
MALWARE VIRUS PROBLEM - PLEASE HELP


This topic is locked
2 replies to this topic

#1 kevin273

  • Members
  • 1 posts

Posted 11 May 2010 - 06:57 AM

Hi,
My name is Kevin from London.
I believe my laptop is infected with malware and/or viruses.

I cannot connect to the internet on the infected laptop (I assume the virus is preventing me from doing so?) and I have had to start the infected laptop in safe mode to get anything visible on the desktop.
I used another PC to download the DDS program, which I saved to a memory stick and managed to run on the infected laptop.


The error messages that are coming up are too numerous to recall, but this is one that keeps popping up:
worm Lsasblaster.keylogger
ultiman.exe
netlogon.dll
msmqocm.dll
browseeui.dll
AVIFILE.DLL

When I try and run the GMER rootkit program, after about 10 minutes of scanning a blue screen comes up saying there is a problem with the PC and it needs to shut down, with the error message PFN_LIST_CORRUPT, therefore I cannot post this report.

Below is the DDS text file (the DDS Attach file is attached):

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Amy Clynes at 5:05:44.09 on 11/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.831 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Amy Clynes\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.lenovo.com/welcome/thinkpad
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/welcome/thinkpad
mSearchAssistant = hxxp://www.google.com/ie
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe"
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [95071426] c:\docume~1\alluse~1\applic~1\95071426\95071426.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli psqlpwd ACGina

============= SERVICES / DRIVERS ===============

S1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-6-2 239216]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
S2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-13 58368]
S2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]
S2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-4-25 3456]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-8-18 1730240]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060503.018\naveng.sys [2010-4-4 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060503.018\navex15.sys [2010-4-4 799208]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-8-18 124608]

=============== Created Last 30 ================

2010-05-09 11:07:58 0 d-----w- c:\windows\system32\appmgmt
2010-05-09 10:50:05 0 d-----w- c:\docume~1\alluse~1\applic~1\95071426
2010-04-30 12:25:18 0 d-s---w- c:\documents and settings\amy clynes\UserData
2010-04-28 18:22:00 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-28 18:21:59 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-28 18:21:57 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-04-28 18:21:57 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-04-27 11:57:19 1089601 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-04-20 19:19:57 0 d-----w- c:\windows\system32\XPSViewer
2010-04-20 19:19:27 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-04-20 19:19:27 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-04-20 19:19:27 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-04-20 19:19:27 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-04-20 19:19:27 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-04-20 19:19:27 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-04-20 19:19:27 117760 ------w- c:\windows\system32\prntvpt.dll
2010-04-20 19:19:26 0 d-----w- C:\a7df55711ab2c7f1bb3c588797cdf89a
2010-04-20 19:16:11 0 d-----w- c:\program files\MSXML 6.0
2010-04-20 03:23:50 0 d-----w- c:\windows\system32\KB905474
2010-04-20 03:17:30 0 d-----w- c:\windows\ServicePackFiles
2010-04-20 03:16:41 0 d-----w- c:\program files\MSXML 4.0
2010-04-20 01:06:58 0 d-----w- c:\windows\system32\CatRoot_bak
2010-04-20 01:02:35 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-04-20 01:02:27 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-04-20 01:02:25 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-04-20 01:02:15 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-20 00:56:28 0 d-----w- c:\windows\system32\PreInstall
2010-04-19 20:20:32 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-04-19 20:20:32 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2010-04-19 20:20:28 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2010-04-19 20:20:24 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-04-19 20:20:24 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-04-19 17:20:50 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-04-19 17:19:59 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-04-19 17:19:59 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-04-19 17:19:52 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-04-19 17:19:52 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-04-19 16:06:11 3216 ----a-w- c:\windows\system32\encobject.dat
2010-04-19 16:05:41 0 d-----w- c:\windows\system32\Client Security Solution
2010-04-19 15:28:45 0 d-----w- c:\docume~1\amycly~1\applic~1\ThinkVantage
2010-04-19 15:28:45 0 d-----w- c:\docume~1\amycly~1\applic~1\Symantec
2010-04-19 15:28:45 0 d-----w- c:\docume~1\amycly~1\applic~1\Lenovo
2010-04-19 03:48:13 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-04-19 03:40:59 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-04-19 03:37:47 0 d-----w- c:\windows\SHELLNEW
2010-04-19 03:30:27 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-19 03:30:19 50 ----a-w- c:\windows\system32\drivers\LENOVO_1951_F8G.MRK
2010-04-19 03:30:15 10 ----a-w- c:\windows\system32\firstboot.ibm

==================== Find3M ====================

2010-05-09 11:09:17 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe
2010-05-09 11:09:17 17536 ----a-w- c:\windows\system32\drivers\psadd.sys
2010-05-09 09:15:29 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-04-04 23:53:30 7012 ----a-w- c:\windows\system32\drivers\pmemnt.sys
2010-04-04 23:35:00 0 ---ha-r- c:\windows\system32\drivers\IBM_1951_F8G_TP.MRK
2010-04-04 23:34:02 21419 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 08:02:04 417792 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-10 04:57:43 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:57:36 1024000 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-02-26 19:35:08 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-02-25 11:17:33 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-17 18:57:54 2063744 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 17:37:57 2186880 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:35:40 2143744 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 16:57:54 2021888 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:36:09 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 11:08:25 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 5:06:01.96 ===============

Edited by kevin273, 11 May 2010 - 08:24 AM.
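As an added example (not part of the original thread, and not code from DDS or BleepingComputer), the script below shows how an analyst can triage a DDS log like the one above mechanically before reading it line by line. It parses the uRun/mRun/dRun entries of the "Pseudo HJT Report" and the directories in the "Created Last 30" section, then flags autorun entries that launch from a user-writable profile directory, have a digits-only executable name, or sit in a directory created within the last 30 days. The heuristics are the author's own, not a DDS feature; the sample input is a constructed subset of lines copied from the log in this post, and a flag means "look at this first", not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [TpShocks] TpShocks.exe
mRun: [95071426] c:\docume~1\alluse~1\applic~1\95071426\95071426.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

=============== Created Last 30 ================

2010-05-09 11:07:58 0 d-----w- c:\windows\system32\appmgmt
2010-05-09 10:50:05 0 d-----w- c:\docume~1\alluse~1\applic~1\95071426
2010-04-20 19:16:11 0 d-----w- c:\program files\MSXML 6.0
2010-04-28 18:22:00 5632 ----a-w- c:\windows\system32\ptpusb.dll
"""

# DDS prefixes u/m/d = HKCU / HKLM / Default user Run keys.
RUN_LINE = re.compile(r"^([udm])Run:\s+\[([^\]]*)\]\s+(.*)$", re.IGNORECASE)
# "<timestamp> <size> <attributes> <path>" lines from the Created Last 30 section.
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(\S+)\s+(.+)$"
)
# Profile locations an ordinary user can write to (8.3 and long forms).
PROFILE_PREFIXES = ("c:\\docume~1\\", "c:\\documents and settings\\")


def extract_path(command):
    """Return the executable path from a Run value, or None for a bare name."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else None
    # Otherwise take the first token that looks like a path (skips rundll32 etc.).
    for token in command.split():
        if "\\" in token:
            return token.lower()
    return None


def parse_dds(text):
    """Split a DDS log into Run entries and a {dir_path: created_timestamp} map."""
    runs, created_dirs = [], {}
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            runs.append({"scope": m.group(1).lower(),
                         "name": m.group(2), "command": m.group(3)})
            continue
        m = CREATED_LINE.match(line)
        if m and m.group(2).startswith("d"):   # attribute field marks directories
            created_dirs[m.group(3).strip().lower()] = m.group(1)
    return runs, created_dirs


def triage(text):
    """Return the Run entries that match at least one heuristic, with reasons."""
    runs, created_dirs = parse_dds(text)
    findings = []
    for entry in runs:
        path = extract_path(entry["command"])
        if path is None:
            continue  # bare names such as TpShocks.exe carry no location info
        p = PureWindowsPath(path)
        reasons = []
        if path.startswith(PROFILE_PREFIXES):
            reasons.append("launches from a user-writable profile directory")
        if p.stem.isdigit():
            reasons.append("executable name is digits only")
        parent = str(p.parent).lower()
        if parent in created_dirs:
            reasons.append(f"parent directory created {created_dirs[parent]}")
        if reasons:
            findings.append({"name": entry["name"], "scope": entry["scope"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['scope']}Run] {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the full log rather than the sample, the same three checks surface the same single entry; everything else in the Run list resolves to vendor software under Program Files or System32. Extending the heuristics (for example, comparing the Notify and AppInit_DLLs entries against the same created-directory map) is straightforward because the parser already separates sections from entries.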


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 May 2010 - 06:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 May 2010 - 07:43 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
