
Malware Help - NOD32 Detecting "clkh71yhks66.com"


  • This topic is locked
10 replies to this topic

#1 Showbiz

  • Members
  • 38 posts
  • OFFLINE
  • Local time: 12:10 PM

Posted 19 May 2010 - 03:57 AM

Hi,

Hopefully someone can help me!

Recently I've been getting constant pop-up alerts from NOD32; one I copied down was "clkh71yhks66.com", as detailed here:

hxxp://www.malwareurl.com/listing.php?domain=clkh71yhks66.com

I get these whenever I browse any web page using Mozilla Firefox, and on certain pages the pop ups are non-stop.


I can also no longer access Windows Update via Internet Explorer, even though my connection is fine and other pages can still be browsed.


Browsing to save files (similar to when uploading attach.txt and ark.txt), using Windows Explorer or context menus etc., is now also very slow and "laggy".


I've recently had to remove a couple of fake Windows Security rogues, which started this whole Malware mess.

Hopefully someone can help me get back to a clean system soon. I'm in my final semester of my university degree and have plenty that needs to be done on this machine over the next few weeks!

Your help is much appreciated!

Scott



DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 17:35:38.18 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.380 [GMT 9.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Scott\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260939379000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258448202062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\krib7xxs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-4-19 13360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-19 304464]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2009-3-17 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-4-19 69936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-19 20952]
S0 xssfktt;xssfktt;c:\windows\system32\drivers\vdrd.sys --> c:\windows\system32\drivers\vdrd.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]

=============== Created Last 30 ================

2010-05-19 00:49:48 711168 ----a-w- c:\windows\isRS-000.tmp
2010-05-19 00:44:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-19 00:44:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-19 00:44:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 10:21:27 0 d-----w- c:\docume~1\chris\applic~1\PrimoPDF
2010-05-17 10:20:42 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-05-16 23:46:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 09:05:56 0 d-----w- c:\program files\NVIDIA Corporation
2010-05-11 09:05:19 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-05-11 09:05:19 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-05-11 09:05:19 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-05-11 09:05:17 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-05-11 09:05:17 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-05-11 09:05:17 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-05-11 09:05:17 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-05-11 09:05:17 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-05-11 09:05:17 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-05-11 09:05:17 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-05-11 09:05:17 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-05-11 09:05:17 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-05-03 05:43:34 0 d-----w- c:\docume~1\chris\applic~1\My Games
2010-05-03 05:05:59 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-05-03 05:05:59 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-05-03 05:05:55 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-05-03 05:05:55 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-05-03 05:05:51 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-05-03 04:36:47 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-04-21 10:08:30 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2010-04-21 10:08:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-21 08:23:21 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-19 09:23:30 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2010-04-19 09:23:29 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-04-19 09:23:27 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-04-19 09:23:26 0 d-----w- c:\program files\PDFCreator
2010-04-19 09:19:07 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-04-19 09:19:07 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-04-19 08:58:20 0 d-----w- c:\docume~1\chris\applic~1\Sunbelt
2010-04-19 08:58:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-04-19 08:58:14 0 d-----w- c:\program files\Sunbelt Software
2010-04-19 08:20:12 0 d-----w- c:\program files\ESET

==================== Find3M ====================

2010-05-19 00:50:43 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-19 00:50:42 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-11 08:43:32 90112 ----a-w- c:\windows\DUMP48b1.tmp
2010-05-11 07:44:58 90112 ----a-w- c:\windows\DUMP49f9.tmp
2010-05-11 04:46:15 90112 ----a-w- c:\windows\DUMP55c1.tmp
2010-05-11 04:40:14 90112 ----a-w- c:\windows\DUMP595b.tmp
2010-05-11 04:34:12 90112 ----a-w- c:\windows\DUMP567c.tmp
2010-04-03 13:25:32 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-03 13:25:32 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 09:53:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 09:53:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 09:53:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 09:53:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 09:53:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 09:52:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 02:24:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 17:37:14.00 ===============



Edited by Orange Blossom, 19 May 2010 - 03:05 PM.
Deactivate link. ~ OB




#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender: Male
  • Local time: 09:40 PM

Posted 19 May 2010 - 04:29 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

You seem to be infected with one of the latest TDL3 rootkits. We will deal with this; first, please run ComboFix and once it's done post the log so we can continue.

Please note that just because things "seem" better or your initial problem is resolved, this does not mean you're clean or secure and free of malware/viruses. Please stick with me until the end, until I give you the prevention tips and we clean up.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download ComboFix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

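As an added example (not code from this thread, from BleepingComputer, or from the DDS/ComboFix tools), here is a small Python triage script that applies the checks a helper would run over the logs posted above: a browser proxy pointed at a local listener, Winlogon's SfcDisable value, a boot-start driver whose file DDS could not find (the "[?]" on the xssfktt line), and the firewall setting from the ComboFix report. The sample lines are copied from this thread's logs; the rule names, the "no vowels" heuristic and the tag strings are my own choices.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not a BleepingComputer tool).

Every rule is a heuristic: a hit means "a helper should look at this line",
not "the machine is infected".
"""
import re

# Constructed sample: these lines are copied from the DDS and ComboFix logs
# posted in this thread, plus a few benign lines so the rules have negatives.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
S0 xssfktt;xssfktt;c:\windows\system32\drivers\vdrd.sys --> c:\windows\system32\drivers\vdrd.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]
"EnableFirewall"= 0 (0x0)
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(.+)$")
SFC_RE = re.compile(r"SfcDisable\s*=\s*(-?\d+)")
# DDS/ComboFix service lines: "<R0..S4> <name>;<display name>;<path> [...]"
DRIVER_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$")
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')


def proxy_hosts(value):
    """Split a WinINet ProxyServer value ('http=host:port;https=host:port'
    or plain 'host:port') and return the proxy hosts it names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[-1]        # drop the 'http=' scheme prefix
        hosts.append(target.rsplit(":", 1)[0])  # drop the ':port'
    return hosts


def looks_random(name):
    """Weak heuristic (my own): a service name with no vowels, like 'xssfktt'.
    Only meaningful next to another indicator; some real drivers match too."""
    return len(name) >= 6 and not re.search(r"[aeiou]", name, re.IGNORECASE)


def check_line(line):
    """Return a list of (tag, reason) findings for one log line."""
    findings = []
    m = PROXY_RE.match(line)
    if m:
        for host in proxy_hosts(m.group(1)):
            if host in LOCAL_HOSTS:
                findings.append(("localhost-proxy",
                                 "browser traffic is routed through a local listener: " + m.group(1)))
    m = SFC_RE.search(line)
    if m and m.group(1) != "0":
        findings.append(("sfc-disabled",
                         "Windows File Protection is off (SfcDisable=%s)" % m.group(1)))
    m = DRIVER_RE.match(line)
    if m and "[?]" in m.group(4):  # DDS prints [?] when it cannot find the driver file
        start, name = m.group(1), m.group(2)
        reason = "%s driver %r points at a file the scanner could not find" % (start, name)
        if start == "S0":
            reason += "; S0 means it loads at boot, before most security tools"
        if looks_random(name):
            reason += "; the service name also has no vowels"
        findings.append(("driver-missing-file", reason))
    if FIREWALL_RE.search(line):
        findings.append(("firewall-disabled", "the Windows Firewall standard profile is turned off"))
    return findings


def triage(log_text):
    """Run every rule over every non-empty line; return one dict per finding."""
    results = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        for tag, reason in check_line(line.rstrip()):
            results.append({"line": lineno, "tag": tag, "reason": reason, "text": line})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("line %2d  %-20s %s" % (hit["line"], hit["tag"], hit["reason"]))
```

Run it over a full DDS or ComboFix log by reading the file and passing its text to `triage()`; the other sections of the log pass through untouched.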

#3 Showbiz

  • Topic Starter
  • Members
  • 38 posts
  • OFFLINE
  • Local time: 12:10 PM

Posted 19 May 2010 - 07:34 PM

Hi EB,

Thanks for helping, much appreciated.

Here's the ComboFix log:


ComboFix 10-05-19.02 - Chris 05/20/2010 9:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.691 [GMT 9.5:30]
Running from: d:\scott\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\msconfig.exe
c:\windows\system32\prsgrc.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2010-05-17 10:21 . 2010-05-17 10:21 -------- d-----w- c:\documents and settings\Chris\Application Data\PrimoPDF
2010-05-17 10:20 . 2009-07-31 01:44 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-05-16 23:46 . 2010-05-16 23:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-15 04:22 . 2010-05-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-15 04:17 . 2010-05-15 04:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\jwpnjumgn
2010-05-03 05:43 . 2010-05-10 00:17 -------- d-----w- c:\documents and settings\Chris\Application Data\My Games
2010-05-03 05:27 . 2010-05-10 00:19 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\My Games
2010-05-03 05:05 . 2007-06-20 11:16 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-05-03 05:05 . 2007-06-20 11:15 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-05-03 05:05 . 2007-05-16 07:15 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-05-03 05:05 . 2007-05-16 07:15 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-05-03 05:05 . 2007-05-16 07:15 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-05-03 04:36 . 2005-05-26 06:04 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-04-30 23:49 . 2010-04-30 23:50 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment
2010-04-22 22:47 . 2010-05-17 09:36 15166488 ----a-w- c:\documents and settings\All Users\Application Data\Sunbelt\AntiMalware\Downloads\CSC_EN.4.0.3275.exe
2010-04-21 10:08 . 2010-04-21 10:08 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2010-04-21 10:08 . 2010-04-21 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-21 08:23 . 2010-04-21 08:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-21 08:23 . 2010-04-21 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-20 07:26 . 2010-04-20 07:27 -------- d-----w- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 00:19 . 2009-12-20 02:55 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-20 00:19 . 2009-12-20 02:53 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-19 23:51 . 2009-08-08 12:06 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-19 00:42 . 2009-08-27 08:20 -------- d-----w- c:\documents and settings\Chris\Application Data\uTorrent
2010-05-16 23:47 . 2009-01-16 05:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 23:46 . 2009-01-16 05:26 -------- d-----w- c:\program files\Java
2010-05-12 23:29 . 2009-08-27 08:20 -------- d-----w- c:\program files\uTorrent
2010-05-11 09:06 . 2010-05-11 09:05 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-11 09:06 . 2010-03-22 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-11 08:43 . 2009-01-15 16:15 90112 ----a-w- c:\windows\DUMP48b1.tmp
2010-05-11 07:44 . 2009-01-15 16:15 90112 ----a-w- c:\windows\DUMP49f9.tmp
2010-05-11 04:46 . 2009-01-15 16:15 90112 ----a-w- c:\windows\DUMP55c1.tmp
2010-05-11 04:40 . 2009-01-15 16:15 90112 ----a-w- c:\windows\DUMP595b.tmp
2010-05-11 04:34 . 2009-01-15 16:15 90112 ----a-w- c:\windows\DUMP567c.tmp
2010-05-10 00:20 . 2009-01-16 03:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-09 11:07 . 2009-01-25 07:17 -------- d-----w- c:\documents and settings\Chris\Application Data\Skype
2010-05-09 09:03 . 2009-01-25 07:19 -------- d-----w- c:\documents and settings\Chris\Application Data\skypePM
2010-05-03 23:51 . 2009-10-29 11:37 -------- d-----w- c:\documents and settings\Chris\Application Data\BOM
2010-04-20 05:27 . 2010-01-17 06:30 -------- d-----w- c:\program files\JDownloader
2010-04-19 11:19 . 2009-01-31 09:29 -------- d-----w- c:\documents and settings\Chris\Application Data\Canon
2010-04-19 09:24 . 2010-04-19 09:23 -------- d-----w- c:\program files\PDFCreator
2010-04-19 08:58 . 2010-04-19 08:58 -------- d-----w- c:\documents and settings\Chris\Application Data\Sunbelt
2010-04-19 08:58 . 2010-04-19 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-04-19 08:58 . 2010-04-19 08:58 -------- d-----w- c:\program files\Sunbelt Software
2010-04-19 08:20 . 2010-04-19 08:20 -------- d-----w- c:\program files\ESET
2010-04-03 22:55 . 2010-05-11 09:05 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 22:55 . 2010-05-11 09:05 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-03 22:55 . 2010-05-11 09:05 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-04-03 22:55 . 2010-05-11 09:05 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55 . 2010-05-11 09:05 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2010-05-11 09:05 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2010-05-11 09:05 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55 . 2010-05-11 09:05 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2010-05-11 09:05 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-03 22:55 . 2010-05-11 09:05 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2010-05-11 09:05 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 22:55 . 2010-05-11 09:05 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 13:25 . 2009-01-16 02:50 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 13:25 . 2009-01-16 02:50 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-03 09:53 . 2010-04-03 09:53 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 09:53 . 2010-04-03 09:53 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 09:53 . 2010-04-03 09:53 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 09:53 . 2010-04-03 09:53 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 09:53 . 2010-04-03 09:53 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 09:52 . 2010-04-03 09:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-03-28 21:39 . 2010-03-28 10:07 -------- d-----w- c:\documents and settings\Chris\Application Data\ICAClient
2010-03-22 06:03 . 2009-01-16 02:55 28344 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 06:09 . 2010-03-16 06:00 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-03-16 06:08 . 2010-03-16 06:00 0 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ssprs.dll
2010-03-16 06:05 . 2010-03-16 06:05 1024 ----a-w- c:\windows\system32\grcauth2.dll
2010-03-16 06:05 . 2010-03-16 06:05 1024 ----a-w- c:\windows\system32\grcauth1.dll
2010-03-16 05:58 . 2010-03-16 05:58 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-03-10 06:15 . 2008-04-14 03:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 01:11 . 2009-01-16 02:28 220112 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2010-02-25 06:24 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-13 22:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-28 76304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2009-03-17 681256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-07 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-18 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-01 16:12 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/19/2010 6:49 PM 13360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [3/17/2009 1:26 PM 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/19/2010 6:49 PM 69936]
S0 xssfktt;xssfktt;c:\windows\system32\drivers\vdrd.sys --> c:\windows\system32\drivers\vdrd.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2009-01-17 04:55]

2010-05-19 c:\windows\Tasks\User_Feed_Synchronization-{1A63EAEA-9482-4B17-82B9-00E89DA1548B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\krib7xxs.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 09:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85CDBCEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf760ff28
\Driver\ACPI -> ACPI.sys @ 0xf74b2cb8
\Driver\atapi -> atapi.sys @ 0xf7444852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek PCIe GBE Family Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7350bb0
PacketIndicateHandler -> NDIS.sys @ 0xf735da21
SendHandler -> NDIS.sys @ 0xf733b87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-20 09:59:20
ComboFix-quarantined-files.txt 2010-05-20 00:29

Pre-Run: 8,962,777,088 bytes free
Post-Run: 9,572,392,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 87BEDFBE128DB7B72B2E9C08419EFF11
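What a malware-removal helper reads out of a log like the one above, written up as an added Python example; it is not part of the thread and not ComboFix's own logic. It re-scans a few lines copied from the log above for the entries that get checked first: the proxy in the user's Internet Settings (every browser request going through 127.0.0.1:5555 is one way to get an alert on every page, unless something legitimate is known to listen there), the Windows Firewall switched off in the standard profile, Explorer restriction policies set to 1, a boot-start service whose driver file is missing (the `[?]` marker is read the way it appears on the xssfktt line), and the `>>UNKNOWN [...]<<` module the MBR scanner found in the disk I/O call path. The indicator names, severities and the `proxy_host_port` helper are this example's own.

```python
"""Scan a ComboFix-style log for a few indicators a responder checks first."""
import re

# Lines copied from the ComboFix log above, trimmed to what the checks look at.
SAMPLE_LOG = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
S0 xssfktt;xssfktt;c:\windows\system32\drivers\vdrd.sys --> c:\windows\system32\drivers\vdrd.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85CDBCEC]<<
user & kernel MBR OK
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>-?\d+)\s*\(0x[0-9A-Fa-f]+\)$')
# "R1 name;display;image [stamp]" service/driver lines; a trailing "[?]" on the
# xssfktt line above is where the log shows the image file could not be found.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<spec>\S+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def proxy_host_port(spec):
    """'http=127.0.0.1:5555' or '127.0.0.1:5555' -> ('127.0.0.1', 5555).
    Per-protocol specs are 'proto=host:port;proto=host:port'; the first entry is used."""
    entry = spec.split(";")[0]
    if "=" in entry:
        entry = entry.split("=", 1)[1]
    host, _, port = entry.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def triage(log_text):
    """Return a list of findings; each has 'indicator', 'severity', 'evidence' plus detail keys."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), int(m.group("value"))
            if section.endswith(r"firewallpolicy\standardprofile"):
                if name == "EnableFirewall" and value == 0:
                    findings.append({"indicator": "firewall_disabled", "severity": "high",
                                     "name": name, "evidence": line})
                elif name == "DisableNotifications" and value == 1:
                    findings.append({"indicator": "firewall_notifications_disabled",
                                     "severity": "medium", "name": name, "evidence": line})
            elif section.endswith(r"policies\explorer") and name.startswith("No") and value == 1:
                findings.append({"indicator": "explorer_restriction_policy", "severity": "medium",
                                 "name": name, "evidence": line})
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("[?]"):
                image = rest[: -len("[?]")].strip().split(" --> ")[-1]
                findings.append({"indicator": "service_image_missing", "severity": "high",
                                 "start": m.group("start"), "name": m.group("name"),
                                 "image": image, "evidence": line})
            continue
        m = PROXY_RE.match(line)
        if m:
            host, port = proxy_host_port(m.group("spec"))
            if host in LOOPBACK:
                findings.append({"indicator": "loopback_proxy", "severity": "high",
                                 "host": host, "port": port, "evidence": line})
            continue
        m = UNKNOWN_RE.search(line)
        if m and line.startswith("called modules:"):
            findings.append({"indicator": "unknown_module_in_disk_stack", "severity": "high",
                             "address": m.group("addr"), "evidence": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['indicator']}: {f['evidence']}")
```

None of these findings is a verdict on its own; each is a line to confirm on the machine (what listens on port 5555, whether vdrd.sys exists on disk, what owns the unnamed module at that address), which is what the helper's follow-up steps in this thread do by hand.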

#4 Showbiz (Topic Starter)

Posted 19 May 2010 - 07:50 PM

After ComboFix was run and I'd posted the log, I rebooted so that AV programs would start again and so that I could keep working on some study.

Just letting you know that I'm still getting the pop-up blocks from NOD when browsing certain web pages, so ComboFix didn't entirely fix the problem.

Thanks again

#5 extremeboy (Malware Response Team)

Posted 20 May 2010 - 06:55 PM

Hello,

Yes, that's because it was not removed.

We'll deal with this another way. We first need to find a replacement copy of that file.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following code box into the main text field under "File":
    :filefind
    ehdrv.sys
  • Please confirm everything is copied and pasted exactly as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#6 Showbiz (Topic Starter)

Posted 20 May 2010 - 07:12 PM

Hi, I had to run SystemLook in Safe Mode with Networking. At this stage, this is the only way I can communicate, as on a regular Windows boot my computer will get to the Windows logo screen, then auto-reboot itself. I cannot get into the desktop without using Safe Mode.

Not sure if that will affect these scan results.

Anyway, here's a copy of the log:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:38 on 21/05/2010 by Chris (Administrator - Elevation successful)

========== filefind ==========

Searching for "ehdrv.sys"
C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\ehdrv\ehdrv.sys --a--- 108792 bytes [03:32 29/09/2009] [03:32 29/09/2009] A4241545ECFF3EE97041847D83936E1F
C:\WINDOWS\system32\drivers\ehdrv.sys --a--- 108792 bytes [03:32 29/09/2009] [03:32 29/09/2009] A4241545ECFF3EE97041847D83936E1F

-=End Of File=-


Thanks!

#7 extremeboy (Malware Response Team)

Posted 21 May 2010 - 09:53 PM

Hello.

Do you still have your Windows XP Disk with you?

C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\ehdrv\ehdrv.sys <- Please submit this file to the online scanner below.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
    1. C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\ehdrv\ehdrv.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

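The file comparison that posts #5 to #7 do by hand (find every copy of ehdrv.sys, compare sizes and hashes, then check the hash with an online scanner), as an added Python example that is not part of the thread and not SystemLook's own code. It parses the SystemLook output posted above, groups the copies of each searched file by size and MD5 so that a tampered or mismatched copy stands out, and hashes a file independently so the logged value can be verified before it is looked up. The entry layout is taken from the posted log rather than from SystemLook documentation, the meaning of the two bracketed timestamps is not assumed, and the third, divergent copy is constructed for illustration.

```python
"""Parse SystemLook ':filefind' output and check that every copy of a file agrees."""
import hashlib
import re
from collections import defaultdict

# The SystemLook log posted above, reproduced as sample input.
SAMPLE_SYSTEMLOOK = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:38 on 21/05/2010 by Chris (Administrator - Elevation successful)

========== filefind ==========

Searching for "ehdrv.sys"
C:\Program Files\ESET\ESET NOD32 Antivirus\Drivers\ehdrv\ehdrv.sys --a--- 108792 bytes [03:32 29/09/2009] [03:32 29/09/2009] A4241545ECFF3EE97041847D83936E1F
C:\WINDOWS\system32\drivers\ehdrv.sys --a--- 108792 bytes [03:32 29/09/2009] [03:32 29/09/2009] A4241545ECFF3EE97041847D83936E1F

-=End Of File=-
"""

# Constructed, not from the thread: the same log with a third copy whose size
# and MD5 differ, which is the case the comparison exists to catch.
CONSTRUCTED_DIVERGENT = SAMPLE_SYSTEMLOOK.replace(
    "-=End Of File=-",
    r"C:\EXAMPLE\ehdrv.sys --a--- 108800 bytes [03:32 29/09/2009] [11:05 18/05/2010] "
    "00000000000000000000000000000000\n\n-=End Of File=-",
)

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# Entry layout as it appears in the posted log: path, six attribute flags, size,
# two bracketed timestamps, MD5.  Assumed from that output, not from documentation.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Map each searched file name (lower-case) to the list of copies found."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def check_copies(entries):
    """Group copies by (size, MD5).  One group means every copy is byte-identical;
    more than one means at least one copy is altered or is a different build."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["md5"])].append(e["path"])
    return {
        "consistent": len(groups) == 1,
        "variants": {f"{size}:{md5}": paths for (size, md5), paths in groups.items()},
    }


def md5_hex(data):
    """MD5 of a byte string in SystemLook's upper-case hex form."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of(path):
    """Independent MD5 of a file on disk, to compare against the logged value
    (and to search on VirusTotal by hash without uploading the file)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for name, copies in parse_filefind(CONSTRUCTED_DIVERGENT).items():
        verdict = check_copies(copies)
        print(name, "consistent" if verdict["consistent"] else "DIVERGENT")
        for key, paths in verdict["variants"].items():
            print("  ", key, paths)
```

In the posted log both copies carry the same size and MD5, so the driver in system32 already matches the copy under the ESET program folder; searching VirusTotal for that MD5 (rather than uploading the file) is the cheapest next check, and a mismatch between the two copies would have been the signal to replace the system32 one from the vendor's copy.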

#8 Showbiz (Topic Starter)

Posted 23 May 2010 - 07:03 AM

Hi,

I ended up having to reformat.

I had schoolwork to do, and as of my last message I couldn't boot into Windows. It just kept getting to the Windows logo, then rebooting itself.

I tried to run Windows Repair, but once done it would get to the desktop, and then all I could see was wallpaper: no taskbar, icons, nothing. Then it would freeze.

Is there anything that I should be doing in the future to prevent this from occurring again?

I am currently running Windows Firewall with NOD32 and CounterSpy, plus all Windows updates.

Thanks for the help, EB! Unfortunately the time difference sank me in the end :/

#9 extremeboy (Malware Response Team)

Posted 23 May 2010 - 06:02 PM

Hello.

Sorry that we couldn't help you finish it up. Regarding prevention, yes there are a few things you can do.

Now that you are clean, please follow and read some of the prevention tips over here. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my blog at http://computermalwaresecurity.blogspot.com/ and subscribe/follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 24 May 2010 - 12:43 PM.


#10 Showbiz (Topic Starter)

Posted 23 May 2010 - 07:18 PM

Thanks for the help EB, you can close the thread.

And just FYI, those prevention blogger links you posted weren't found.

Thanks again

#11 extremeboy (Malware Response Team)

Posted 24 May 2010 - 12:44 PM

You're welcome.

URL got changed for some reason. Those links should be working now.

Happy surfing again.

--
Since the problem appears to be resolved, this topic is now closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy