02:15:42 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-02-27 02:35:30 228871 ----a-w- c:\windows\system32\23.exe
2010-02-27 02:20:11 5217 ----a-w- c:\windows\mozver.dat
2010-02-27 02:20:11 107132 ----a-w- c:\windows\UninstallFirefox.exe
2010-02-27 02:19:31 107132 ----a-w- c:\windows\UninstallThunderbird.exe
2010-02-27 02:16:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 11:29:57.09 ===============



#2 Foire


Posted 26 February 2010 - 10:59 PM

brb, restarting comp. Tried running gmer again, but it crashes my comp again, I think. I can only alt-tab between open windows. Can't click on the start button or on the taskbar.

#3 Foire


Posted 26 February 2010 - 11:08 PM

Hi!

Just now I got this Autoruns program and I ran it. I have this "C:\RECYCLER\S-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe c:\recycler\s-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman. There are three copies of this, of which 2 have check marks in the box and 1 has none.

Just to let you know.
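A defender-side check suggested by the Winlogon\Taskman finding above and by the DDS log in the first post, added here as an example (not code from the original thread or from DDS): a small Python scanner that reads DDS-style report lines and flags the patterns present in this log. The three heuristics are my assumptions, not rules DDS itself applies; the sample lines are constructed, with the Taskman entry and SID copied from the thread.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" / "SERVICES" style.
# The Taskman line and its SID are copied from the log posted in this thread;
# the other lines are ordinary entries used as negatives.
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\recycler\s-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe c:\recycler\s-1-5-21-6120790014-5445610506-424388073-9575\syscr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
S4 VMwareService;VMwareService;c:\windows\system\VMwareService.exe [2010-2-27 23552]
"""

# Heuristics (assumptions, not DDS rules): a Winlogon Taskman value is rarely
# set on a clean XP box; nothing legitimate autostarts from a RECYCLER folder;
# a service binary in c:\windows\system (not system32) deserves a closer look.
RECYCLER_RE = re.compile(r"\\recycler\\s-1-5-", re.IGNORECASE)
WIN_SYSTEM_RE = re.compile(r"c:\\windows\\system\\", re.IGNORECASE)


def flag_line(line: str):
    """Return the reasons this DDS line looks suspicious (empty list if none)."""
    reasons = []
    lowered = line.lower()
    if lowered.startswith(("mwinlogon:", "uwinlogon:")) and "taskman=" in lowered:
        reasons.append("Winlogon Taskman override")
    if RECYCLER_RE.search(line):
        reasons.append("autostart target inside RECYCLER")
    if WIN_SYSTEM_RE.search(line):
        reasons.append("binary in c:\\windows\\system rather than system32")
    return reasons


def scan_dds(text: str):
    """Map each suspicious non-blank line of a DDS report to its reasons."""
    hits = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = flag_line(line)
            if reasons:
                hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan_dds(SAMPLE_DDS).items():
        print(f"{'; '.join(reasons)}: {line}")
```

Feed it a full DDS log and it lists only the entries that trip a heuristic, so the Taskman and VMwareService lines from this thread stand out while the ATI and TaskSwitchXP entries stay quiet.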

#4 Foire


Posted 26 February 2010 - 11:31 PM

I finally got to upload attach.txt. Here it is.

Attached Files



#5 Foire


Posted 27 February 2010 - 12:14 AM

Close topic please. I think I have resolved my problem. Thanks.


#6 Elise


Posted 27 February 2010 - 08:29 AM

Topic closed as requested by user.

Regards, Elise

