

Have DDS txt. Unknown Malware. Executables Blocked

  • This topic is locked
2 replies to this topic

#1 fingkish


  • Members
  • 2 posts
  • Local time:06:51 AM

Posted 20 April 2010 - 09:22 PM


4/21 02:230 UCT (4/20 10:023pm EDT) I posted below. Would have expected at least one reply in nigh on to 23 hours. Did I break, or am I breaking, some norms by bumping? Perhaps my expectations were off. Sorry, but I have now taken work off to re-format, re-install OS/Apps, and retrieve backed-up data. Would be keen to avoid that. Regards, much indebted to anyone who can give me a clue from below.
-- Frank

We have an unknown malware; when my wife called from home, it sounded like an antivirus hijack/ransom variant.
"Shut it down," I said. When I restarted it, I saw AV warnings, and executables were blocked.
So, I booted XP into Safe Mode, logged into the Administrator session, and ran Malwarebytes. It reported several exploits, which it removed. Now MBAM reports no issues. Unfortunately, I overwrote the MBAM text log file from that session. I suspect the exploit had sabotaged MBAM, anyway. When I logged out as Admin and back into the infected username session, even in Safe Mode, executables are still blocked, even Process Explorer. When logged into the normal Windows session, I am not sure, but I think the random pop-ups have stopped, but executables are still blocked. Explorer, IE, msconfig, even GMER: all not executable.

I tried running GMER in safe mode as Admin -- got BSOD memory dump error. SHOULD I TRY AGAIN?

Here is the DDS txt from the normal Windows session for the infected user login.

thanks in advance for help



DDS (Ver_10-03-17.01) - NTFSx86
Run by Frank at 21:43:26.78 on Tue 04/20/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2571 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesAPCAPC PowerChute Personal Editionmainserv.exe
C:Program FilesMozyHomemozybackup.exe
C:Program FilesNorton Security SuiteEngine3.8.0.41ccSvcHst.exe
C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
C:Program FilesDell Support Centerbinsprtsvc.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesTomTom HOME 2TomTomHOMEService.exe
C:Program FilesNorton Security SuiteEngine3.8.0.41ccSvcHst.exe
C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
C:Documents and SettingsAll UsersDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080222
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:program filesnorton security suiteengine3.8.0.41coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:program filesnorton security suiteengine3.8.0.41IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.5.0_06binssv.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:program filesdel.icio.usinternet explorer buttonsdlcsIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:program filesdellbaeBAE.dll
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:program filesdel.icio.usinternet explorer buttonsdlcsIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:program filesnorton security suiteengine3.8.0.41coIEPlg.dll
uRun: [AdobeUpdater] "c:program filescommon filesadobeupdater5AdobeUpdater.exe"
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [Google Update] "c:documents and settingsfranklocal settingsapplication datagoogleupdateGoogleUpdate.exe" /c
mRun: [ATICCC] "c:program filesati technologiesati.aceCLIStart.exe"
mRun: [<NO NAME>]
mRun: [OEM05Mon.exe] c:windowsOEM05Mon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [PaperPort PTD] c:program filesscansoftpaperportpptd40nt.exe
mRun: [IndexSearch] c:program filesscansoftpaperportIndexSearch.exe
mRun: [SetDefPrt] c:program filesbrotherbrmfl04gBrStDvPt.exe
mRun: [Adobe Reader Speed Launcher] "c:program filesadobereader 9.0readerReader_sl.exe"
mRun: [Adobe ARM] "c:program filescommon filesadobearm1.0AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
mRun: [MSConfig] c:windowspchealthhelpctrbinariesMSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
StartupFolder: c:docume~1alluse~1startm~1programsstartupapcups~1.lnk - c:program filesapcapc powerchute personal editionDisplay.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupdigita~1.lnk - c:program filesdigital line detectDLG.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuplogite~1.lnk - c:program fileslogitechsetpointSetPoint.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupmozyho~1.lnk - c:program filesmozyhomemozystat.exe
IE: E&xport to Microsoft Excel - c:progra~1micros~2office12EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:program filesjavajre1.5.0_06binssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~2office12ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office12REFIEBAR.DLL
Trusted Zone: carefirst.comcag
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://md2.carefirst.com/iNotes6W.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5848/mcfscan.cab
DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} - hxxps://email.carefirst.com/ondemand/SodaAgent.CAB
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:program fileslogitechdesktop messenger8876480programGAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~1common~1skypeSKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:program filesnorton security suiteengine3.8.0.41CoIEPlg.dll
Notify: LBTWlgn - c:program filescommon fileslogitechbluetoothLBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1frankapplic~1mozillafirefoxprofilestlpwymj4.default
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:documents and settingsfrankapplication datamozillafirefoxprofilestlpwymj4.defaultextensionspiclens@cooliris.comcomponentspiclensstub.dll
FF - plugin: c:documents and settingsfranklocal settingsapplication datagoogleupdate1.2.183.13npGoogleOneClick8.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJava11.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJava12.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJava13.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJava14.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJava32.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPJPI150_06.dll
FF - plugin: c:program filesjavajre1.5.0_06binNPOJI610.dll
FF - plugin: c:program filesmcafeesupportabilitymvtNPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:windowssystem32driversn3600308000.029SymEFA.sys [2010-3-12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:windowssystem32driversn3600308000.029BHDrvx86.sys [2010-3-12 259632]
R1 ccHP;Symantec Hash Provider;c:windowssystem32driversn3600308000.029cchpx86.sys [2010-3-12 482432]
R1 IDSxpx86;IDSxpx86;c:documents and settingsall usersapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nortondefinitionsipsdefs20100415.001IDSXpx86.sys [2010-4-17 329592]
R1 mfehidk;McAfee Inc. mfehidk;c:windowssystem32driversmfehidk.sys [2008-3-1 214664]
R2 N360;Norton Security Suite;c:program filesnorton security suiteengine3.8.0.41ccSvcHst.exe [2010-3-12 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:program filestomtom home 2TomTomHOMEService.exe [2009-11-13 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:program filescommon filessymantec sharedeengineEraserUtilRebootDrv.sys [2010-3-12 102448]
R3 NAVENG;NAVENG;c:documents and settingsall usersapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nortondefinitionsvirusdefs20100420.008NAVENG.SYS [2010-4-20 84912]
R3 NAVEX15;NAVEX15;c:documents and settingsall usersapplication datanorton{0c55c096-0f1d-4f28-aaa2-85ef591126e7}nortondefinitionsvirusdefs20100420.008NAVEX15.SYS [2010-4-20 1324720]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:windowssystem32driversOEM05Afx.sys [2008-2-21 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:windowssystem32driversOEM05Vfx.sys [2008-2-21 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:windowssystem32driversOEM05Vid.sys [2008-2-21 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:windowssystem32driverslivecamv.sys [2008-2-21 31616]
S3 mfeavfk;McAfee Inc. mfeavfk;c:windowssystem32driversmfeavfk.sys [2008-3-1 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:windowssystem32driversmfebopk.sys [2008-3-1 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:windowssystem32driversmferkdk.sys [2008-3-1 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:windowssystem32driversmfesmfk.sys [2008-3-1 40552]

============== File Associations ===============


=============== Created Last 30 ================

2010-04-21 00:33:49 0 d-----w- c:program filesfooddata
2010-04-11 16:37:59 0 d-----w- c:program filesBibleCD
2010-04-08 12:43:28 11619424 ----a-w- c:documents and settingsall usersTempmozy-update-25244319088a7b9cdad452bbbd7133d7.exe
2010-04-08 12:43:27 0 d-----w- c:documents and settingsall usersTemp

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:windowssystem32driversmbam.sys
2010-03-20 18:42:18 54776 ----a-w- c:windowssystem32driversmozy.sys
2010-03-12 22:01:20 806 ----a-w- c:windowssystem32driversSYMEVENT.INF
2010-03-12 22:01:20 7456 ----a-w- c:windowssystem32driversSYMEVENT.CAT
2010-03-12 22:01:20 60808 ----a-w- c:windowssystem32S32EVNT1.DLL
2010-03-12 22:01:20 124976 ----a-w- c:windowssystem32driversSYMEVENT.SYS
2010-03-12 22:01:09 36400 ----a-r- c:windowssystem32driversSymIM.sys
2010-03-12 22:01:08 26600 ----a-r- c:windowssystem32driversGEARAspiWDM.sys
2010-03-12 22:00:58 107368 ----a-r- c:windowssystem32GEARAspi.dll
2010-03-10 13:18:21 13824 ------w- c:windowssystem32dllcacheieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:windowssystem32dllcacheie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:windowssystem32vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:windowssystem32dllcachevbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:windowssystem32driversmrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:windowssystem32dllcachemrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:windowssystem32dllcacheiexplore.exe
2010-02-23 05:18:28 161792 ------w- c:windowssystem32dllcacheieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:windowssystem32dllcachentoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:windowssystem32ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:windowssystem32dllcachentkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:windowssystem32dllcachentkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:windowssystem32ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:windowssystem32dllcachentkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:windowssystem326to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:windowssystem32dllcache6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:windowssystem32dllcachetcpip6.sys
2010-01-30 21:36:17 729088 ----a-w- c:windowsiun6001.exe
2008-02-21 23:02:08 76 --sh--r- c:windowsCT4CET.bin
2008-05-11 20:20:34 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5mshist012008051120080512index.dat

============= FINISH: 21:44:12.00 ===============

Oh how I wish someone would post a reply


Edited by Budapest, 21 April 2010 - 08:15 PM.
Posts merged ~BP



#2 myrti



  • Malware Study Hall Admin
  • 33,785 posts
  • Gender:Female
  • Location:At home
  • Local time:12:51 PM

Posted 27 April 2010 - 08:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards, myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 myrti



  • Malware Study Hall Admin
  • 33,785 posts
  • Gender:Female
  • Location:At home
  • Local time:12:51 PM

Posted 10 May 2010 - 07:07 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

